Created 08-03-2017 04:35 PM
I was able to sync LDAP at one point with Ambari. I'm not sure exactly when it broke. The users were synced before it broke all work fine and show up in Ambari as being Type: LDAP. When I try to run ambari-server sync-ldap with either the --existing option or --groups I get the same output complaining about the hostname. I have verified that hostname -f shows the correct FQDN and it matches what is output in the results of the command below.
ambari-server sync-ldap --existing
Using python /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: adminusername
Enter Ambari Admin password:
Syncing existing.ERROR: Exiting with exit code 1.
REASON: Sync event creation failed. Error details: hostname '127.0.0.1' doesn't match u'hiddenhostname.domain.com'
Created 08-25-2017 06:13 AM
So, the main reason we see this error is because the default behaviour for ssl cert verification have changed in python. If you take a look in /etc/python/cert-verification.cfg, you will see that in python-libs-2.7.5-34, the “verify=disable” value was default. But after upgrade of that package to python-libs-2.7.5-58, the value is now “verify=platform_default”. And at least in our system, that means enabled. After changing this back to “verify=disable”, the synchronization works again without having to do the workaround I wrote about earlier. I have verified this on a non-upgraded system by changing it to enabled and that also results in errors for the user synchronization
This error also affect LLAP if you are running that. After upgrade, LLAP wont start because of cert verifications. You will get a “[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)” error message. Changing the verify parameter described above also fixes that problem.
Created 08-03-2017 04:40 PM
What are the host entries in your ambari server /etc/hosts ?
Is the LDAP server entry correct ?
Please revert
Created 08-03-2017 04:51 PM
my /etc/hosts file only contains the 2 standard localhost lines. I have verified that both forward and revers DNS works correctly for the Ambari server and the LDAP server. I did try adding both of them into the /etc/hosts file in the format of "IP FQDN shortname" and that did not seem to make any difference at all. I looked at the ambari.properties file and it has the correct LDAP hostname in it.
Created 08-23-2017 12:54 PM
I just got the exact same error. And the problem came after a “yum update” on a Redhat 7 server. I tested the synchronization just before I upgraded the OS and it worked fine. After the upgrade, I get the same error. I’ll post an answer once I find a solution to the problem
Created 08-24-2017 10:30 AM
@Aaron Norton
One way you can work around this problem is to change "SERVER_API_HOST = '127.0.0.1'" in /usr/lib/python2.6/site-packages/ambari_server/serverUtils.py so it points to your server with the full hostname. That will work around the problem with SSL that we see.
Created 08-24-2017 12:15 PM
Yes that workaround does work. Will wait for a fix before I Accept the solution.
Created 08-25-2017 06:13 AM
So, the main reason we see this error is because the default behaviour for ssl cert verification have changed in python. If you take a look in /etc/python/cert-verification.cfg, you will see that in python-libs-2.7.5-34, the “verify=disable” value was default. But after upgrade of that package to python-libs-2.7.5-58, the value is now “verify=platform_default”. And at least in our system, that means enabled. After changing this back to “verify=disable”, the synchronization works again without having to do the workaround I wrote about earlier. I have verified this on a non-upgraded system by changing it to enabled and that also results in errors for the user synchronization
This error also affect LLAP if you are running that. After upgrade, LLAP wont start because of cert verifications. You will get a “[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)” error message. Changing the verify parameter described above also fixes that problem.
Created 08-25-2017 02:46 PM
Thanks for the detailed explanation Berry!