
permission denied while copying ldap server public key to the cluster node

Expert Contributor


I want to sync the cluster user, Ambari user and Ranger user, so I configured an LDAP server on an AWS instance and created a group and user on the LDAP server. Now I am trying to sync this user with the Hadoop cluster node. I have installed nss-pam-ldapd, openldap-clients, openssl, and sssd on the client machine. When I try to copy the LDAP server public key to the client machine it shows the following error:

  scp root@ip-xx-x-x-xxx.ec2.internal:/etc/pki/tls/certs/ldap1_pubkey.pem /etc/openldap/cacerts/

  Permission denied (publickey).

I am using PuTTY to log in to the host and the client. I created a private key for the key used while creating the cluster and LDAP instance, and I have added the private key to PuTTY for authentication for both client and host.

I am new to LDAP. Can anyone help me get past this error?

Thank You.



@heta desai

From the description I understand that you want to sync the LDAP user with Ambari and your LDAP is on SSL. So in order to have proper communication you want to add the LDAP certificate to cacerts (the default Java truststore).

You can try the following:

Step 1 : Get the ldap cert

#echo | openssl s_client -connect <ldap_hostname>:<port> -showcerts2>&1 | sed--quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldap.crt
Step 2 : Add this cert to Default Java Truststore

/usr/lib/jvm/java-1.8.0/bin/keytool -import -file ldap.crt -alias ldap-cert -keystore /etc/pki/java/cacerts -storepass changeit

Note : default password is `changeit`

Expert Contributor

@Rishi Do I have to perform these steps on the client machine?


@heta desai You have to perform this on the Ambari-server node

Expert Contributor


Step 1 throws the following error:

-bash: sed--quiet: command not found 
unknown option -showcerts2


Could you please try this instead:

openssl s_client -connect <ldap>:<port> <<<'' | openssl x509 -out /tmp/ldap.cert

Expert Contributor

As an alternative I used WinSCP to copy the LDAP server public key.

