ambari-dev mailing list archives

From Jarosław Czarniak (JIRA) <j...@apache.org>
Subject [jira] [Updated] (AMBARI-9617) sync-ldap doesn't check all returned atributes
Date Tue, 21 Jul 2015 08:20:04 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-9617?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jarosław Czarniak updated AMBARI-9617:
--------------------------------------
    Affects Version/s: 2.1.2

> sync-ldap doesn't check all returned atributes
> ----------------------------------------------
>
>                 Key: AMBARI-9617
>                 URL: https://issues.apache.org/jira/browse/AMBARI-9617
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-admin
>    Affects Versions: 1.7.0, 2.1.2
>            Reporter: Jarosław Czarniak
>
> When I tried to sync our AD accounts with Ambari, I noticed that Ambari searches only for _authentication.ldap.usernameAttribute_ and _uid_ in the answer. It's quite all right if the standard answer contains these attributes.
> Here is our AD question and answer from wireshark:
> {noformat}
> Filter: (&(objectClass=Person)(sAMAccountName=czarniak))
> {noformat}
> {noformat}
> Lightweight Directory Access Protocol
> LDAPMessage searchResEntry(2) "CN=Czarniak Jarosław,OU=Pracownicy,OU=wp-sa,DC=ad,DC=wp-sa,DC=pl" [1 result]
> messageID: 2
> protocolOp: searchResEntry (4)
> searchResEntry
> objectName: CN=Czarniak Jaros\357\277\275\357\277\275aw,OU=Pracownicy,OU=wp-sa,DC=ad,DC=wp-sa,DC=pl
> attributes: 110 items
> Response To: 7
> Time: 0.021746000 seconds
> {noformat}
> As you can see, the answer is "CN=Czarniak Jarosław,OU=Pracownicy,OU=wp-sa,DC=ad,DC=wp-sa,DC=pl" and there are 110 attributes attached. _sAMAccountName_ is one of them:
> {noformat}
> PartialAttributeList item sAMAccountName
> type: sAMAccountName
> vals: 1 item
> AttributeValue: czarniak
> {noformat}
> As a result of ignoring the attached attributes array, Ambari skips that account (and any other account as well):
> {noformat}
> 16:48:38,270  WARN [pool-1-thread-9] AmbariLdapDataPopulator:560 - Ignoring LDAP user cn=Czarniak Jarosław,ou=Pracownicy,ou=wp-sa,dc=ad,dc=wp-sa,dc=pl as it doesn't have required attributes uid and sAMAccountName
> 16:50:24,556  INFO [qtp214227661-23] PersistKeyValueService:82 - Looking for keyName CLUSTER_CURRENT_STATUS
> 16:50:24,726  INFO [qtp214227661-22] PersistKeyValueService:82 - Looking for keyName CLUSTER_CURRENT_STATUS
> {noformat}
> I think Ambari must scan all provided attributes, not only the first, or make it possible to create some type of filters...
> My Ambari/ldap configuration:
> {noformat}
> ====================
> Review Settings
> ====================
> authentication.ldap.primaryUrl: x.x.x.x:389
> authentication.ldap.secondaryUrl: y.y.y.y:389
> authentication.ldap.useSSL: false
> authentication.ldap.userObjectClass: Person
> authentication.ldap.usernameAttribute: sAMAccountName
> authentication.ldap.groupObjectClass: posixGroup
> authentication.ldap.groupNamingAttr: systemauth
> authentication.ldap.groupMembershipAttr: memberUid
> authentication.ldap.baseDn: OU=Pracownicy,OU=wp-sa,DC=ad,DC=wp-sa,DC=pl
> authentication.ldap.bindAnonymously: false
> authentication.ldap.managerDn: CN=XYZ,OU=Techniczne,OU=wp-sa,DC=ad,DC=wp-sa,DC=pl
> authentication.ldap.managerPassword: *****
> Save settings [y/n] (y)? y
> Saving...done
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
