ambari-dev mailing list archives

From Robert Levas <rle...@hortonworks.com>
Subject Re: sync LDAP behavior
Date Fri, 19 Feb 2016 13:02:15 GMT
Hi Keta…

What version of Ambari are you using? My guess is 2.2.0.  If so, I think you may have bumped
into the bug fixed in https://issues.apache.org/jira/browse/AMBARI-15031, which will be released
in Ambari version 2.2.2 - I am not sure of the release date for that. 

Unfortunately, to perform subsequent sync-all operations with your current version, you will
need to clear out the imported LDAP groups and associated metadata from the Ambari database.
Else you will be able to sync an explicit set of groups using the --group option.

To clear out the imported groups and associated metadata from the Ambari database (after backing
up your database), you will need to delete all groups from the `groups` table where `ldap_group`=1.
 You will also need to remove all records from the `adminprincipal` table where the `principal_id`
equals the `groups.principal_id` for the relevant records.  So something like this should
do the trick.

	DELETE FROM adminprincipal WHERE principal_id IN (SELECT principal_id FROM groups WHERE ldap_group=1);
	DELETE FROM groups WHERE ldap_group=1;


Rob





On 2/18/16, 8:00 PM, "Keta Patel" <keta.mahendrakumar.patel@gmail.com> wrote:

>Adding more detail to my question:
>
>The following is what I see when I perform sync-ldap consecutively.
>*The very 1st call:*
>>>ambari-server sync-ldap --all
>
>*Result:*
>Using python  /usr/bin/python2
>Syncing with LDAP...
>Enter Ambari Admin login: admin
>Enter Ambari Admin password:
>Syncing all...
>
>Completed LDAP Sync.
>Summary:
>  memberships:
>    removed = 0
>    created = 0
>  users:
>    updated = 0
>    removed = 0
>    created = 0
>  groups:
>    updated = 0
>    removed = 0
>    created = 2
>
>Ambari Server 'sync-ldap' completed successfully.
>
>
>
>
>*The 2nd time I call:*
>>>ambari-server sync-ldap --all
>
>*Result:*
>Using python  /usr/bin/python2
>Syncing with LDAP...
>Enter Ambari Admin login: admin
>Enter Ambari Admin password:
>Syncing all...ERROR: Exiting with exit code 1.
>REASON: Caught exception running LDAP sync. Exception [EclipseLink-4002]
>(Eclipse Persistence Services - 2.5.2.v20140319-9ad6abd):
>org.eclipse.persistence.exceptions.DatabaseException
>Internal Exception: java.sql.BatchUpdateException: Batch entry 0 INSERT
>INTO groups (group_id, group_name, ldap_group, principal_id) VALUES (524,
>'sheetsg9', 1, 5527) was aborted.  Call getNextException to see the cause.
>Error Code: 0
>Call: INSERT INTO groups (group_id, group_name, ldap_group, principal_id)
>VALUES (?, ?, ?, ?)
>    bind => [4 parameters bound]
>
>
>
>The only difference I found with the LDAP group "sheetsg9" when compared to
>the other LDAP groups was that *it had no users associated with it.*
>The workaround involves deleting that group from the "groups" table in the
>DB and syncing again. The sync goes through fine after that.
>
>Is this the expected behavior of "sync-ldap --all" or is the case of
>handling groups with no users not handled properly?
>
>On Thu, Feb 18, 2016 at 3:27 PM, Keta Patel <
>keta.mahendrakumar.patel@gmail.com> wrote:
>
>> Hello all,
>> What is the expected behavior of "ambari-server sync-ldap --all" on the
>> 2nd or later calls?
>>
>> Thank you!
>> Keta
>>
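
Added example (not part of the original thread and not Ambari code): the two DELETE statements from Rob's reply, run against a constructed in-memory SQLite miniature of the `groups` and `adminprincipal` tables, with a preview of the affected rows and a single transaction that rolls back if the row counts differ from the preview. The miniature models only the columns shown in this thread, and the function names are hypothetical.

```python
import sqlite3

# Constructed miniature of the two tables named in the thread (SQLite, in memory).
# Only columns that appear on this page are modelled; this is not Ambari's real schema.
# "groups" is double-quoted because GROUPS is a keyword in newer SQLite versions.
def build_sample_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE adminprincipal (principal_id INTEGER PRIMARY KEY);
        CREATE TABLE "groups" (group_id INTEGER PRIMARY KEY, group_name TEXT,
                               ldap_group INTEGER, principal_id INTEGER);
        INSERT INTO adminprincipal VALUES (1), (5527), (5528);
        INSERT INTO "groups" VALUES (10, 'local-ops', 0, 1),
                                    (524, 'sheetsg9', 1, 5527),
                                    (525, 'constructed-ldap-group', 1, 5528);
    """)
    return db

# The two statements from the reply, in the order given there.
DELETE_PRINCIPALS = ('DELETE FROM adminprincipal WHERE principal_id IN '
                     '(SELECT principal_id FROM "groups" WHERE ldap_group=1)')
DELETE_GROUPS = 'DELETE FROM "groups" WHERE ldap_group=1'

def preview(db):
    """Return the (group_id, group_name, principal_id) rows the cleanup would remove."""
    return db.execute('SELECT group_id, group_name, principal_id FROM "groups" '
                      'WHERE ldap_group=1 ORDER BY group_id').fetchall()

def cleanup(db, expected_groups):
    """Run both DELETEs in one transaction; roll back if counts differ from the preview."""
    try:
        principals = db.execute(DELETE_PRINCIPALS).rowcount
        groups = db.execute(DELETE_GROUPS).rowcount
        # Assumption: every imported group has its own adminprincipal row.
        if groups != expected_groups or principals != expected_groups:
            raise RuntimeError("unexpected counts: %d groups, %d principals" % (groups, principals))
        db.commit()
    except Exception:
        db.rollback()  # leave the database exactly as it was before the attempt
        raise
    return groups, principals

if __name__ == "__main__":
    db = build_sample_db()
    rows = preview(db)
    print("would remove:", rows)
    print("removed (groups, principals):", cleanup(db, len(rows)))
```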