ambari-issues mailing list archives

From "Lars Francke (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AMBARI-20870) Change default template for AD user creation to avoid cn attribute length violations (don't use principal_name)
Date Thu, 27 Apr 2017 12:37:04 GMT
Lars Francke created AMBARI-20870:
-------------------------------------

             Summary: Change default template for AD user creation to avoid cn attribute length violations (don't use principal_name)
                 Key: AMBARI-20870
                 URL: https://issues.apache.org/jira/browse/AMBARI-20870
             Project: Ambari
          Issue Type: Improvement
          Components: ambari-server
    Affects Versions: 2.5.0
            Reporter: Lars Francke
            Priority: Minor


Currently the default template used for the LDAP add command when creating new principals
in Active Directory uses the {{$principal_name}} variable for the {{cn}} attribute.

That is not a good default as the {{cn}} attribute has a maximum length of 64 characters in
AD which cannot be changed.

This seems like a long hostname but those are the internal defaults used by Azure.

Ambari fails with error messages like this when it encounters this problem:
{quote}
[LDAP: error code 19 - 00002082: AtrErr: DSID-031519A3, #1:
        0: 00002082: DSID-031519A3, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 3 (cn):len 130
^@]; remaining name '"cn=HTTP/hadoop-4.olqwyiw03eme1ddz0ehc2qhhdh.ax.internal.cloudapp.net,CN=Users,DC=AZURE,DC=OPENCORE,DC=COM"'
{quote}

Ambari could
* a) either warn when it detects a {{cn}} longer than 64 characters and suggest using a different template
* or b) use a different default value for the cn. I propose a user-chosen prefix plus something like the {{principal_digest}}
* c) something else I can't think of now.

I'm in favor of b). Yes, it can be done today by changing the template, but it's not obvious what the error is, and changing the default could prevent this whole issue from ever occurring.

The only downside is that it's not as easy as it was before to browse the users in AD. One
needs to do a search to find a specific user or manually click through all of them.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
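The length check proposed under a) and the two cn templates compared under b), as an added worked example. This is not Ambari code and not part of the message above. Three things are assumptions rather than facts stated in the ticket, and are marked as such in the code: that $principal_name is the principal without its @REALM suffix (which matches the cn value in the quoted error), that $principal_digest is a hex MD5 of that name, and that the template syntax is plain $variable substitution rather than Velocity.

```python
"""Worked check for the AD cn length problem described in AMBARI-20870.

Added example, not Ambari code.  Assumed (not stated in the ticket):
- $principal_name is the principal without its @REALM suffix, matching the
  cn value in the quoted LDAP error;
- $principal_digest is the hex MD5 of that name (a stand-in; the ticket
  does not say which digest Ambari uses);
- the cn template is reduced to plain $variable substitution, not Velocity.
"""
import hashlib
from string import Template

AD_CN_MAX_CHARS = 64  # hard limit on the cn attribute in Active Directory

# Principal and container taken from the error quoted in the ticket.
EXAMPLE_PRINCIPAL = ("HTTP/hadoop-4.olqwyiw03eme1ddz0ehc2qhhdh.ax.internal."
                     "cloudapp.net@AZURE.OPENCORE.COM")
CONTAINER_DN = "CN=Users,DC=AZURE,DC=OPENCORE,DC=COM"

DEFAULT_CN_TEMPLATE = "$principal_name"            # the current default
PROPOSED_CN_TEMPLATE = "ambari-$principal_digest"  # option b): prefix + digest


def template_variables(principal):
    """Split 'primary/instance@REALM' into the variables a cn template may use."""
    if "@" in principal:
        name, realm = principal.rsplit("@", 1)
    else:
        name, realm = principal, ""
    primary, _, instance = name.partition("/")
    return {
        "principal_name": name,          # assumption: realm-less principal
        "principal_primary": primary,
        "principal_instance": instance,
        "realm": realm,
        # Assumption: a fixed-length hex digest of the name (32 chars for MD5),
        # so the rendered cn length no longer depends on the hostname.
        "principal_digest": hashlib.md5(name.encode("utf-8")).hexdigest(),
    }


def render_cn(cn_template, principal):
    """Render the cn from a $variable template (assumed syntax)."""
    return Template(cn_template).substitute(template_variables(principal))


def cn_lengths(cn):
    """Return (characters, UTF-16 bytes).  AD stores string attributes as
    UTF-16, and the 'len 130' in the quoted error is exactly twice the
    65-character cn, i.e. the byte length of the value."""
    return len(cn), len(cn.encode("utf-16-le"))


def check_cn(cn):
    """Option a): return a warning string if the cn would violate the AD
    limit, else None."""
    chars, utf16_bytes = cn_lengths(cn)
    if chars > AD_CN_MAX_CHARS:
        return ("cn %r is %d characters (%d UTF-16 bytes); Active Directory "
                "allows at most %d. Use a template such as %r instead."
                % (cn, chars, utf16_bytes, AD_CN_MAX_CHARS, PROPOSED_CN_TEMPLATE))
    return None


def escape_rdn_value(value):
    """Escape an attribute value for use in a DN per RFC 4514."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(cn, container_dn=CONTAINER_DN):
    """DN the LDAP add would use, as in the 'remaining name' of the error."""
    return "cn=%s,%s" % (escape_rdn_value(cn), container_dn)


def plan_add(cn_template, principal, container_dn=CONTAINER_DN):
    """Render the cn, validate it before sending the add, return (dn, warning)."""
    cn = render_cn(cn_template, principal)
    return build_dn(cn, container_dn), check_cn(cn)


if __name__ == "__main__":
    for tpl in (DEFAULT_CN_TEMPLATE, PROPOSED_CN_TEMPLATE):
        dn, warning = plan_add(tpl, EXAMPLE_PRINCIPAL)
        print(tpl, "->", dn)
        print("  ", warning or "ok")
```

Run stand-alone, the default template produces the 65-character cn from the ticket and a warning; the prefix-plus-digest template produces a 39-character cn that passes regardless of hostname length. The RDN escaping is there because the rendered cn is spliced into a DN; it matters for any character in the principal that RFC 4514 treats as special, not for the length problem itself.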
