ambari-user mailing list archives

From Robert Levas <rle...@hortonworks.com>
Subject Re: Ambari Server sync-ldap not pulling group membership info.
Date Mon, 07 Mar 2016 16:12:00 GMT
It appears that your groups do not have any members assigned. Since you used posixGroup as
the class of your groups, you need to add a memberUid value to each group for assignment.
I am not sure how well Ambari handles this, and I think it does a better job with groups
that are of the class groupOfUniqueNames, where the membership attributes are DNs stored in
the uniqueMember property.

Try ldapsearch -x -h ldap.forumsys.com -b ou=scientists,dc=example,dc=com to see an example.
This lists the scientists group in a public test LDAP server where the groups have the class
groupOfUniqueNames.

For docs on using Ambari, see https://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.0/bk_Ambari_Security_Guide/content/_configuring_ambari_for_ldap_or_active_directory_authentication.html.

Rob



From: Pratip Ghosh <pratip.ghosh@planwell.com>
Reply-To: "user@ambari.apache.org" <user@ambari.apache.org>
Date: Monday, March 7, 2016 at 9:14 AM
To: "user@ambari.apache.org" <user@ambari.apache.org>
Subject: Re: Ambari Server sync-ldap not pulling group membership info.

Hello Rob,

Thank you for your reply.

1) I am using Apache Ambari version 2.1.2.


2) The authentication.ldap.groupMembershipAttr value in my ambari.properties file is as follows.

authentication.ldap.groupMembershipAttr=memberUid


3) The schema of my LDAP server is as follows.

++++++++++++++++++++++++++++

~# ldapsearch -x -h ldapserver.arcbigdata.com -b "dc=arcbigdata,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=arcbigdata,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# arcbigdata.com
dn: dc=arcbigdata,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: ARC
dc: arcbigdata

# admin, arcbigdata.com
dn: cn=admin,dc=arcbigdata,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# groups, arcbigdata.com
dn: ou=groups,dc=arcbigdata,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

# hadoop_admin, groups, arcbigdata.com
dn: cn=hadoop_admin,ou=groups,dc=arcbigdata,dc=com
gidNumber: 500
objectClass: posixGroup
objectClass: top
cn: hadoop_admin

# hadoop_operator, groups, arcbigdata.com
dn: cn=hadoop_operator,ou=groups,dc=arcbigdata,dc=com
gidNumber: 501
cn: hadoop_operator
objectClass: posixGroup
objectClass: top

# hadoop_users, groups, arcbigdata.com
dn: cn=hadoop_users,ou=groups,dc=arcbigdata,dc=com
gidNumber: 502
cn: hadoop_users
objectClass: posixGroup
objectClass: top

# huser1, hadoop_users, groups, arcbigdata.com
dn: cn=huser1,cn=hadoop_users,ou=groups,dc=arcbigdata,dc=com
cn: huser1
givenName: h
gidNumber: 502
homeDirectory: /home/users/huser1
sn: user1
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
uid: huser1

# hoperator1, hadoop_operator, groups, arcbigdata.com
dn: cn=hoperator1,cn=hadoop_operator,ou=groups,dc=arcbigdata,dc=com
cn: hoperator1
givenName: h
gidNumber: 501
homeDirectory: /home/users/hoperator1
sn: operator1
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1001
uid: hoperator1

# hadmin1, hadoop_admin, groups, arcbigdata.com
dn: cn=hadmin1,cn=hadoop_admin,ou=groups,dc=arcbigdata,dc=com
cn: hadmin1
givenName: h
gidNumber: 500
homeDirectory: /home/users/hadmin1
sn: admin1
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1002
uid: hadmin1

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9

++++++++++++++++++++++++++++++++++++++++++


As I am not very familiar with LDAP, maybe I am providing the wrong value in authentication.ldap.groupMembershipAttr.

Can you please help me on this?


Regards,
Pratip

On Monday 07 March 2016 06:57 PM, Robert Levas wrote:

What version of Ambari and LDAP server are you using? I believe before Ambari 2.1 there was
an issue syncing with OpenLDAP.

Maybe you are hitting this issue. Else maybe there is an issue with your configuration where
the group membership link isn't correct and Ambari is trying to look up an incorrect field.
Make sure the authentication.ldap.groupMembershipAttr value in your ambari.properties file
matches the schema in your LDAP server.


Rob





On 3/7/16, 7:59 AM, "Pratip Ghosh" <pratip.ghosh@planwell.com> wrote:



Hi

I want to sync membership info, just like users and groups, from LDAP to the
Ambari database, but it is not actually happening.
All users and groups are syncing, but memberships are not syncing from LDAP
to Ambari.

Can anybody help me out on this?

*********************************************

# ambari-server sync-ldap --all
Using python  /usr/bin/python2.7
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing
all..................................................................

Completed LDAP Sync.
Summary:
  memberships:
    removed = 0
    created = 0
  users:
    updated = 0
    removed = 2
    created = 1
  groups:
    updated = 0
    removed = 3
    created = 3

Ambari Server 'sync-ldap' completed successfully.

*********************************************************
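Rob's diagnosis above is that the groups in the dump carry no membership values at all, so the sync reports zero memberships. The following script is an added example (not from this thread or the Ambari project) that audits an ldapsearch LDIF dump the same way: it maps each group's object class to the attribute Ambari's authentication.ldap.groupMembershipAttr must name, and lists groups that have no members. The LDIF excerpt is constructed to mirror the entries posted here, with one group given a memberUid and a groupOfUniqueNames entry added for contrast.

```python
# Constructed LDIF excerpt modelled on the dump in this thread (not the live directory):
# hadoop_admin has no members, hadoop_users names one memberUid, scientists uses uniqueMember.
SAMPLE_LDIF = """\
dn: cn=hadoop_admin,ou=groups,dc=arcbigdata,dc=com
objectClass: posixGroup
cn: hadoop_admin

dn: cn=hadoop_users,ou=groups,dc=arcbigdata,dc=com
objectClass: posixGroup
cn: hadoop_users
memberUid: huser1

dn: cn=scientists,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: scientists
uniqueMember: uid=einstein,
 dc=example,dc=com
"""

# Group object class -> attribute holding its members; authentication.ldap.groupMembershipAttr
# in ambari.properties must name the attribute that matches the class actually in use.
MEMBER_ATTR = {"posixGroup": "memberUid", "groupOfUniqueNames": "uniqueMember"}

def parse_ldif(text):
    """Parse an ldapsearch LDIF dump into a list of {attribute: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:   # LDIF folds long values; glue them back
                lines[-1] += raw[1:]
            elif not raw.startswith("#"):       # skip ldapsearch's comment lines
                lines.append(raw)
        entry = {}
        for key, sep, value in (line.partition(":") for line in lines):
            if sep:
                entry.setdefault(key, []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit_groups(entries):
    """Map each group cn to (membership attribute Ambari should read, its member values)."""
    return {e["cn"][0]: (attr, e.get(attr, []))
            for e in entries for cls, attr in MEMBER_ATTR.items()
            if cls in e.get("objectClass", [])}

def empty_groups(entries):
    """Groups that sync as groups but yield zero memberships because they list no members."""
    return sorted(cn for cn, (_, members) in audit_groups(entries).items() if not members)
```

Feed it the real `ldapsearch -x -h <server> -b <base>` output to see which groups would sync with no members before running `ambari-server sync-ldap`.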