If the LDAPS server certificate is signed by a trusted Certificate Authority, there is no need to import the certificate into Ambari so this section does not apply to you. If the LDAPS server certificate is self-signed, or is signed by an unrecognized certificate authority such as an internal certificate authority, you must import the certificate and create a keystore file. The following example creates a keystore file at /keys/ldaps-keystore.jks, but you can create it anywhere in the file system:
On the Ambari server:
mkdir /keys
$JAVA_HOME/bin/keytool -import -trustcacerts -alias root -file $PATH_TO_YOUR_LDAPS_CERT -keystore /keys/ldaps-keystore.jks
Set a password when prompted. You will use this during ambari-server setup-ldap.
Run the LDAP setup command and answer the prompts with the information you collected above:
ambari-server setup-ldap
At the Primary URL* prompt, enter the server URL and port you collected above. Prompts marked with an asterisk are required values.
At the Secondary URL prompt, enter the secondary server URL and port. This value is optional.
At the Use SSL* prompt, enter your selection. If using LDAPS, enter true.
At the User name attribute* prompt, enter your selection. The default value is uid.
At the Base DN* prompt, enter your selection.
At the Bind anonymously* prompt, enter your selection.
At the Manager DN* prompt, enter your selection if you have set Bind anonymously to false.
At the Enter the Manager Password* prompt, enter the password for your LDAP manager.
If you set Use SSL* = true in step 3, additional prompts appear. Respond as follows to the additional prompts:
At the Do you want to provide custom TrustStore for Ambari? prompt, if using a self-signed certificate, enter y. Otherwise, enter n.
If you enter y, additional prompts appear. Respond as follows to the additional prompts:
At the TrustStore type prompt, enter jks.
At the Path to TrustStore file prompt, enter /keys/ldaps-keystore.jks (or the actual path to your keystore file).
At the Password for TrustStore prompt, enter the password that you defined for the keystore.
Review your settings and if they are correct, select y.
Start or restart the Server
ambari-server restart
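The answers given to the prompts above can be sanity-checked against the rules this walkthrough states (a port on each URL, a manager DN whenever anonymous bind is off, and an existing jks truststore with a password when a custom truststore is used) before the server is brought back up. This is an added example and not Ambari's own code; it assumes the answers were persisted under the key names used below (authentication.ldap.* and ssl.trustStore.*), and the sample properties are constructed.

```python
import os
from urllib.parse import urlsplit

# Key names are assumed (Ambari's authentication.ldap.* / ssl.trustStore.* keys).
REQUIRED = ("authentication.ldap.primaryUrl", "authentication.ldap.usernameAttribute",
            "authentication.ldap.baseDn", "authentication.ldap.bindAnonymously")

def parse_properties(text):
    """Parse Java .properties text into a dict, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_ldap_config(props, path_exists=os.path.exists):
    """Return a list of problems; an empty list means the answers are consistent."""
    problems = [f"{key} is required" for key in REQUIRED if not props.get(key)]
    for key in ("authentication.ldap.primaryUrl", "authentication.ldap.secondaryUrl"):
        url = props.get(key)
        # setup-ldap asks for host:port; tolerate a scheme, but insist on a port
        if url and urlsplit(url if "://" in url else "//" + url).port is None:
            problems.append(f"{key}: no port in '{url}'")
    if (props.get("authentication.ldap.bindAnonymously", "").lower() == "false"
            and not props.get("authentication.ldap.managerDn")):
        problems.append("bindAnonymously=false requires a manager DN")
    store = props.get("ssl.trustStore.path")
    if props.get("authentication.ldap.useSSL", "").lower() == "true" and store:
        # Custom truststore for a self-signed LDAPS cert: must be jks, present, and unlocked
        if props.get("ssl.trustStore.type", "").lower() != "jks":
            problems.append("truststore type should be jks")
        if not path_exists(store):
            problems.append(f"truststore file not found: {store}")
        if not props.get("ssl.trustStore.password"):
            problems.append("truststore password is not set")
    return problems

# Constructed sample: the walkthrough's values, with the manager DN left out
SAMPLE = """\
authentication.ldap.primaryUrl=ldap.example.com:636
authentication.ldap.useSSL=true
authentication.ldap.usernameAttribute=uid
authentication.ldap.baseDn=dc=example,dc=com
authentication.ldap.bindAnonymously=false
ssl.trustStore.type=jks
ssl.trustStore.path=/keys/ldaps-keystore.jks
ssl.trustStore.password=changeit
"""
```

Running check_ldap_config(parse_properties(SAMPLE)) on the sample reports the missing manager DN, and also the missing keystore file on a host where /keys/ldaps-keystore.jks has not been created.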
Initially the users you have enabled all have Ambari User privileges. Ambari Users can read metrics, view service status and configuration, and browse job information. For these new users to be able to start or stop services, modify configurations, and run smoke tests, they need to be Admins. To make this change, use Ambari Web Admin -> Users -> Edit.