1.1.1. Configure Ambari to use LDAP Server

If the LDAPS server certificate is signed by a trusted Certificate Authority, there is no need to import the certificate into Ambari so this section does not apply to you. If the LDAPS server certificate is self-signed, or is signed by an unrecognized certificate authority such as an internal certificate authority, you must import the certificate and create a keystore file. The following example creates a keystore file at /keys/ldaps-keystore.jks, but you can create it anywhere in the file system:

  1. On the Ambari server:

  2. mkdir /keys

  3. $JAVA_HOME/bin/keytool -import -trustcacerts -alias root -file $PATH_TO_YOUR_LDAPS_CERT -keystore /keys/ldaps-keystore.jks

  4. Set a password when prompted. You will use this during ambari-server setup-ldap.

Run the LDAP setup command and answer the prompts with the information you collected above:

ambari-server setup-ldap
  1. At the Primary URL* prompt, enter the server URL and port you collected above. Prompts marked with an asterisk are required values.

  2. At the Secondary URL prompt, enter the secondary server URL and port. This is optional value.

  3. At the Use SSL* prompt, enter your selection. If using LDAPS, enter true.

  4. At the User name attribute* prompt, enter your selection. The default value is uid.

  5. At the Base DN* prompt, enter your selection.

  6. At the Bind anonymously* prompt, enter your selection.

  7. At the Manager DN* prompt, enter your selection if you have set bind.Anonymously to false.

  8. At the Enter the Manager Password* , enter the password for your LDAP manager.

  9. If you set Use SSL* = true in step 3, the following prompt appears: Do you want to provide custom TrustStore for Ambari?

    Consider the following options and respond as appropriate.

    • More secure option: If using a self-signed certificate that you do not want imported to the existing JDK keystore, enter y.

      For example, you want this certificate used only by Ambari, not by any other applications run by JDK on the same host.

      If you choose this option, additional prompts appear. Respond to the additional prompts as follows:

      1. At the TrustStore type prompt, enter jks.

      2. At the Path to TrustStore file prompt, enter /keys/ldaps-keystore.jks (or the actual path to your keystore file).

      3. At the Password for TrustStore prompt, enter the password that you defined for the keystore.

    • Less secure option: If using a self-signed certificate that you want to import and store in the existing, default JDK keystore, enter n.

      1. Convert the SSL certificate to X.509 format, if necessary, by executing the following command:

        openssl x509 -in slapd.pem -out slapd.crt

        Where slapd.crt is the path to the X.509 certificate.

      2. Import the SSL certificate to the existing keystore, for example the default jre certificates storage, using the following instruction:

        /usr/jdk64/jdk1.7.0_45/bin/keytool -import -trustcacerts -file slapd.crt -keystore
        /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts

        Where Ambari is set up to use JDK 1.7. Therefore, the certificate must be imported in the JDK 7 keystore.

  10. Review your settings and if they are correct, select y.

  11. Start or restart the Server

    ambari-server restart

    Initially the users you have enabled all have Ambari User privileges. Ambari Users can read metrics, view service status and configuration, and browse job information. For these new users to be able to start or stop services, modify configurations, and run smoke tests, they need to be Admins. To make this change, use Ambari Web Admin -> Users -> Edit.