By default Ambari uses an internal database as the user store for authentication and authorization. If you want to add LDAP or Active Directory (AD) external authentication in addition for Ambari Web, you need to collect the following information and run a special setup command. Ambari Server must not be running when you execute this command. An LDAP client must be installed on the Ambari Server host.
Important | |
---|---|
Ambari Server should not be running when you do this: either make the edits before you start Ambari Server the first time or bring the server down to make the edits. |
The following table details the properties and values you need to know to set up LDAP authentication.
Note If you are going to set
bindAnonymously
to false (the default), you need to make sure you have an LDAP Manager name and password set up. If you are going to use SSL, you need to make sure you have already set up your certificate and keys.Table I.2.2. Ambari Server LDAP Properties
Property Values Description authentication.ldap.primaryUrl server:port The hostname and port for the LDAP or AD server.
Example: my.ldap.server:389
authentication.ldap.secondaryUrl server:port The hostname and port for the secondary LDAP or AD server.
Example: my.secondary.ldap.server:389
This is an optional value.
authentication.ldap.useSSL true or false If true, use SSL when connecting to the LDAP or AD server. authentication.ldap. usernameAttribute [LDAP attribute] The attribute for username
Example: uid
authentication.ldap.baseDn [Distinguished Name] The root Distinguished Name to search in the directory for users.
Example:
ou=people,dc=hadoop,dc=apache,dc=org
authentication.ldap. bindAnonymously true or false If true, bind to the LDAP or AD server anonymously authentication.ldap.managerDn [Full Distinguished Name] If Bind anonymous is set to false, the Distinguished Name (“DN”) for the manager.
Example:
uid=hdfs,ou=people,dc=hadoop,dc=apache,dc=org
authentication.ldap. managerPassword [password] If Bind anonymous is set to false, the password for the manager Run the LDAP setup command and answer the prompts with the information you collected above:
ambari-setup setup-ldap
At the Primary URL* prompt, enter the server URL and port you collected above. Prompts marked with an asterisk are required values.
At the Secondary URL prompt, enter the secondary server URL and port. This is optional value.
At the Use SSL* prompt, enter your selection.
At the User name attribute* prompt, enter your selection. The default value is
uid
.At the Base DN* prompt, enter your selection.
At the Bind anonymously* prompt, enter your selection.
At the Manager DN* prompt, enter your selection if you have have set
bind.Anonymously
to false.At the Enter the Manager Password* , enter the password for your LDAP manager.
Review your settings and if they are correct, select y.
Start or restart the Server
ambari-server restart
Initially the users you have enabled all have Ambari User privileges. Ambari Users can read metrics, view service status and configuration, and browse job information. For these new users to be able to start or stop services, modify configurations, and run smoke tests, they need to be Admins. To make this change, use Ambari Web Admin -> Users -> Edit.