Hadoop Security Guide

Synchronizing LDAP Users and Groups

Run the LDAP synchronize command and answer the prompts to initiate the sync:

ambari-server sync-ldap [option]

Note

To perform this operation, your Ambari Server must be running.

  • When prompted, you must provide credentials for an Ambari Admin.

  • When syncing LDAP, local user accounts with a matching username switch to the LDAP type, which means they are authenticated against the external LDAP server and no longer against the local Ambari user store.

  • LDAP sync only syncs up to 1000 users. If your LDAP contains over 1000 users and you plan to import over 1000 users, you must use the --users option when syncing and specify a filtered list of users to perform the import in batches.

The utility provides three options for synchronization:

  • Specific set of users and groups, or

  • Synchronize the existing users and groups in Ambari with LDAP, or

  • All users and groups

Review log files for failed synchronization attempts, at /var/log/ambari-server/ambari-server.log on the Ambari Server host.

Note

When synchronizing LDAP users and groups, Ambari uses LDAP result paging controls to synchronize large numbers of LDAP objects. Most modern LDAP servers support these controls, but for those that do not, such as Oracle Directory Server Enterprise Edition 11g, Ambari provides a configuration parameter to disable pagination. Set the authentication.ldap.pagination.enabled property to false in the /etc/ambari-server/conf/ambari.properties file to disable result paging controls. This limits the maximum number of entities that can be imported at any given time to the maximum result limit of the LDAP server. To work around this, import sets of users or groups using the --users and --groups options covered in section 3.1.4 - Specific Set of Users and Groups.
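The batching workaround described above (both for the 1000-user limit and for servers where paging is disabled) can be scripted. The following is an added example, not code from the Ambari project or this guide; it assumes the input file holds one user name per line and that --users accepts a file containing a comma-separated list of user names, and each sync-ldap run still prompts for Ambari Admin credentials as described above.

```shell
#!/bin/sh
# Added example (not from the Ambari docs): split a large LDAP user list so that
# every ambari-server sync-ldap run stays within the 1000-user import limit.
# Assumptions: one user name per input line; --users takes a file holding a
# comma-separated list of user names.
set -eu

BATCH_SIZE="${BATCH_SIZE:-1000}"           # users per sync-ldap run
AMBARI_CMD="${AMBARI_CMD:-ambari-server}"  # overridable for dry runs

# split_users INPUT OUTDIR: write OUTDIR/batch-NNN.csv files holding at most
# BATCH_SIZE comma-separated names each; prints the number of batches written.
split_users() {
    mkdir -p "$2"
    # strip CR line endings and blank lines before chunking
    tr -d '\r' < "$1" | grep -v '^[[:space:]]*$' | awk -v size="$BATCH_SIZE" -v out="$2" '
        (NR - 1) % size == 0 {                    # first name of a new batch
            if (NR > 1) { print line > file; close(file) }
            file = sprintf("%s/batch-%03d.csv", out, int((NR - 1) / size) + 1)
            line = $0; next
        }
        { line = line "," $0 }                    # append to the current batch
        END {
            if (NR > 0) { print line > file; close(file) }
            print int((NR + size - 1) / size)      # batch count
        }'
}

# sync_batches INPUT OUTDIR: one sync-ldap run per batch file; each run prompts
# for Ambari Admin credentials, as sync-ldap always does. Prints the batch count.
sync_batches() {
    count=$(split_users "$1" "$2")
    for f in "$2"/batch-*.csv; do
        [ -e "$f" ] || break
        "$AMBARI_CMD" sync-ldap --users "$f"
    done
    echo "$count"
}

# Demo on a constructed list of 2350 names (no sync-ldap call is made here).
demo_dir=$(mktemp -d)
awk 'BEGIN { for (i = 1; i <= 2350; i++) print "user" i }' > "$demo_dir/users.txt"
echo "batches written: $(split_users "$demo_dir/users.txt" "$demo_dir/out")"
```

Run `sync_batches /path/to/users.txt /tmp/ldap-batches` on the Ambari Server host after exporting the user list; set AMBARI_CMD to a stub such as `true` to rehearse the batching without touching Ambari.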