FreeIPA LDAP setup example
If the users for whom you want to enable authentication into Ambari UI are stored in FreeIPA, you should configure Ambari to integrate directly against your IPA instance. Selecting IPA as an LDAP type helps the wizard configure some smarter defaults for the the attribute values that tend to work in most IPA instances.
To configure LDAP integration against IPA using the cli wizard:
FreeIPA Tips for determining LDAP Search Properties:
- IPA Clients contain /etc/ipa/default.conf with various LDAP
server
properties:
[root@demo ~]# cat /etc/ipa/default.conf basedn = dc=hortonworks,dc=site realm = HORTONWORKS.SITE domain = hortonworks.site server = ipa.hortonworks.site
- Determining valid user attributes (posixaccount, uid, etc):
ipa user-show hadoopadmin --raw --all
- Determining valid group attributes (posixgroup, member, memberUid, etc):
ipa group-show admins --raw --all
- Verifying ldapbind account and search base using ldapsearch
[root@demo ~]# yum install -y openldap-clients # Test ldap bind properties AM_LDAP_SEARCHBASE="cn=accounts,dc=hortonworks,dc=site" AM_LDAP_BINDDN="uid=ldapbind,cn=users,cn=accounts,dc=hortonworks,dc=site" AM_LDAP_BINDDN_PW="BadPass#1" AM_LDAP_URL=ldaps://ipa.hortonworks.com:636 # Search for a valid uid and ensure the searchbase, bind dn, and ldapurl resolve properly [root@demo ~]# ldapsearch -D ${AM_LDAP_BINDDN} \ -w ${AM_LDAP_BINDDN_PW} \ -b ${AM_LDAP_SEARCHBASE} \ -H ${AM_LDAP_URL} uid=hadoopadmin # Tail results of a valid ldapsearch for a single uid: numResponses: 2 numEntries: 1
Example configuring LDAP integration against IPA:
Using interactive CLI:
[root@demo certificates]# ambari-server setup-ldap
Currently 'no auth method' is configured, do you wish to use LDAP instead [y/n] (y)?
Please select the type of LDAP you want to use (AD, IPA, Generic LDAP):IPA
Primary LDAP Host (ipa.ambari.apache.org): ipa.hortonworks.com
Primary LDAP Port (636):
Secondary LDAP Host <Optional>:
Secondary LDAP Port <Optional>:
Use SSL [true/false] (true):
Do you want to provide custom TrustStore for Ambari [y/n] (y)?
TrustStore type [jks/jceks/pkcs12] (jks):
Path to TrustStore file (/etc/pki/java/cacerts):
Password for TrustStore:
Re-enter password:
User object class (posixUser):posixaccount
User ID attribute (uid):
Group object class (posixGroup):
Group name attribute (cn):
Group member attribute (memberUid):member
Distinguished name attribute (dn):
Search Base (dc=ambari,dc=apache,dc=org): cn=accounts,dc=hortonworks,dc=site
Referral method [follow/ignore] (follow):
Bind anonymously [true/false] (false):
Bind DN (uid=ldapbind,cn=users,cn=accounts,dc=ambari,dc=apache,dc=org): uid=ldapbind,cn=users,cn=accounts,dc=hortonworks,dc=site
Enter Bind DN Password:
Confirm Bind DN Password:
Handling behavior for username collisions [convert/skip] for LDAP sync (skip):
Force lower-case user names [true/false]:
Results from LDAP are paginated when requested [true/false]:
Note | |
---|---|
In Ambari 2.7.1, the User Object Class and Group Object Class defaults of the IPA defaults must be overwritten. |
Using non-interactive CLI:
ambari-server setup-ldap \
--ldap-url=ipa.hortonworks.site:636 \
--ldap-user-class=posixAccount \
--ldap-user-attr=uid \
--ldap-group-class=posixGroup \
--ldap-ssl=true \
--ldap-referral="follow" \
--ldap-group-attr=cn \
--ldap-member-attr=member \
--ldap-dn=dn \
--ldap-base-dn=cn=accounts,dc=hortonworks,dc=site \
--ldap-bind-anonym=false \
--ldap-manager-dn=uid=ldapbind,cn=users,cn=accounts,dc=hortonworks,dc=site \
--ldap-manager-password=BadPass#1 \
--ldap-save-settings \
--ldap-sync-username-collisions-behavior=convert \
--ldap-force-setup \
--ldap-force-lowercase-usernames=true \
--ldap-pagination-enabled=false \
--ambari-admin-username=admin \
--ambari-admin-password=adminpassword \
--truststore-type=jks \
--truststore-path=/etc/pki/java/cacerts \
--truststore-password=changeit \
--ldap-secondary-host="" \
--ldap-secondary-port=0
Note | |
---|---|
In Ambari 2.7.1, the ldap-type can must be passed in interactively. |