Configuring Ambari Authentication with LDAP/AD

FreeIPA LDAP setup example

If the users for whom you want to enable authentication into Ambari UI are stored in FreeIPA, you should configure Ambari to integrate directly against your IPA instance. Selecting IPA as the LDAP type lets the wizard choose smarter defaults for the attribute values that tend to work in most IPA instances.

Gather details about your FreeIPA instance from your IPA administrator (or use the Tips below) and provide them as input to the cli wizard. Be sure to provide your own searchbase, and verify the attribute settings before confirming.

To configure LDAP integration against IPA using the cli wizard:

  1. Run ambari-server setup-ldap on the Ambari server host.
  2. Provide the following information about your domain.
    Prompt | Example value for IPA
    Please select the type of LDAP you want to use | IPA
    Primary URL Host* | ipa.hortonworks.site
    Primary URL Port | 636
    Secondary URL Host (optional) |
    Secondary URL Port (optional) |
    Use SSL* | true
    Do you want to provide custom TrustStore for Ambari [y/n] | y
    TrustStore type | jks
    Path to TrustStore | /etc/pki/java/cacerts
    Password for TrustStore | changeit
    User object class | posixaccount
    User name attribute* | uid
    Group object class* | posixGroup
    Group name attribute* | cn
    Group member attribute* | member
    Distinguished name attribute* | dn
    Search Base | cn=accounts,dc=hortonworks,dc=site
    Referral method* | follow
    Bind anonymously* | true
    Bind DN | uid=ldapbind,cn=users,cn=accounts,dc=hortonworks,dc=site
    Bind DN Password |
    Handling behavior for username collisions | convert
    Force lower-case user names | true
    Results from LDAP are paginated when requested | false
    Note
    The truststore configuration can leverage the IPA CA created during ipa-client installation at /etc/pki/cacerts/java.
    See Choosing options during ambari-server setup-ldap for more details.
  3. Restart Ambari Server.
     A restart is required before Ambari can leverage the custom truststore.
  4. Verify your default settings.
FreeIPA Tips for determining LDAP Search Properties:
  • IPA Clients contain /etc/ipa/default.conf with various LDAP server properties:
    [root@demo ~]# cat /etc/ipa/default.conf
      basedn = dc=hortonworks,dc=site
      realm = HORTONWORKS.SITE
      domain = hortonworks.site
      server = ipa.hortonworks.site
  • Determining valid user attributes (posixaccount, uid, etc): ipa user-show hadoopadmin --raw --all
  • Determining valid group attributes (posixgroup, member, memberUid, etc): ipa group-show admins --raw --all
  • Verifying ldapbind account and search base using ldapsearch
    [root@demo ~]# yum install -y openldap-clients

    # Test ldap bind properties
    AM_LDAP_SEARCHBASE="cn=accounts,dc=hortonworks,dc=site"
    AM_LDAP_BINDDN="uid=ldapbind,cn=users,cn=accounts,dc=hortonworks,dc=site"
    AM_LDAP_BINDDN_PW="BadPass#1"
    AM_LDAP_URL="ldaps://ipa.hortonworks.com:636"

    # Search for a valid uid and ensure the searchbase, bind dn, and ldapurl resolve properly
    [root@demo ~]# ldapsearch -D "${AM_LDAP_BINDDN}" \
        -w "${AM_LDAP_BINDDN_PW}" \
        -b "${AM_LDAP_SEARCHBASE}" \
        -H "${AM_LDAP_URL}" uid=hadoopadmin

    # Tail results of a valid ldapsearch for a single uid:
    numResponses: 2
    numEntries: 1
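The tips above boil down to three questions that should be answered before the wizard writes anything: does the bind DN and search base actually return the user, does the URL agree with the SSL setting, and do the object class and attribute names you are about to type exist on a real IPA entry? The following script is an added example, not part of the Ambari documentation or the Ambari and FreeIPA projects; the hostnames, DNs and the sample ldapsearch and ipa user-show outputs it contains are constructed to mirror the page's values, and the function names are its own. The offline checks run as-is; truststore_has_alias needs keytool and a real truststore.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the values handed to `ambari-server setup-ldap` against FreeIPA.
# Added example, not Ambari's or FreeIPA's own tooling. Hostnames, DNs and the
# sample command outputs below are constructed to mirror the page's examples.

# Read `ldapsearch` output on stdin and print its numEntries count (0 if absent).
# Real ldapsearch prefixes the summary with "# ", so match on the field, not the column.
# A bind that succeeds but returns 0 entries usually means the search base or the
# filter is wrong, which the wizard will not notice until the first login fails.
ldap_num_entries() {
  awk '/numEntries:/ { n = $NF } END { print n + 0 }'
}

# The URL must agree with the SSL flag: ssl=true implies ldaps:// on 636 so the
# bind password never crosses the wire in the clear. Args: URL, ssl flag.
check_ldap_url() {
  case "$2:$1" in
    true:ldaps://*:636) return 0 ;;
    false:ldap://*)     return 0 ;;
    *)                  return 1 ;;
  esac
}

# Read `ipa user-show|group-show ... --raw --all` output on stdin and confirm the
# entry carries the object class ($1) and attribute ($2) the wizard will be told
# to use (posixaccount/uid for users, posixgroup/member for groups).
ipa_entry_has_attr() {
  awk -v oc="$1" -v attr="$2" '
    tolower($1) == "objectclass:" && tolower($2) == tolower(oc) { has_oc = 1 }
    tolower($1) == (tolower(attr) ":")                         { has_attr = 1 }
    END { exit !(has_oc && has_attr) }'
}

# Confirm the truststore passed to the wizard holds a certificate under the given
# alias (for example the IPA CA imported by ipa-client-install). Needs keytool.
# Args: truststore path, truststore password, alias.
truststore_has_alias() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Constructed sample outputs, shaped like the real commands' raw output.
SAMPLE_LDAPSEARCH='dn: uid=hadoopadmin,cn=users,cn=accounts,dc=hortonworks,dc=site
uid: hadoopadmin

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1'

SAMPLE_IPA_USER='  dn: uid=hadoopadmin,cn=users,cn=accounts,dc=hortonworks,dc=site
  uid: hadoopadmin
  objectclass: top
  objectclass: person
  objectclass: posixaccount
  objectclass: inetorgperson'

# Run the offline checks against the constructed samples; returns non-zero on failure.
preflight_offline() {
  n=$(printf '%s\n' "$SAMPLE_LDAPSEARCH" | ldap_num_entries)
  [ "$n" -ge 1 ] || { echo "ldapsearch returned no entries: check bind DN and search base"; return 1; }
  check_ldap_url "ldaps://ipa.hortonworks.site:636" true \
    || { echo "LDAP URL does not match the SSL setting"; return 1; }
  printf '%s\n' "$SAMPLE_IPA_USER" | ipa_entry_has_attr posixaccount uid \
    || { echo "user entry lacks the object class or attribute given to the wizard"; return 1; }
  echo "pre-flight checks passed"
}

preflight_offline
```

To run the same checks against a live instance, pipe the real ldapsearch command from the tips into ldap_num_entries and the real ipa user-show / ipa group-show output into ipa_entry_has_attr; an attribute or object class the script rejects is one the wizard would accept silently and fail on later.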
Example configuring LDAP integration against IPA:

Using interactive CLI:

[root@demo certificates]# ambari-server setup-ldap
Currently 'no auth method' is configured, do you wish to use LDAP instead [y/n] (y)?
Please select the type of LDAP you want to use (AD, IPA, Generic LDAP):IPA
Primary LDAP Host (ipa.ambari.apache.org): ipa.hortonworks.com
Primary LDAP Port (636):
Secondary LDAP Host <Optional>:
Secondary LDAP Port <Optional>:
Use SSL [true/false] (true):
Do you want to provide custom TrustStore for Ambari [y/n] (y)?
TrustStore type [jks/jceks/pkcs12] (jks):
Path to TrustStore file (/etc/pki/java/cacerts):
Password for TrustStore:
Re-enter password:
User object class (posixUser):posixaccount
User ID attribute (uid):
Group object class (posixGroup):
Group name attribute (cn):
Group member attribute (memberUid):member
Distinguished name attribute (dn):
Search Base (dc=ambari,dc=apache,dc=org): cn=accounts,dc=hortonworks,dc=site
Referral method [follow/ignore] (follow):
Bind anonymously [true/false] (false):
Bind DN (uid=ldapbind,cn=users,cn=accounts,dc=ambari,dc=apache,dc=org): uid=ldapbind,cn=users,cn=accounts,dc=hortonworks,dc=site
Enter Bind DN Password:
Confirm Bind DN Password:
Handling behavior for username collisions [convert/skip] for LDAP sync (skip):
Force lower-case user names [true/false]:
Results from LDAP are paginated when requested [true/false]:
Note

In Ambari 2.7.1, the User Object Class and Group Object Class defaults of the IPA defaults must be overwritten.

Using non-interactive CLI:

ambari-server setup-ldap \
--ldap-url=ipa.hortonworks.site:636  \
--ldap-user-class=posixAccount \
--ldap-user-attr=uid \
--ldap-group-class=posixGroup \
--ldap-ssl=true \
--ldap-referral="follow" \
--ldap-group-attr=cn \
--ldap-member-attr=member \
--ldap-dn=dn \
--ldap-base-dn=cn=accounts,dc=hortonworks,dc=site \
--ldap-bind-anonym=false \
--ldap-manager-dn=uid=ldapbind,cn=users,cn=accounts,dc=hortonworks,dc=site \
--ldap-manager-password=BadPass#1 \
--ldap-save-settings \
--ldap-sync-username-collisions-behavior=convert  \
--ldap-force-setup \
--ldap-force-lowercase-usernames=true \
--ldap-pagination-enabled=false \
--ambari-admin-username=admin \
--ambari-admin-password=adminpassword \
--truststore-type=jks \
--truststore-path=/etc/pki/java/cacerts \
--truststore-password=changeit \
--ldap-secondary-host="" \
--ldap-secondary-port=0 \
--ldap-sync-disable-endpoint-identification=true
Note

In Ambari 2.7.1, the ldap-type must be passed in interactively.

The flag to disable endpoint identification is only available in Ambari 2.7.3 and greater versions.

Synchronize your LDAP users and groups.