FreeIPA LDAP setup example
If the users you want to authenticate to the Ambari UI are stored in FreeIPA, configure Ambari to integrate directly against your IPA instance. Selecting IPA as the LDAP type lets the wizard pre-fill attribute defaults that work in most IPA instances; confirm them against your own directory before accepting them.
To configure LDAP integration against IPA using the CLI wizard, first gather the values the wizard asks for:
- IPA clients contain /etc/ipa/default.conf with the LDAP server properties (base DN, realm, domain and server name):

```
[root@demo ~]# cat /etc/ipa/default.conf
basedn = dc=hortonworks,dc=site
realm = HORTONWORKS.SITE
domain = hortonworks.site
server = ipa.hortonworks.site
```
- Determining valid user attributes (posixaccount, uid, etc.):

```
ipa user-show hadoopadmin --raw --all
```
- Determining valid group attributes (posixgroup, member, memberUid, etc.):

```
ipa group-show admins --raw --all
```
- Verifying the ldapbind account and search base using ldapsearch. Pass `-x` so ldapsearch performs a simple bind with the `-D` DN (without it, ldapsearch attempts a SASL/GSSAPI bind and ignores `-D`), and use the IPA server name from default.conf in the URL, since it must match the name in the server's TLS certificate. `-w` places the password in the process list and shell history; use `-W` to be prompted instead where that matters:

```
[root@demo ~]# yum install -y openldap-clients

# Test ldap bind properties
AM_LDAP_SEARCHBASE="cn=accounts,dc=hortonworks,dc=site"
AM_LDAP_BINDDN="uid=ldapbind,cn=users,cn=accounts,dc=hortonworks,dc=site"
AM_LDAP_BINDDN_PW="BadPass#1"
AM_LDAP_URL=ldaps://ipa.hortonworks.site:636

# Search for a valid uid and ensure the searchbase, bind dn, and ldapurl resolve properly
[root@demo ~]# ldapsearch -x -D "${AM_LDAP_BINDDN}" \
    -w "${AM_LDAP_BINDDN_PW}" \
    -b "${AM_LDAP_SEARCHBASE}" \
    -H "${AM_LDAP_URL}" uid=hadoopadmin

# Tail results of a valid ldapsearch for a single uid:
numResponses: 2
numEntries: 1
```
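The three pre-flight steps above can be scripted so they are repeatable. The following is an added example, not part of the Ambari or FreeIPA documentation: it reads `basedn` and `server` from the IPA client's /etc/ipa/default.conf, derives the search base, bind DN and ldaps URL the wizard asks for, then verifies the server certificate against the IPA CA (including the host name) and performs a simple bind and search before you touch ambari-server. It assumes the bind account lives under cn=users,cn=accounts (as on this page), that the IPA CA certificate is at /etc/ipa/ca.crt (the default location on IPA clients), and that the bind password is supplied in a file named by the hypothetical `LDAPBIND_PW_FILE` variable rather than on the command line.

```shell
#!/usr/bin/env bash
# Added example: pre-flight an Ambari/FreeIPA LDAP integration from an IPA client.
# Not Ambari's or FreeIPA's own tooling. Assumptions: bind account under
# cn=users,cn=accounts, IPA CA at /etc/ipa/ca.crt, password file in LDAPBIND_PW_FILE.

# Read one "key = value" line from default.conf (first match wins).
ipa_conf_get() {                 # usage: ipa_conf_get <key> <conf-file>
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# Values the setup-ldap wizard asks for, derived from basedn and server.
derive_search_base() {           # cn=accounts,<basedn>: users and groups live below it
    printf 'cn=accounts,%s\n' "$(ipa_conf_get basedn "$1")"
}
derive_bind_dn() {               # uid=<user>,cn=users,cn=accounts,<basedn>
    printf 'uid=%s,cn=users,cn=accounts,%s\n' "$2" "$(ipa_conf_get basedn "$1")"
}
derive_ldap_url() {              # ldaps://<server>:636
    printf 'ldaps://%s:636\n' "$(ipa_conf_get server "$1")"
}

# Verify the LDAPS certificate chains to the IPA CA *and* carries the host name
# that will go into the LDAP URL. If this fails, fix the URL or the certificate
# rather than disabling endpoint identification in Ambari.
check_ldap_cert() {              # usage: check_ldap_cert <conf-file>
    host=$(ipa_conf_get server "$1")
    openssl s_client -connect "$host:636" -CAfile /etc/ipa/ca.crt \
        -verify_hostname "$host" -verify_return_error </dev/null >/dev/null 2>&1
}

# Simple bind (-x: without it ldapsearch tries SASL/GSSAPI and ignores -D), then
# look up one uid; succeed only when exactly one entry is returned. The password
# is read from a file (-y) so it never appears in argv or shell history.
check_ldap_bind() {              # usage: check_ldap_bind <conf-file> <bind-user> <uid-to-find>
    [ -r "${LDAPBIND_PW_FILE-}" ] || { echo "LDAPBIND_PW_FILE must name a readable file" >&2; return 2; }
    # Refuse characters that would change the meaning of the LDAP filter.
    case $3 in *[!A-Za-z0-9._-]*) echo "refusing uid with filter metacharacters: $3" >&2; return 2;; esac
    n=$(LDAPTLS_CACERT=/etc/ipa/ca.crt ldapsearch -x -LLL \
            -H "$(derive_ldap_url "$1")" \
            -D "$(derive_bind_dn "$1" "$2")" -y "$LDAPBIND_PW_FILE" \
            -b "$(derive_search_base "$1")" "(uid=$3)" dn | grep -c '^dn:')
    [ "$n" -eq 1 ]
}

# Run the checks: ./preflight.sh run [conf-file] [bind-user] [uid-to-find]
if [ "${1-}" = run ]; then
    conf=${2:-/etc/ipa/default.conf} binduser=${3:-ldapbind} probe=${4:-hadoopadmin}
    printf 'Search base: %s\nBind DN:     %s\nLDAP URL:    %s\n' \
        "$(derive_search_base "$conf")" "$(derive_bind_dn "$conf" "$binduser")" "$(derive_ldap_url "$conf")"
    check_ldap_cert "$conf" && echo "certificate: OK" || { echo "certificate: FAILED" >&2; exit 1; }
    check_ldap_bind "$conf" "$binduser" "$probe" && echo "bind+search: OK" || { echo "bind+search: FAILED" >&2; exit 1; }
fi
```

The certificate check is the one worth keeping after setup: if `openssl s_client -verify_hostname` passes for the name you put in the LDAP URL, Ambari's endpoint identification will pass too, and there is no reason to disable it.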
Using the interactive CLI (the primary host must be the IPA server's name as it appears in its TLS certificate, here the `server` value from default.conf):

```
[root@demo certificates]# ambari-server setup-ldap
Currently 'no auth method' is configured, do you wish to use LDAP instead [y/n] (y)?
Please select the type of LDAP you want to use (AD, IPA, Generic LDAP):IPA
Primary LDAP Host (ipa.ambari.apache.org): ipa.hortonworks.site
Primary LDAP Port (636):
Secondary LDAP Host <Optional>:
Secondary LDAP Port <Optional>:
Use SSL [true/false] (true):
Do you want to provide custom TrustStore for Ambari [y/n] (y)?
TrustStore type [jks/jceks/pkcs12] (jks):
Path to TrustStore file (/etc/pki/java/cacerts):
Password for TrustStore:
Re-enter password:
User object class (posixUser):posixaccount
User ID attribute (uid):
Group object class (posixGroup):
Group name attribute (cn):
Group member attribute (memberUid):member
Distinguished name attribute (dn):
Search Base (dc=ambari,dc=apache,dc=org): cn=accounts,dc=hortonworks,dc=site
Referral method [follow/ignore] (follow):
Bind anonymously [true/false] (false):
Bind DN (uid=ldapbind,cn=users,cn=accounts,dc=ambari,dc=apache,dc=org): uid=ldapbind,cn=users,cn=accounts,dc=hortonworks,dc=site
Enter Bind DN Password:
Confirm Bind DN Password:
Handling behavior for username collisions [convert/skip] for LDAP sync (skip):
Force lower-case user names [true/false]:
Results from LDAP are paginated when requested [true/false]:
```
| Note |
|---|
| In Ambari 2.7.1, the User Object Class and Group Object Class defaults offered for the IPA type must be overwritten with the values your directory actually uses (check them with `ipa user-show` and `ipa group-show` as above). |
Using the non-interactive CLI. `--ldap-manager-password` places the bind password on the command line, so it ends up in the process list and shell history; quote it, and clear or disable history where that matters:

```
ambari-server setup-ldap \
  --ldap-url=ipa.hortonworks.site:636 \
  --ldap-user-class=posixAccount \
  --ldap-user-attr=uid \
  --ldap-group-class=posixGroup \
  --ldap-ssl=true \
  --ldap-referral="follow" \
  --ldap-group-attr=cn \
  --ldap-member-attr=member \
  --ldap-dn=dn \
  --ldap-base-dn=cn=accounts,dc=hortonworks,dc=site \
  --ldap-bind-anonym=false \
  --ldap-manager-dn=uid=ldapbind,cn=users,cn=accounts,dc=hortonworks,dc=site \
  --ldap-manager-password='BadPass#1' \
  --ldap-save-settings \
  --ldap-sync-username-collisions-behavior=convert \
  --ldap-force-setup \
  --ldap-force-lowercase-usernames=true \
  --ldap-pagination-enabled=false \
  --ambari-admin-username=admin \
  --ambari-admin-password=adminpassword \
  --truststore-type=jks \
  --truststore-path=/etc/pki/java/cacerts \
  --truststore-password=changeit \
  --ldap-secondary-host="" \
  --ldap-secondary-port=0 \
  --ldap-sync-disable-endpoint-identification=true
```
| Note |
|---|
| In Ambari 2.7.1, the ldap-type must be passed interactively. The flag to disable endpoint identification is only available in Ambari 2.7.3 and later. That flag turns off host name verification of the LDAP server's certificate during sync, which removes the protection TLS gives against a spoofed directory; use it only when the certificate cannot be made to match the host in `--ldap-url`, and prefer fixing the certificate or the URL. |