Posted to dev@ambari.apache.org by "Jarosław Czarniak (JIRA)" <ji...@apache.org> on 2015/02/13 10:41:11 UTC

[jira] [Created] (AMBARI-9617) sync-ldap doesn't check all returned attributes

Jarosław Czarniak created AMBARI-9617:
-----------------------------------------

             Summary: sync-ldap doesn't check all returned attributes
                 Key: AMBARI-9617
                 URL: https://issues.apache.org/jira/browse/AMBARI-9617
             Project: Ambari
          Issue Type: Bug
          Components: ambari-admin
    Affects Versions: 1.7.0
            Reporter: Jarosław Czarniak


When I tried to sync our AD accounts with Ambari, I noticed that Ambari searches only for _authentication.ldap.usernameAttribute_ and _uid_ in the answer. That's quite all right if the standard answer contains these attributes.
Here is our AD question and answer from Wireshark:
{noformat}
Filter: (&(objectClass=Person)(sAMAccountName=czarniak))
{noformat}
{noformat}
Lightweight Directory Access Protocol
LDAPMessage searchResEntry(2) "CN=Czarniak Jarosław,OU=Pracownicy,OU=wp-sa,DC=ad,DC=wp-sa,DC=pl" [1 result]
messageID: 2
protocolOp: searchResEntry (4)
searchResEntry
objectName: CN=Czarniak Jaros\357\277\275\357\277\275aw,OU=Pracownicy,OU=wp-sa,DC=ad,DC=wp-sa,DC=pl
attributes: 110 items
Response To: 7
Time: 0.021746000 seconds
{noformat}

As you can see, the answer is "CN=Czarniak Jarosław,OU=Pracownicy,OU=wp-sa,DC=ad,DC=wp-sa,DC=pl" and there are 110 attributes attached. _sAMAccountName_ is one of them:
{noformat}
PartialAttributeList item sAMAccountName
type: sAMAccountName
vals: 1 item
AttributeValue: czarniak
{noformat}

As a result of ignoring the attached attributes array, Ambari skips that account (and any other account as well):
{noformat}
16:48:38,270  WARN [pool-1-thread-9] AmbariLdapDataPopulator:560 - Ignoring LDAP user cn=Czarniak Jarosław,ou=Pracownicy,ou=wp-sa,dc=ad,dc=wp-sa,dc=pl as it doesn't have required attributes uid and sAMAccountName
16:50:24,556  INFO [qtp214227661-23] PersistKeyValueService:82 - Looking for keyName CLUSTER_CURRENT_STATUS                                     
16:50:24,726  INFO [qtp214227661-22] PersistKeyValueService:82 - Looking for keyName CLUSTER_CURRENT_STATUS
{noformat}

I think Ambari must scan all provided attributes, not only the first, or make it possible to create some type of filters...

My Ambari/LDAP configuration:
{noformat}
====================
Review Settings
====================
authentication.ldap.primaryUrl: x.x.x.x:389
authentication.ldap.secondaryUrl: y.y.y.y:389
authentication.ldap.useSSL: false
authentication.ldap.userObjectClass: Person
authentication.ldap.usernameAttribute: sAMAccountName
authentication.ldap.groupObjectClass: posixGroup
authentication.ldap.groupNamingAttr: systemauth
authentication.ldap.groupMembershipAttr: memberUid
authentication.ldap.baseDn: OU=Pracownicy,OU=wp-sa,DC=ad,DC=wp-sa,DC=pl
authentication.ldap.bindAnonymously: false
authentication.ldap.managerDn: CN=XYZ,OU=Techniczne,OU=wp-sa,DC=ad,DC=wp-sa,DC=pl
authentication.ldap.managerPassword: *****
Save settings [y/n] (y)? y
Saving...done
{noformat}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
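
Added example (not part of the original report and not Ambari code): a small Python helper that lists the accounts sync-ldap skipped by scanning server log lines for the WARN message quoted above, grouped by parent container. The pattern is derived from the single log line in the report, so other Ambari versions may word it differently; the second sample user is constructed.

```python
import re
from collections import Counter

# Pattern built from the one WARN line quoted in the report (assumption:
# the message wording is the same for every skipped user in this version).
SKIP_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+WARN\s+\[(?P<thread>[^\]]+)\]\s+"
    r"AmbariLdapDataPopulator:\d+ - Ignoring LDAP user (?P<dn>.+?) "
    r"as it doesn't have required attributes (?P<attrs>.+)$"
)

# First and third lines are from the report; the second is constructed.
SAMPLE_LOG = [
    "16:48:38,270  WARN [pool-1-thread-9] AmbariLdapDataPopulator:560 - Ignoring LDAP user "
    "cn=Czarniak Jarosław,ou=Pracownicy,ou=wp-sa,dc=ad,dc=wp-sa,dc=pl "
    "as it doesn't have required attributes uid and sAMAccountName",
    "16:48:38,301  WARN [pool-1-thread-9] AmbariLdapDataPopulator:560 - Ignoring LDAP user "
    "cn=Example User,ou=Pracownicy,ou=wp-sa,dc=ad,dc=wp-sa,dc=pl "
    "as it doesn't have required attributes uid and sAMAccountName",
    "16:50:24,556  INFO [qtp214227661-23] PersistKeyValueService:82 - "
    "Looking for keyName CLUSTER_CURRENT_STATUS   ",
]

def parent_dn(dn):
    """Return the DN without its first RDN, honouring backslash-escaped commas."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1].strip() if len(parts) == 2 else ""

def skipped_users(lines):
    """Return one record per account that the sync ignored."""
    found = []
    for line in lines:
        m = SKIP_RE.match(line.rstrip())
        if m:
            attrs = [a.strip() for a in re.split(r"\s+and\s+|,", m["attrs"]) if a.strip()]
            found.append({"time": m["time"], "dn": m["dn"], "missing": attrs})
    return found

def summarize(lines):
    """Count skipped accounts per parent container to spot a whole-subtree skip."""
    return Counter(parent_dn(u["dn"]) for u in skipped_users(lines))

if __name__ == "__main__":
    for container, count in summarize(SAMPLE_LOG).items():
        print(f"{count} skipped under {container}")
```

If every account under the configured baseDn appears in this list, the problem is in how attributes are read rather than in individual directory entries.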