Posted to user@ambari.apache.org by Darpan Patel <da...@gmail.com> on 2015/12/17 18:19:00 UTC

Need help in Ambari - Active Directory Integration

Hi guys,

I am trying to integrate an A/D 2012 Server with Ambari.
I suspect that some of the properties are not correct.
I have tried various permutations and combinations but have not been successful yet.  Could
anyone review and help fix it?

Active directory domain controller name is : TEST.COM

On the console here are the values I am passing:
$ ambari-server setup-ldap

Setting up LDAP properties...
Primary URL {host:port} : IP_OF_AD_SERVER:389
Use SSL [true/false] : false
User object class : person
User name attribute : sAMAccountName
Group object class : User
Group name attribute : User
Group member attribute : member
Distinguished name attribute : CN=Users,DC=test,DC=com
Base DN : CN=Users,DC=test,DC=com
Referral method [follow/ignore] : ignore
Bind anonymously [true/false] : true

====================
Review Settings
====================
Save settings [y/n] (y)?y
Saving...done
Ambari Server 'setup-ldap' completed successfully.


Regards,
DP

Re: Need help in Ambari - Active Directory Integration

Posted by Darpan Patel <da...@gmail.com>.
Hello Experts,

This issue still persists!
Any idea, guys, what's going wrong?

Regards,
DP


Re: Need help in Ambari - Active Directory Integration

Posted by Darpan Patel <da...@gmail.com>.
I thought that the password could be wrong for the AD user, but with the same AD
user I am able to obtain a TGT,
i.e. for the user in the Ambari properties:
authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
I am able to get a ticket: kinit darpan@TEST.COM.
I am not sure what setting is not correct!

Ambari version: 2.1.2

Thanks,
DP

On 18 December 2015 at 11:31, Robert Levas <rl...@hortonworks.com> wrote:

> Hey Darpan….
>
> The error "LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9,
> comment: AcceptSecurityContext error, data 52e, v1db1" indicates that the
> password you are entering for the account is incorrect.  See
> http://www-01.ibm.com/support/docview.wss?uid=swg21290631; under "Common
> Active Directory LDAP bind errors" it reads:
>
> 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error,
> data 52e, v893
> HEX: 0x52e - invalid credentials
> DEC: 1326 - ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad
> password.)
> NOTE: Returns when username is valid but password/credential is invalid.
> Will prevent most other errors from being displayed as noted.
>
> As for your issue with no longer being allowed to log in using local user
> accounts, what version of Ambari are you using?
>
> Rob
>
>
>
> From: Darpan Patel <da...@gmail.com>
> Reply-To: "user@ambari.apache.org" <us...@ambari.apache.org>
> Date: Friday, December 18, 2015 at 5:39 AM
>
> To: "user@ambari.apache.org" <us...@ambari.apache.org>
> Subject: Re: Need help in Ambari - Active Directory Integration
>
> Hi Folks,
>
> While trying to set up A/D for Ambari, I am also not able to log in to the
> Ambari console using the default admin/admin, nor am I able to sync fully.
>
> My Active Directory domain is TEST.COM and one of the valid users in it is
> Darpan Patel (principal: darpan@TEST.COM). Here is the list of properties
> from /etc/ambari-server/conf/ambari.properties
>
> With the following properties I am still not able to sync the users.
>
> api.authenticate=true
> authentication.ldap.baseDn=CN=Users,DC=test,DC=com
> authentication.ldap.bindAnonymously=false
> authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com
> authentication.ldap.groupMembershipAttr=uid
> authentication.ldap.groupNamingAttr=cn
> authentication.ldap.groupObjectClass=group
> authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
>
> authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
> authentication.ldap.primaryUrl=IP_OF_AD_MACHINE:389
> authentication.ldap.referral=ignore
> authentication.ldap.secondaryUrl=IP_OF_AD_MACHINE:389
> authentication.ldap.useSSL=false
> authentication.ldap.userObjectClass=person
> authentication.ldap.usernameAttribute=sAMAccountName
>
> Here is the sequence of what I am trying to do:
>
> 1) $ ambari-server setup-ldap
> 2) Enter the above properties
> 3) Restart the ambari server
> 4) $ambari-server sync-ldap --all
> 5) Enter admin id/password (i.e. default Ambari Admin userid :
> admin/admin) also tried with darpan, darpan@TEST.COM
> 6) In all the cases I see :
> Syncing all.ERROR: Exiting with exit code 1.
> REASON: Sync event creation failed. Error details: HTTP Error 403: [LDAP:
> error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment:
> AcceptSecurityContext error, data 52e, v1db1]; nested exception is
> javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
> LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e,
> v1db1]
> 7) Log shows :
>
> 18 Dec 2015 10:27:34,899  WARN [qtp-client-26]
> AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials
> (that are used for connecting to LDAP server) are invalid.
> org.springframework.security.authentication.InternalAuthenticationServiceException:
> [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment:
> AcceptSecurityContext error, data 52e, v1db1]; nested exception is
> javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
> LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e,
> v1db1]
>
> --------------
> The interesting thing is: I am no longer able to log in to Ambari using the
> admin/admin user. On the Ambari portal, when I use admin/admin it says
> invalid credentials.  So I tried resetting the password to the default by
> changing it in the ambari.users db (update ambari.users set
> user_password='538916f8943ec225d97a9a86a2c6ec0818c1cd400e09e03b660fdaaec4af29ddbb6f2b1033b81b00'
> where user_name='admin')
>
> Curiously, when I look at the ambari.users table, a few of the A/D users are
> present in it. For example:
>
>
> ambari=> select * from ambari.users;
>  user_id | principal_id | ldap_user |   user_name   |        create_time         | active
> ---------+--------------+-----------+---------------+----------------------------+--------
>       12 |            4 |         1 | pratlu        | 2015-12-17 17:49:05.699    |      1
>        3 |            6 |         1 | darpan        | 2015-12-17 17:49:05.699    |      1
>       13 |            3 |         1 | administrator | 2015-12-17 17:49:05.699    |      1
>        4 |            5 |         1 | test          | 2015-12-17 17:49:05.699    |      1
>       14 |           11 |         1 | sanjay.sharma | 2015-12-17 17:49:05.699    |      1
>        8 |            7 |         1 | guest         | 2015-12-17 17:49:05.699    |      1
>       10 |           14 |         1 | hadoop.com$   | 2015-12-17 17:49:05.699    |      1
>        9 |           10 |         1 | devuser       | 2015-12-17 17:49:05.699    |      1
>       11 |           12 |         1 | dgotl         | 2015-12-17 17:49:05.699    |      1
>        7 |            9 |         1 | krbtgt        | 2015-12-17 17:49:05.699    |      1
>        1 |            1 |         1 | admin         | 2015-11-09 23:47:08.368558 |      1
>
> I also tried logging in to the Ambari web console using darpan,
> darpan@TEST.COM and admin/admin, but it does not work!!
>
> Did anyone face a similar issue? Or can anyone suggest a workaround?
>
> Regards,
> Arpan
>
> On 17 December 2015 at 23:25, Darpan Patel <da...@gmail.com> wrote:
>
>> Thanks Robert for the quick reply.
>>
>> I am copying the DN from Active Directory: CN=Darpan
>> Patel,CN=Users,DC=test,DC=com and keeping the same while configuring the
>> Ambari LDAP setting, i.e. Manager DN: CN=Darpan
>> Patel,CN=Users,DC=test,DC=com
>>
>> But the error is still the same : Syncing all.ERROR: Exiting with exit
>> code 1.
>> REASON: Sync event creation failed. Error details: HTTP Error 403: Bad
>> credentials
>>
>>
>> On 17 December 2015 at 21:51, Robert Levas <rl...@hortonworks.com>
>> wrote:
>>
>>> Darpan…
>>>
>>> The Manager DN request is expecting a distinguished name value, not a
>>> principal name.  A distinguished name would look something like
>>> CN=darpan,CN=Users,DC=test,DC=com, which may reference the same
>>> account as darpan@TEST.COM (which would be the userPrincipalName) or
>>> darpan (which would be the sAMAccountName).
>>>
>>> Rob
>>>
>>>
>>> From: Darpan Patel <da...@gmail.com>
>>> Reply-To: "user@ambari.apache.org" <us...@ambari.apache.org>
>>> Date: Thursday, December 17, 2015 at 4:35 PM
>>>
>>> To: "user@ambari.apache.org" <us...@ambari.apache.org>
>>> Subject: Re: Need help in Ambari - Active Directory Integration
>>>
>>> Many Thanks Robert.
>>>
>>> I made the corresponding changes, specifying bind anonymously as
>>> false.  Thanks, the old issue is gone now. But I am still facing a strange
>>> issue. I am giving the Manager DN = darpan@TEST.COM and trying to sync
>>> all the users of AD, but on the console I see:
>>>
>>> Syncing all.ERROR: Exiting with exit code 1.
>>> REASON: Sync event creation failed. Error details: HTTP Error 403: Bad
>>> credentials
>>>
>>> (It is kind of strange because I just obtained a valid TGT using kinit
>>> darpan@TEST.COM without any issues!!!!)
>>>
>>> There is only one line in the logs:
>>> 17 Dec 2015 21:24:07,682  INFO [qtp-client-23]
>>> FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be
>>> performed from the root: cn=Users,dc=test,dc=com
>>>
>>> Regards,
>>> DP
>>>
>>>
>>> On 17 December 2015 at 17:55, Robert Levas <rl...@hortonworks.com>
>>> wrote:
>>>
>>>> However, I don’t think that these changes will help with the
>>>> authentication/bind issue.  For that, when asked to bind anonymously, you
>>>> should answer false and then set the Manager DN value to the DN of a
>>>> user with read access to the specified container in your Active Directory.
>>>>
>>>> I hope this helps,
>>>>
>>>> Rob
>>>>
>>>>
>>>> From: Darpan Patel <da...@gmail.com>
>>>> Reply-To: "user@ambari.apache.org" <us...@ambari.apache.org>
>>>> Date: Thursday, December 17, 2015 at 12:20 PM
>>>> To: "user@ambari.apache.org" <us...@ambari.apache.org>
>>>> Subject: Re: Need help in Ambari - Active Directory Integration
>>>>
>>>> Forgot to mention that logs show Naming Exception.
>>>> [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In
>>>> order to perform this operation a successful bind must be completed on the
>>>> connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'
>>>>
>>>> 17 Dec 2015 16:36:08,801 FATAL [pool-7-thread-1]
>>>> AbstractRequestControlDirContextProcessor:186 - No matching response
>>>> control found for paged results - looking for 'class
>>>> javax.naming.ldap.PagedResultsResponseControl
>>>> 17 Dec 2015 16:36:08,802 ERROR [pool-7-thread-1]
>>>> LdapSyncEventResourceProvider:434 - Caught exception running LDAP sync.
>>>> org.springframework.ldap.UncategorizedLdapException: Uncategorized
>>>> exception occured during LDAP processing; nested exception is
>>>> javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr:
>>>> DSID-0C0906E8, comment: In order to perform this operation a successful
>>>> bind must be completed on the connection., data 0, v1db1]; remaining name
>>>> 'CN=Users,DC=test,DC=com'
>>>>         at
>>>> org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:217)
>>>>         at
>>>> org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:319)
>>>>         at
>>>> org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
>>>>         at
>>>> org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
>>>>         at
>>>> org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:549)
>>>>
>>>>
>>>> On 17 December 2015 at 17:19, Darpan Patel <da...@gmail.com> wrote:
>>>>
>>>>> Hi guys,
>>>>>
>>>>> I am trying to integrate an A/D 2012 Server with Ambari.
>>>>> I suspect that some of the properties are not correct.
>>>>> I have tried various permutations and combinations but have not been successful yet.
>>>>> Could anyone review and help fix it?
>>>>>
>>>>> Active directory domain controller name is : TEST.COM
>>>>>
>>>>> On the console here are the values I am passing:
>>>>> $ ambari-server setup-ldap
>>>>>
>>>>> Setting up LDAP properties...
>>>>> Primary URL {host:port} : IP_OF_AD_SERVER:389
>>>>> Use SSL [true/false] : false
>>>>> User object class : person
>>>>> User name attribute : sAMAccountName
>>>>> Group object class : User
>>>>> Group name attribute : User
>>>>> Group member attribute : member
>>>>> Distinguished name attribute : CN=Users,DC=test,DC=com
>>>>> Base DN : CN=Users,DC=test,DC=com
>>>>> Referral method [follow/ignore] : ignore
>>>>> Bind anonymously [true/false] : true
>>>>>
>>>>> ====================
>>>>> Review Settings
>>>>> ====================
>>>>> Save settings [y/n] (y)?y
>>>>> Saving...done
>>>>> Ambari Server 'setup-ldap' completed successfully.
>>>>>
>>>>>
>>>>> Regards,
>>>>> DP
>>>>>
>>>>
>>>>
>>>
>>
>

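The two points Rob makes in the quoted replies above (the Manager DN must be a distinguished name rather than a principal name, and bind anonymously must be false whenever a Manager DN is used) can be checked mechanically against ambari.properties before restarting the server. The lint below is an added example, not Ambari's code and not from the thread; the checks on dnAttribute, groupMembershipAttr and useSSL go beyond what the thread states and encode Active Directory's usual schema (distinguishedName, member) and the clear-text simple-bind caveat as my own assumptions:

```python
"""Lint the authentication.ldap.* block of ambari.properties against Rob's two
points (managerDn must be a DN, bindAnonymously must be false when a managerDn
is used) plus the AD schema assumptions flagged in the comments."""
import re

# An LDAP DN: one or more "attr=value" RDNs separated by commas. Escaped commas
# inside values are not handled; enough for the DNs quoted in this thread.
_DN_RE = re.compile(r"^\s*[A-Za-z][\w-]*=[^,]+(\s*,\s*[A-Za-z][\w-]*=[^,]+)*\s*$")

# Constructed sample: the property set posted in the thread, with managerDn set
# to the userPrincipalName that was tried first (darpan@TEST.COM).
SAMPLE_PROPERTIES = """\
api.authenticate=true
authentication.ldap.baseDn=CN=Users,DC=test,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com
authentication.ldap.groupMembershipAttr=uid
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=darpan@TEST.COM
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=IP_OF_AD_MACHINE:389
authentication.ldap.referral=ignore
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=person
authentication.ldap.usernameAttribute=sAMAccountName
"""


def looks_like_dn(value):
    """True for 'CN=Darpan Patel,CN=Users,DC=test,DC=com', False for a UPN or bare name."""
    return bool(_DN_RE.match(value))


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments, blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def lint_ldap_properties(props):
    """Return a list of (property, finding) pairs; an empty list means nothing to fix."""
    p = "authentication.ldap."
    findings = []
    anonymous = props.get(p + "bindAnonymously", "false").lower() == "true"
    manager_dn = props.get(p + "managerDn", "")

    # Rob's second point: with an anonymous bind the manager credentials are
    # never sent, so AD answers the sync's searches with error code 1 (000004DC).
    if anonymous and manager_dn:
        findings.append((p + "bindAnonymously", "true, so managerDn is ignored; set it to false"))
    if not anonymous and not manager_dn:
        findings.append((p + "managerDn", "missing although bindAnonymously is false"))

    # Rob's first point: the manager account must be named by its distinguished name.
    if manager_dn and not looks_like_dn(manager_dn):
        what = "looks like a userPrincipalName" if "@" in manager_dn else "is not a DN"
        findings.append((p + "managerDn", what + "; expected e.g. CN=<name>,CN=Users,DC=test,DC=com"))

    # Assumption (AD schema, not stated in the thread): dnAttribute names the
    # attribute holding each entry's DN (distinguishedName on AD), not a container.
    if looks_like_dn(props.get(p + "dnAttribute", "")):
        findings.append((p + "dnAttribute", "is a DN; expected an attribute name such as distinguishedName"))

    # Assumption (AD schema): 'group' objects list their members in 'member'.
    if (props.get(p + "groupObjectClass", "").lower() == "group"
            and props.get(p + "groupMembershipAttr", "") != "member"):
        findings.append((p + "groupMembershipAttr", "AD group objects use 'member'"))

    # Defender caveat: a simple bind over plain LDAP sends the manager password
    # to the domain controller in clear text.
    if props.get(p + "useSSL", "false").lower() != "true":
        findings.append((p + "useSSL", "false; the manager password crosses the network in clear text"))
    return findings


if __name__ == "__main__":
    for prop, finding in lint_ldap_properties(parse_properties(SAMPLE_PROPERTIES)):
        print(f"{prop}: {finding}")
```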
Re: Need help in Ambari - Active Directory Integration

Posted by Robert Levas <rl...@hortonworks.com>.
Hey Darpan....

The error "LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1" indicates that the password you are entering for the account is incorrect.  See http://www-01.ibm.com/support/docview.wss?uid=swg21290631; under "Common Active Directory LDAP bind errors" it reads:

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
HEX: 0x52e - invalid credentials
DEC: 1326 - ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad password.)
NOTE: Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.

As for your issue with no longer being allowed to log in using local user accounts, what version of Ambari are you using?

Rob



From: Darpan Patel <da...@gmail.com>>
Reply-To: "user@ambari.apache.org<ma...@ambari.apache.org>" <us...@ambari.apache.org>>
Date: Friday, December 18, 2015 at 5:39 AM
To: "user@ambari.apache.org<ma...@ambari.apache.org>" <us...@ambari.apache.org>>
Subject: Re: Need help in Ambari - Active Directory Integration

Hi Folks,

While trying to setup A/D for Ambari, I am not able to login to Ambari console also using default admin/admin. Neither able to synch fully.

My Active Directory domain is : TEST.COM<http://TEST.COM> and one of the valid users in that is Darpan Patel (principal : darpan@TEST.COM<ma...@TEST.COM>). Here are the list of properties from /etc/ambari-server/conf/ambari.properties

With the following properties still I am not able to synch the users.

api.authenticate=true
authentication.ldap.baseDn=CN=Users,DC=test,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com
authentication.ldap.groupMembershipAttr=uid
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=IP_OF_AD_MACHINE:389
authentication.ldap.referral=ignore
authentication.ldap.secondaryUrl=IP_OF_AD_MACHINE:389
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=person
authentication.ldap.usernameAttribute=sAMAccountName

Here is the list of sequence what I am trying to do :

1) $ ambari-server setup-ldap
2) Enter the above properties
3) Restart the ambari server
4) $ambari-server sync-ldap --all
5) Enter admin id/password (i.e. default Ambari Admin userid : admin/admin) also tried with darpan, darpan@TEST.COM<ma...@TEST.COM>
6) In all the cases I see :
Syncing all.ERROR: Exiting with exit code 1.
REASON: Sync event creation failed. Error details: HTTP Error 403: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
7) Log shows :

18 Dec 2015 10:27:34,899  WARN [qtp-client-26] AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials (that are used for connecting to LDAP server) are invalid.
org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]

--------------
Interesting thing is : I am no longer to login to Ambari using admin/admin user. On the ambari portal : when I use admin/admin it says invalid credentials.  So I tried resetting the password to default by changing in the ambari.users db (update ambari.users set user_password='538916f8943ec225d97a9a86a2c6ec0818c1cd400e09e03b660fdaaec4af29ddbb6f2b1033b81b00' where user_name='admin')

To my curiosity when I see the ambari.users table few of the A/D users are present in the table. for example :


ambari=> select * from ambari.users;
 user_id | principal_id | ldap_user |   user_name   |        create_time         | active |
 --------+--------------+-----------+---------------+----------------------------+------
      12 |            4 |         1 | pratlu        | 2015-12-17 17:49:05.699    |1 |
       3 |            6 |         1 | darpan        | 2015-12-17 17:49:05.699    |1 |
      13 |            3 |         1 | administrator | 2015-12-17 17:49:05.699    |1 |
       4 |            5 |         1 | test          | 2015-12-17 17:49:05.699    |1 |
      14 |           11 |         1 | sanjay.sharma | 2015-12-17 17:49:05.699    |1 |
       8 |            7 |         1 | guest         | 2015-12-17 17:49:05.699    |1 |
      10 |           14 |         1 | hadoop.com<http://hadoop.com>$   | 2015-12-17 17:49:05.699    |1 |
       9 |           10 |         1 | devuser       | 2015-12-17 17:49:05.699    |1 |
      11 |           12 |         1 | dgotl         | 2015-12-17 17:49:05.699    |1 |
       7 |            9 |         1 | krbtgt        | 2015-12-17 17:49:05.699    |1 |
       1 |            1 |         1 | admin         | 2015-11-09 23:47:08.368558 |1 |

I also tried logging in to ambari web console using darpan, darpan@TEST.COM<ma...@TEST.COM>, admin/admin but it does not work!!

Did any one face similar issue ? Or can anyone suggest work around?

Regards,
Arpan

On 17 December 2015 at 23:25, Darpan Patel <da...@gmail.com>> wrote:
Thanks Robert for the quick reply.

I am copying the DN from Active directory : CN=Darpan Patel,CN=Users,DC=test,DC=com and keeping the same while configuring the Ambari LDAP setting.  i.e. Manager DN*: CN=Darpan Patel,CN=Users,DC=test,DC=com

But the error is still the same : Syncing all.ERROR: Exiting with exit code 1.
REASON: Sync event creation failed. Error details: HTTP Error 403: Bad credentials


On 17 December 2015 at 21:51, Robert Levas <rl...@hortonworks.com>> wrote:
Darpan…

The Manger DN request is expecting a distinguished name value, not a principal name.  A distinguished name would look something like CN=darpan,CN=Users,DC=test,DC=com, which may reference the same account as darpan@TEST.COM<ma...@TEST.COM> (which would be the userPrincipalName) or darpan (which would be be sAMAccountName).

Rob


From: Darpan Patel <da...@gmail.com>
Reply-To: "user@ambari.apache.org" <us...@ambari.apache.org>
Date: Thursday, December 17, 2015 at 4:35 PM

To: "user@ambari.apache.org" <us...@ambari.apache.org>
Subject: Re: Need help in Ambari - Active Directory Integration

Many Thanks Robert.

I made the corresponding changes and set bind anonymously to false.  Thanks, the old issue is gone now. But still I am facing a strange issue. I am giving the Manager DN = darpan@TEST.COM and trying to synch all the users of AD but on the console I see :

Syncing all.ERROR: Exiting with exit code 1.
REASON: Sync event creation failed. Error details: HTTP Error 403: Bad credentials

(It is kind of strange because I just issued the valid TGT using kinit darpan@TEST.COM without any issues!!!!)

There is only one line in the logs:
17 Dec 2015 21:24:07,682  INFO [qtp-client-23] FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be performed from the root: cn=Users,dc=test,dc=com

Regards,
DP


On 17 December 2015 at 17:55, Robert Levas <rl...@hortonworks.com> wrote:
However, I don’t think that these changes will help with the authentication/bind issue.  For that, when asked to bind anonymously, you should answer false and then set the Manager DN value to the DN of a user with read access to the specified container in your Active Directory.

I hope this helps,

Rob


From: Darpan Patel <da...@gmail.com>
Reply-To: "user@ambari.apache.org" <us...@ambari.apache.org>
Date: Thursday, December 17, 2015 at 12:20 PM
To: "user@ambari.apache.org" <us...@ambari.apache.org>
Subject: Re: Need help in Ambari - Active Directory Integration

Forgot to mention that logs show Naming Exception.
[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'

17 Dec 2015 16:36:08,801 FATAL [pool-7-thread-1] AbstractRequestControlDirContextProcessor:186 - No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl
17 Dec 2015 16:36:08,802 ERROR [pool-7-thread-1] LdapSyncEventResourceProvider:434 - Caught exception running LDAP sync.
org.springframework.ldap.UncategorizedLdapException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'
        at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:217)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:319)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
        at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:549)


On 17 December 2015 at 17:19, Darpan Patel <da...@gmail.com> wrote:
Hi guys,

I am trying to integrate A/D 2012 Server with Ambari.
I have doubt that some of the properties are not correct.
I have tried various permutation combinations but not successful yet.  Could anyone review and help fixing it ?

Active directory domain controller name is : TEST.COM

On the console here are the values I am passing:
$ambari-server setup-ldap

Setting up LDAP properties...
Primary URL* {host:port} :IP_OF_AD_SERVER:389
Use SSL* [true/false] : false
User object class* :person
User name attribute* :sAMAccountName
Group object class* :User
Group name attribute* : User
Group member attribute* :member
Distinguished name attribute* :CN=Users,DC=test,DC=com
Base DN* :CN=Users,DC=test,DC=com
Referral method [follow/ignore] :ignore
Bind anonymously* [true/false] :true

====================
Review Settings
====================
Save settings [y/n] (y)?y
Saving...done
Ambari Server 'setup-ldap' completed successfully.


Regards,
DP





Re: Need help in Ambari - Active Directory Integration

Posted by Darpan Patel <da...@gmail.com>.
Hi Folks,

While trying to set up A/D for Ambari, I am not able to log in to the Ambari
console, even using the default admin/admin. Nor am I able to synch fully.

My Active Directory domain is : TEST.COM and one of the valid users in that
is Darpan Patel (principal : darpan@TEST.COM). Here is the list of
properties from /etc/ambari-server/conf/ambari.properties

With the following properties still I am not able to synch the users.

api.authenticate=true
authentication.ldap.baseDn=CN=Users,DC=test,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com
authentication.ldap.groupMembershipAttr=uid
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=IP_OF_AD_MACHINE:389
authentication.ldap.referral=ignore
authentication.ldap.secondaryUrl=IP_OF_AD_MACHINE:389
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=person
authentication.ldap.usernameAttribute=sAMAccountName

Here is the sequence of what I am trying to do :

1) $ ambari-server setup-ldap
2) Enter the above properties
3) Restart the ambari server
4) $ambari-server sync-ldap --all
5) Enter admin id/password (i.e. default Ambari Admin userid : admin/admin)
also tried with darpan, darpan@TEST.COM
6) In all the cases I see :
Syncing all.ERROR: Exiting with exit code 1.
*REASON: Sync event creation failed. Error details: HTTP Error 403: [LDAP:
error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment:
AcceptSecurityContext error, data 52e, v1db1]; nested exception is
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e,
v1db1]*
7) Log shows :

18 Dec 2015 10:27:34,899  WARN [qtp-client-26]
AmbariLdapAuthenticationProvider:71 - Looks like LDAP manager credentials
(that are used for connecting to LDAP server) are invalid.
org.springframework.security.authentication.InternalAuthenticationServiceException:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment:
AcceptSecurityContext error, data 52e, v1db1]; nested exception is
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e,
v1db1]

--------------
Interesting thing is : *I am no longer able to log in to Ambari using the admin/admin
user*. On the ambari portal : when I use admin/admin it says invalid
credentials.  So I tried resetting the password to default by changing in
the ambari.users db (update ambari.users set
user_password='538916f8943ec225d97a9a86a2c6ec0818c1cd400e09e03b660fdaaec4af29ddbb6f2b1033b81b00'
where user_name='admin')

Curiously, when I look at the ambari.users table, a few of the A/D users are
present in the table. For example :


ambari=> select * from ambari.users;
 user_id | principal_id | ldap_user |   user_name   |        create_time         | active |
---------+--------------+-----------+---------------+----------------------------+--------+
      12 |            4 |         1 | pratlu        | 2015-12-17 17:49:05.699    |      1 |
       3 |            6 |         1 | darpan        | 2015-12-17 17:49:05.699    |      1 |
      13 |            3 |         1 | administrator | 2015-12-17 17:49:05.699    |      1 |
       4 |            5 |         1 | test          | 2015-12-17 17:49:05.699    |      1 |
      14 |           11 |         1 | sanjay.sharma | 2015-12-17 17:49:05.699    |      1 |
       8 |            7 |         1 | guest         | 2015-12-17 17:49:05.699    |      1 |
      10 |           14 |         1 | hadoop.com$   | 2015-12-17 17:49:05.699    |      1 |
       9 |           10 |         1 | devuser       | 2015-12-17 17:49:05.699    |      1 |
      11 |           12 |         1 | dgotl         | 2015-12-17 17:49:05.699    |      1 |
       7 |            9 |         1 | krbtgt        | 2015-12-17 17:49:05.699    |      1 |
       1 |            1 |         1 | admin         | 2015-11-09 23:47:08.368558 |      1 |

I also tried logging in to ambari web console using darpan, darpan@TEST.COM,
admin/admin but it does not work!!

Did any one face similar issue ? Or can anyone suggest work around?

Regards,
Arpan

On 17 December 2015 at 23:25, Darpan Patel <da...@gmail.com> wrote:

> Thanks Robert for the quick reply.
>
> I am copying the DN from Active directory : CN=Darpan
> Patel,CN=Users,DC=test,DC=com and keeping the same while configuring the
> Ambari LDAP setting.  i.e. Manager DN*: CN=Darpan
> Patel,CN=Users,DC=test,DC=com
>
> But the error is still the same : Syncing all.ERROR: Exiting with exit
> code 1.
> REASON: Sync event creation failed. Error details: HTTP Error 403: Bad
> credentials
>
>
> On 17 December 2015 at 21:51, Robert Levas <rl...@hortonworks.com> wrote:
>
>> Darpan…
>>
>> The Manager DN request is expecting a distinguished name value, not a
>> principal name.  A distinguished name would look something like
>> *CN=darpan,CN=Users,DC=test,DC=com*, which may reference the same
>> account as darpan@TEST.COM (which would be the userPrincipalName) or
>> darpan (which would be sAMAccountName).
>>
>> Rob
>>
>>
>> From: Darpan Patel <da...@gmail.com>
>> Reply-To: "user@ambari.apache.org" <us...@ambari.apache.org>
>> Date: Thursday, December 17, 2015 at 4:35 PM
>>
>> To: "user@ambari.apache.org" <us...@ambari.apache.org>
>> Subject: Re: Need help in Ambari - Active Directory Integration
>>
>> Many Thanks Robert.
>>
>> I made the corresponding changes and set bind anonymously to
>> false.  Thanks, the old issue is gone now. But still I am facing a strange
>> issue. I am giving the Manager DN = darpan@TEST.COM and trying to synch
>> all the users of AD but on the console I see :
>>
>> *Syncing all.ERROR: Exiting with exit code 1.*
>> *REASON: Sync event creation failed. Error details: HTTP Error 403: Bad
>> credentials*
>>
>> *(It is kind of strange because I just issued the valid TGT using kinit
>> darpan@TEST.COM without any issues!!!!)*
>>
>> There is only one line in the logs:
>> 17 Dec 2015 21:24:07,682  INFO [qtp-client-23]
>> FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be
>> performed from the root: cn=Users,dc=test,dc=com
>>
>> Regards,
>> DP
>>
>>
>> On 17 December 2015 at 17:55, Robert Levas <rl...@hortonworks.com>
>> wrote:
>>
>>> However, I don’t think that these changes will help with the
>>> authentication/bind issue.  For that, when asked to bind anonymously, you
>>> should answer *false* and then set the Manager DN value to the DN of a
>>> user with read access to the specified container in your Active Directory.
>>>
>>> I hope this helps,
>>>
>>> Rob
>>>
>>>
>>> From: Darpan Patel <da...@gmail.com>
>>> Reply-To: "user@ambari.apache.org" <us...@ambari.apache.org>
>>> Date: Thursday, December 17, 2015 at 12:20 PM
>>> To: "user@ambari.apache.org" <us...@ambari.apache.org>
>>> Subject: Re: Need help in Ambari - Active Directory Integration
>>>
>>> Forgot to mention that logs show Naming Exception.
>>> [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In
>>> order to perform this operation a successful bind must be completed on the
>>> connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'
>>>
>>> 17 Dec 2015 16:36:08,801 FATAL [pool-7-thread-1]
>>> AbstractRequestControlDirContextProcessor:186 - No matching response
>>> control found for paged results - looking for 'class
>>> javax.naming.ldap.PagedResultsResponseControl
>>> 17 Dec 2015 16:36:08,802 ERROR [pool-7-thread-1]
>>> LdapSyncEventResourceProvider:434 - Caught exception running LDAP sync.
>>> *org.springframework.ldap.UncategorizedLdapException: Uncategorized
>>> exception occured during LDAP processing; nested exception is
>>> javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr:
>>> DSID-0C0906E8, comment: In order to perform this operation a successful
>>> bind must be completed on the connection., data 0, v1db1]; remaining name
>>> 'CN=Users,DC=test,DC=com'*
>>>         at
>>> org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:217)
>>>         at
>>> org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:319)
>>>         at
>>> org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
>>>         at
>>> org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
>>>         at
>>> org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:549)
>>>
>>>
>>> On 17 December 2015 at 17:19, Darpan Patel <da...@gmail.com> wrote:
>>>
>>>> Hi guys,
>>>>
>>>> I am trying to integrate A/D 2012 Server with Ambari.
>>>> I have doubt that some of the properties are not correct.
>>>> I have tried various permutation combinations but not successful yet.
>>>> Could anyone review and help fixing it ?
>>>>
>>>> *Active directory domain controller* name is : TEST.COM
>>>>
>>>> On the console here are the values I am passing:
>>>> *$ambari-server setup-ldap*
>>>>
>>>> Setting up LDAP properties...
>>>> *Primary URL* {host:port}* :IP_OF_AD_SERVER:389
>>>> *Use SSL* [true/false] *: false
>>>> *User object class** :person
>>>> *User name attribute** :sAMAccountName
>>>> *Group object class* :*User
>>>> *Group name attribute* : *User
>>>> *Group member attribute* :*member
>>>> *Distinguished name attribute* :*CN=Users,DC=test,DC=com
>>>> *Base DN* :*CN=Users,DC=test,DC=com
>>>> *Referral method [follow/ignore] :*ignore
>>>> *Bind anonymously* [*true/false] :true
>>>>
>>>> ====================
>>>> Review Settings
>>>> ====================
>>>> Save settings [y/n] (y)?y
>>>> Saving...done
>>>> Ambari Server 'setup-ldap' completed successfully.
>>>>
>>>>
>>>> Regards,
>>>> DP
>>>>
>>>
>>>
>>
>
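
As an added example (not code from this thread or from Ambari), here is a small Python checker that applies the points made in the thread to the configuration pasted above: it tells a DN from a userPrincipalName or sAMAccountName as Rob describes, flags the dnAttribute / group settings he asked to change (plus groupMembershipAttr=uid and useSSL=false), and decodes the "data 52e" and "000004DC" diagnostics from the quoted log lines. The AD sub-code meanings are Microsoft's documented ones; the sample properties and error strings are the ones quoted in this post, and the script never connects to a directory.

```python
# Example added to this thread, not part of Ambari: it inspects the pasted
# ambari.properties text and log lines only and never contacts a directory.
import re

# AD sub-codes carried in "data NNN" of LDAP error 49 (AcceptSecurityContext
# error), as documented by Microsoft; 52e is the one seen in the thread.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or the manager DN names no account)",
    "532": "password expired",
    "533": "account disabled",
    "775": "account locked out",
}
# Result code, AD hex code and "data" sub-code inside a JNDI exception message.
_AD_ERR_RE = re.compile(
    r"LDAP: error code (\d+) - ([0-9A-Fa-f]+): LdapErr: .*?data ([0-9A-Za-z]+)", re.S)
# One or more "attr=value" RDNs separated by commas (the RFC 4514 DN shape).
_DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")

def decode_ad_bind_error(message):
    """Explain the AD diagnostic embedded in an ambari-server log or console line."""
    m = _AD_ERR_RE.search(message)
    if not m:
        return None  # no AD diagnostic in this text
    code, ad_code, data = m.groups()
    if code == "1" and ad_code.upper() == "000004DC":
        meaning = "search sent before a successful bind; AD refuses anonymous searches"
    elif code == "49":
        meaning = AD_BIND_SUBCODES.get(data.lower(), "unknown AcceptSecurityContext sub-code")
    else:
        meaning = "LDAP result code " + code
    return {"result_code": code, "ad_code": ad_code, "data": data, "meaning": meaning}

def classify_identity(value):
    """Tell a DN (CN=...,DC=...) from a userPrincipalName (user@REALM) or a sAMAccountName."""
    v = value.strip()
    if not v:
        return "empty"
    if _DN_RE.match(v):
        return "dn"
    if re.fullmatch(r"[^@\s,=]+@[^@\s,=]+", v):
        return "userPrincipalName"
    if re.fullmatch(r"[^@\s,=]+", v):
        return "sAMAccountName"
    return "unknown"

def parse_properties(text):
    """Minimal reader for the key=value lines of a Java .properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, val = line.partition("=")
            props[key.strip()] = val.strip()
    return props

def lint_ad_config(props):
    """Findings for authentication.ldap.* values that will not work against AD."""
    get = lambda k: props.get("authentication.ldap." + k, "")
    findings = []
    if get("bindAnonymously").lower() == "true":
        findings.append("bindAnonymously=true: AD answers searches with error 1 / 000004DC")
    elif classify_identity(get("managerDn")) != "dn":
        findings.append("managerDn is %s, not a distinguished name"
                        % classify_identity(get("managerDn")))
    if classify_identity(get("dnAttribute")) == "dn":
        findings.append("dnAttribute holds a DN; it must name an attribute (distinguishedName)")
    for key, want in (("groupObjectClass", "group"), ("groupNamingAttr", "cn"),
                      ("groupMembershipAttr", "member"), ("usernameAttribute", "sAMAccountName")):
        if get(key).lower() != want.lower():
            findings.append("%s=%r; for AD use %r" % (key, get(key), want))
    if get("useSSL").lower() != "true":
        findings.append("useSSL=false: the manager password crosses the network in clear text")
    return findings

# Properties as pasted in the thread (the AD host is already a placeholder there).
THREAD_PROPERTIES = """
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=CN=Users,DC=test,DC=com
authentication.ldap.groupMembershipAttr=uid
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=group
authentication.ldap.managerDn=CN=Darpan Patel,CN=users,DC=test,DC=com
authentication.ldap.useSSL=false
authentication.ldap.usernameAttribute=sAMAccountName
"""
# The two diagnostics quoted in the thread, each joined back onto one line.
ERROR_49 = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: "
            "AcceptSecurityContext error, data 52e, v1db1]")
ERROR_1 = ("[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to "
           "perform this operation a successful bind must be completed on the connection., "
           "data 0, v1db1]")

if __name__ == "__main__":
    for finding in lint_ad_config(parse_properties(THREAD_PROPERTIES)):
        print("config:", finding)
    for err in (ERROR_49, ERROR_1):
        print("log:", decode_ad_bind_error(err)["meaning"])
```

Run against the pasted properties it reports three findings (dnAttribute, groupMembershipAttr, useSSL) and none for managerDn, which matches Rob's reading that the 52e failure is the bind password rather than the DN format.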

Re: Need help in Ambari - Active Directory Integration

Posted by Darpan Patel <da...@gmail.com>.
Thanks Robert for the quick reply.

I am copying the DN from Active directory : CN=Darpan
Patel,CN=Users,DC=test,DC=com and keeping the same while configuring the
Ambari LDAP setting.  i.e. Manager DN*: CN=Darpan
Patel,CN=Users,DC=test,DC=com

But the error is still the same : Syncing all.ERROR: Exiting with exit code
1.
REASON: Sync event creation failed. Error details: HTTP Error 403: Bad
credentials


On 17 December 2015 at 21:51, Robert Levas <rl...@hortonworks.com> wrote:

> Darpan…
>
> The Manager DN request is expecting a distinguished name value, not a
> principal name.  A distinguished name would look something like
> *CN=darpan,CN=Users,DC=test,DC=com*, which may reference the same account
> as darpan@TEST.COM (which would be the userPrincipalName) or darpan
> (which would be sAMAccountName).
>
> Rob
>
>
> From: Darpan Patel <da...@gmail.com>
> Reply-To: "user@ambari.apache.org" <us...@ambari.apache.org>
> Date: Thursday, December 17, 2015 at 4:35 PM
>
> To: "user@ambari.apache.org" <us...@ambari.apache.org>
> Subject: Re: Need help in Ambari - Active Directory Integration
>
> Many Thanks Robert.
>
> I made the corresponding changes and set bind anonymously to
> false.  Thanks, the old issue is gone now. But still I am facing a strange
> issue. I am giving the Manager DN = darpan@TEST.COM and trying to synch
> all the users of AD but on the console I see :
>
> *Syncing all.ERROR: Exiting with exit code 1.*
> *REASON: Sync event creation failed. Error details: HTTP Error 403: Bad
> credentials*
>
> *(It is kind of strange because I just issued the valid TGT using kinit
> darpan@TEST.COM without any issues!!!!)*
>
> There is only one line in the logs:
> 17 Dec 2015 21:24:07,682  INFO [qtp-client-23]
> FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be
> performed from the root: cn=Users,dc=test,dc=com
>
> Regards,
> DP
>
>
> On 17 December 2015 at 17:55, Robert Levas <rl...@hortonworks.com> wrote:
>
>> However, I don’t think that these changes will help with the
>> authentication/bind issue.  For that, when asked to bind anonymously, you
>> should answer *false* and then set the Manager DN value to the DN of a
>> user with read access to the specified container in your Active Directory.
>>
>> I hope this helps,
>>
>> Rob
>>
>>
>> From: Darpan Patel <da...@gmail.com>
>> Reply-To: "user@ambari.apache.org" <us...@ambari.apache.org>
>> Date: Thursday, December 17, 2015 at 12:20 PM
>> To: "user@ambari.apache.org" <us...@ambari.apache.org>
>> Subject: Re: Need help in Ambari - Active Directory Integration
>>
>> Forgot to mention that logs show Naming Exception.
>> [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order
>> to perform this operation a successful bind must be completed on the
>> connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'
>>
>> 17 Dec 2015 16:36:08,801 FATAL [pool-7-thread-1]
>> AbstractRequestControlDirContextProcessor:186 - No matching response
>> control found for paged results - looking for 'class
>> javax.naming.ldap.PagedResultsResponseControl
>> 17 Dec 2015 16:36:08,802 ERROR [pool-7-thread-1]
>> LdapSyncEventResourceProvider:434 - Caught exception running LDAP sync.
>> *org.springframework.ldap.UncategorizedLdapException: Uncategorized
>> exception occured during LDAP processing; nested exception is
>> javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr:
>> DSID-0C0906E8, comment: In order to perform this operation a successful
>> bind must be completed on the connection., data 0, v1db1]; remaining name
>> 'CN=Users,DC=test,DC=com'*
>>         at
>> org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:217)
>>         at
>> org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:319)
>>         at
>> org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
>>         at
>> org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
>>         at
>> org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:549)
>>
>>
>> On 17 December 2015 at 17:19, Darpan Patel <da...@gmail.com> wrote:
>>
>>> Hi guys,
>>>
>>> I am trying to integrate A/D 2012 Server with Ambari.
>>> I have doubt that some of the properties are not correct.
>>> I have tried various permutation combinations but not successful yet.
>>> Could anyone review and help fixing it ?
>>>
>>> *Active directory domain controller* name is : TEST.COM
>>>
>>> On the console here are the values I am passing:
>>> *$ambari-server setup-ldap*
>>>
>>> Setting up LDAP properties...
>>> *Primary URL* {host:port}* :IP_OF_AD_SERVER:389
>>> *Use SSL* [true/false] *: false
>>> *User object class** :person
>>> *User name attribute** :sAMAccountName
>>> *Group object class* :*User
>>> *Group name attribute* : *User
>>> *Group member attribute* :*member
>>> *Distinguished name attribute* :*CN=Users,DC=test,DC=com
>>> *Base DN* :*CN=Users,DC=test,DC=com
>>> *Referral method [follow/ignore] :*ignore
>>> *Bind anonymously* [*true/false] :true
>>>
>>> ====================
>>> Review Settings
>>> ====================
>>> Save settings [y/n] (y)?y
>>> Saving...done
>>> Ambari Server 'setup-ldap' completed successfully.
>>>
>>>
>>> Regards,
>>> DP
>>>
>>
>>
>

Re: Need help in Ambari - Active Directory Integration

Posted by Robert Levas <rl...@hortonworks.com>.
Darpan…

The Manager DN request is expecting a distinguished name value, not a principal name.  A distinguished name would look something like CN=darpan,CN=Users,DC=test,DC=com, which may reference the same account as darpan@TEST.COM (which would be the userPrincipalName) or darpan (which would be sAMAccountName).

Rob


From: Darpan Patel <da...@gmail.com>
Reply-To: "user@ambari.apache.org" <us...@ambari.apache.org>
Date: Thursday, December 17, 2015 at 4:35 PM
To: "user@ambari.apache.org" <us...@ambari.apache.org>
Subject: Re: Need help in Ambari - Active Directory Integration

Many Thanks Robert.

I made the corresponding changes and set bind anonymously to false.  Thanks, the old issue is gone now. But still I am facing a strange issue. I am giving the Manager DN = darpan@TEST.COM and trying to synch all the users of AD but on the console I see :

Syncing all.ERROR: Exiting with exit code 1.
REASON: Sync event creation failed. Error details: HTTP Error 403: Bad credentials

(It is kind of strange because I just issued the valid TGT using kinit darpan@TEST.COM without any issues!!!!)

There is only one line in the logs:
17 Dec 2015 21:24:07,682  INFO [qtp-client-23] FilterBasedLdapUserSearch:89 - SearchBase not set. Searches will be performed from the root: cn=Users,dc=test,dc=com

Regards,
DP


On 17 December 2015 at 17:55, Robert Levas <rl...@hortonworks.com> wrote:
However, I don’t think that these changes will help with the authentication/bind issue.  For that, when asked to bind anonymously, you should answer false and then set the Manager DN value to the DN of a user with read access to the specified container in your Active Directory.

I hope this helps,

Rob


From: Darpan Patel <da...@gmail.com>
Reply-To: "user@ambari.apache.org" <us...@ambari.apache.org>
Date: Thursday, December 17, 2015 at 12:20 PM
To: "user@ambari.apache.org" <us...@ambari.apache.org>
Subject: Re: Need help in Ambari - Active Directory Integration

Forgot to mention that logs show Naming Exception.
[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'

17 Dec 2015 16:36:08,801 FATAL [pool-7-thread-1] AbstractRequestControlDirContextProcessor:186 - No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl
17 Dec 2015 16:36:08,802 ERROR [pool-7-thread-1] LdapSyncEventResourceProvider:434 - Caught exception running LDAP sync.
org.springframework.ldap.UncategorizedLdapException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'
        at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:217)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:319)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
        at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:549)


On 17 December 2015 at 17:19, Darpan Patel <da...@gmail.com> wrote:
Hi guys,

I am trying to integrate A/D 2012 Server with Ambari.
I have doubt that some of the properties are not correct.
I have tried various permutation combinations but not successful yet.  Could anyone review and help fixing it ?

Active directory domain controller name is : TEST.COM

On the console here are the values I am passing:
$ambari-server setup-ldap

Setting up LDAP properties...
Primary URL* {host:port} :IP_OF_AD_SERVER:389
Use SSL* [true/false] : false
User object class* :person
User name attribute* :sAMAccountName
Group object class* :User
Group name attribute* : User
Group member attribute* :member
Distinguished name attribute* :CN=Users,DC=test,DC=com
Base DN* :CN=Users,DC=test,DC=com
Referral method [follow/ignore] :ignore
Bind anonymously* [true/false] :true

====================
Review Settings
====================
Save settings [y/n] (y)?y
Saving...done
Ambari Server 'setup-ldap' completed successfully.


Regards,
DP



Re: Need help in Ambari - Active Directory Integration

Posted by Darpan Patel <da...@gmail.com>.
Many Thanks Robert.

I made the corresponding changes and set bind anonymously to false.
Thanks, the old issue is gone now. But still I am facing a strange issue. I am
giving the Manager DN = darpan@TEST.COM and trying to synch all the users
of AD but on the console I see :

*Syncing all.ERROR: Exiting with exit code 1.*
*REASON: Sync event creation failed. Error details: HTTP Error 403: Bad
credentials*

*(It is kind of strange because I just issued the valid TGT using kinit
darpan@TEST.COM without any issues!!!!)*

There is only one line in the logs:
17 Dec 2015 21:24:07,682  INFO [qtp-client-23] FilterBasedLdapUserSearch:89
- SearchBase not set. Searches will be performed from the root:
cn=Users,dc=test,dc=com

Regards,
DP


On 17 December 2015 at 17:55, Robert Levas <rl...@hortonworks.com> wrote:

> However, I don’t think that these changes will help with the
> authentication/bind issue.  For that, when asked to bind anonymously, you
> should answer *false* and then set the Manager DN value to the DN of a
> user with read access to the specified container in your Active Directory.
>
> I hope this helps,
>
> Rob
>
>
> From: Darpan Patel <da...@gmail.com>
> Reply-To: "user@ambari.apache.org" <us...@ambari.apache.org>
> Date: Thursday, December 17, 2015 at 12:20 PM
> To: "user@ambari.apache.org" <us...@ambari.apache.org>
> Subject: Re: Need help in Ambari - Active Directory Integration
>
> Forgot to mention that logs show Naming Exception.
> [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order
> to perform this operation a successful bind must be completed on the
> connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'
>
> 17 Dec 2015 16:36:08,801 FATAL [pool-7-thread-1]
> AbstractRequestControlDirContextProcessor:186 - No matching response
> control found for paged results - looking for 'class
> javax.naming.ldap.PagedResultsResponseControl
> 17 Dec 2015 16:36:08,802 ERROR [pool-7-thread-1]
> LdapSyncEventResourceProvider:434 - Caught exception running LDAP sync.
> *org.springframework.ldap.UncategorizedLdapException: Uncategorized
> exception occured during LDAP processing; nested exception is
> javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr:
> DSID-0C0906E8, comment: In order to perform this operation a successful
> bind must be completed on the connection., data 0, v1db1]; remaining name
> 'CN=Users,DC=test,DC=com'*
>         at
> org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:217)
>         at
> org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:319)
>         at
> org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
>         at
> org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
>         at
> org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:549)
>
>
> On 17 December 2015 at 17:19, Darpan Patel <da...@gmail.com> wrote:
>
>> Hi guys,
>>
>> I am trying to integrate A/D 2012 Server with Ambari.
>> I have doubt that some of the properties are not correct.
>> I have tried various permutation combinations but not successful yet.
>> Could anyone review and help fixing it ?
>>
>> *Active directory domain controller* name is : TEST.COM
>>
>> On the console here are the values I am passing:
>> *$ambari-server setup-ldap*
>>
>> Setting up LDAP properties...
>> *Primary URL* {host:port}* :IP_OF_AD_SERVER:389
>> *Use SSL* [true/false] *: false
>> *User object class** :person
>> *User name attribute** :sAMAccountName
>> *Group object class* :*User
>> *Group name attribute* : *User
>> *Group member attribute* :*member
>> *Distinguished name attribute* :*CN=Users,DC=test,DC=com
>> *Base DN* :*CN=Users,DC=test,DC=com
>> *Referral method [follow/ignore] :*ignore
>> *Bind anonymously* [*true/false] :true
>>
>> ====================
>> Review Settings
>> ====================
>> Save settings [y/n] (y)?y
>> Saving...done
>> Ambari Server 'setup-ldap' completed successfully.
>>
>>
>> Regards,
>> DP
>>
>
>

Re: Need help in Ambari - Active Directory Integration

Posted by Robert Levas <rl...@hortonworks.com>.
Hey Darpan…

Try changing the following properties:

Distinguished name attribute* : distinguishedName
Group object class* : group
Group name attribute* : cn

However, I don’t think that these changes will help with the authentication/bind issue.  For that, when asked to bind anonymously, you should answer false and then set the Manager DN value to the DN of a user with read access to the specified container in your Active Directory.

I hope this helps,

Rob


From: Darpan Patel <da...@gmail.com>
Reply-To: "user@ambari.apache.org" <us...@ambari.apache.org>
Date: Thursday, December 17, 2015 at 12:20 PM
To: "user@ambari.apache.org" <us...@ambari.apache.org>
Subject: Re: Need help in Ambari - Active Directory Integration

Forgot to mention that logs show Naming Exception.
[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'

17 Dec 2015 16:36:08,801 FATAL [pool-7-thread-1] AbstractRequestControlDirContextProcessor:186 - No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl
17 Dec 2015 16:36:08,802 ERROR [pool-7-thread-1] LdapSyncEventResourceProvider:434 - Caught exception running LDAP sync.
org.springframework.ldap.UncategorizedLdapException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'
        at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:217)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:319)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
        at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:549)


On 17 December 2015 at 17:19, Darpan Patel <da...@gmail.com> wrote:
Hi guys,

I am trying to integrate A/D 2012 Server with Ambari.
I have doubt that some of the properties are not correct.
I have tried various permutation combinations but not successful yet.  Could anyone review and help fixing it ?

Active directory domain controller name is : TEST.COM

On the console here are the values I am passing:
$ambari-server setup-ldap

Setting up LDAP properties...
Primary URL* {host:port} :IP_OF_AD_SERVER:389
Use SSL* [true/false] : false
User object class* :person
User name attribute* :sAMAccountName
Group object class* :User
Group name attribute* : User
Group member attribute* :member
Distinguished name attribute* :CN=Users,DC=test,DC=com
Base DN* :CN=Users,DC=test,DC=com
Referral method [follow/ignore] :ignore
Bind anonymously* [true/false] :true

====================
Review Settings
====================
Save settings [y/n] (y)?y
Saving...done
Ambari Server 'setup-ldap' completed successfully.


Regards,
DP


Re: Need help in Ambari - Active Directory Integration

Posted by Darpan Patel <da...@gmail.com>.
Forgot to mention that the logs show a Naming Exception.
[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'

17 Dec 2015 16:36:08,801 FATAL [pool-7-thread-1] AbstractRequestControlDirContextProcessor:186 - No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl
17 Dec 2015 16:36:08,802 ERROR [pool-7-thread-1] LdapSyncEventResourceProvider:434 - Caught exception running LDAP sync.
org.springframework.ldap.UncategorizedLdapException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'
        at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:217)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:319)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
        at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:549)


On 17 December 2015 at 17:19, Darpan Patel <da...@gmail.com> wrote:

> Hi guys,
>
> I am trying to integrate A/D 2012 Server with Ambari.
> I have doubt that some of the properties are not correct.
> I am tried various permutation combinations but not successful yet.  Could
> anyone review and help fixing it ?
>
> *Active directory domain controller* name is : TEST.COM
>
> On the console here are the values I am passing:
> *$ambari-server setup-ldap*
>
> Setting up LDAP properties...
> *Primary URL* {host:port}* :IP_OF_AD_SERVER:389
> *Use SSL* [true/false] *: false
> *User object class** :person
> *User name attribute** :sAMAccountName
> *Group object class* :*User
> *Group name attribute* : *User
> *Group member attribute* :*member
> *Distinguished name attribute* :*CN=Users,DC=test,DC=com
> *Base DN* :*CN=Users,DC=test,DC=com
> *Referral method [follow/ignore] :*ignore
> *Bind anonymously* [*true/false] :true
>
> ====================
> Review Settings
> ====================
> Save settings [y/n] (y)?y
> Saving...done
> Ambari Server 'setup-ldap' completed successfully.
>
>
> Regards,
> DP
>
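Editor's note: the following is an added example, not code from this thread or from the Ambari project. It does two things a practitioner would want at this point in the thread: it parses the Active Directory result string that Ambari's Spring LDAP exception carries (the "[LDAP: error code N - XXXXXXXX: LdapErr: DSID-..., comment: ..., data D, vNNNN]" shape quoted above) and explains the code, and it reviews the setup-ldap values posted above against what an AD domain controller expects. Assumptions: the log lines are constructed to match the excerpt in the thread (the result-49 line is invented to show the bind-failure shape, it is not from the thread); the ambari.properties key names (authentication.ldap.bindAnonymously, useSSL, groupObjectClass, groupNamingAttr, dnAttribute, and so on) are assumed from the authentication.ldap.managerDn key quoted earlier and should be verified against your Ambari version. The one fact the page itself states is the important one: AD returned 000004DC because a search was attempted on a connection that had not completed a bind, which is what "Bind anonymously: true" produces.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log, modelled on the Ambari server log excerpt quoted in
# this thread. The result-49 line is invented to show AD's bind-failure shape.
SAMPLE_LOG = (
    "17 Dec 2015 16:36:08,802 ERROR [pool-7-thread-1] "
    "LdapSyncEventResourceProvider:434 - Caught exception running LDAP sync.\n"
    "org.springframework.ldap.UncategorizedLdapException: Uncategorized exception "
    "occured during LDAP processing; nested exception is javax.naming.NamingException: "
    "[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to "
    "perform this operation a successful bind must be completed on the connection., "
    "data 0, v1db1]; remaining name 'CN=Users,DC=test,DC=com'\n"
    "18 Dec 2015 09:00:00,000 ERROR [pool-7-thread-1] "
    "LdapSyncEventResourceProvider:434 - Caught exception running LDAP sync.\n"
    "org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - "
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, "
    "data 52e, v1db1]\n"
)

# Shape of the diagnostic string an AD domain controller appends to LDAP results:
#   [LDAP: error code N - XXXXXXXX: LdapErr: DSID-..., comment: ..., data D, vNNNN]
AD_ERR_RE = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<win32>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>.*?), "
    r"data (?P<data>[0-9A-Fa-f]+), v[0-9A-Fa-f]+\]"
)

# AD "data" sub-codes that accompany result 49 (invalidCredentials) on a bind.
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def diagnose_ad_error(text: str) -> Optional[Dict[str, str]]:
    """Parse the first AD LDAP result string in `text` and attach advice."""
    m = AD_ERR_RE.search(text)
    if not m:
        return None
    info = m.groupdict()
    code, data = int(info["code"]), info["data"].lower()
    if code == 1 and info["win32"].upper() == "000004DC":
        # Win32 1244 ERROR_NOT_AUTHENTICATED: AD will not let an unauthenticated
        # connection search the directory; a simple bind must happen first.
        info["advice"] = ("operationsError: search attempted before a successful bind; "
                          "set bindAnonymously=false and supply managerDn/managerPassword")
    elif code == 49:
        info["advice"] = "invalidCredentials: " + AD_BIND_DATA.get(data, f"unknown data {data}")
    else:
        info["advice"] = f"LDAP result {code}; see comment"
    return info


def diagnose_log(log: str) -> List[Dict[str, str]]:
    """Run the parser over every log line and keep the ones that carry an AD result."""
    return [d for d in (diagnose_ad_error(line) for line in log.splitlines()) if d]


# The values posted in this thread, keyed by the assumed ambari.properties names.
THREAD_SETTINGS = {
    "authentication.ldap.primaryUrl": "IP_OF_AD_SERVER:389",
    "authentication.ldap.useSSL": "false",
    "authentication.ldap.userObjectClass": "person",
    "authentication.ldap.usernameAttribute": "sAMAccountName",
    "authentication.ldap.groupObjectClass": "User",
    "authentication.ldap.groupNamingAttr": "User",
    "authentication.ldap.groupMembershipAttr": "member",
    "authentication.ldap.dnAttribute": "CN=Users,DC=test,DC=com",
    "authentication.ldap.baseDn": "CN=Users,DC=test,DC=com",
    "authentication.ldap.referral": "ignore",
    "authentication.ldap.bindAnonymously": "true",
}


def check_ambari_ldap(props: Dict[str, str]) -> List[str]:
    """Return findings for an AD-backed Ambari LDAP configuration."""
    p = {k.replace("authentication.ldap.", ""): v.strip() for k, v in props.items()}
    findings = []
    if p.get("bindAnonymously", "false").lower() == "true":
        findings.append("bindAnonymously=true: AD rejects unauthenticated searches "
                        "(error 1 / 000004DC); set it to false and configure managerDn")
    elif not p.get("managerDn") or not p.get("managerPassword"):
        findings.append("managerDn/managerPassword missing: a bound service account is required")
    if p.get("useSSL", "false").lower() != "true":
        findings.append("useSSL=false: the manager password and synced user data travel in "
                        "cleartext on port 389; use LDAPS (port 636) and trust the DC's CA")
    if p.get("groupObjectClass", "").lower() != "group":
        findings.append(f"groupObjectClass={p.get('groupObjectClass')!r}: AD groups are objectClass 'group'")
    if p.get("groupNamingAttr", "").lower() != "cn":
        findings.append(f"groupNamingAttr={p.get('groupNamingAttr')!r}: AD group names are in 'cn'")
    dn_attr = p.get("dnAttribute", "")
    if "=" in dn_attr or "," in dn_attr:
        findings.append(f"dnAttribute={dn_attr!r} is a DN, not an attribute name; use 'distinguishedName'")
    if p.get("userObjectClass", "").lower() == "person":
        findings.append("userObjectClass=person also matches contacts and computers; "
                        "AD accounts are objectClass 'user'")
    return findings


if __name__ == "__main__":
    for hit in diagnose_log(SAMPLE_LOG):
        print(f"code {hit['code']} ({hit['win32']}, data {hit['data']}): {hit['advice']}")
    for finding in check_ambari_ldap(THREAD_SETTINGS):
        print("-", finding)
```

The two bind errors are worth telling apart before changing anything else: result 1 with 000004DC, as in this thread, means no bind was attempted at all (anonymous), while result 49 means a bind was attempted with a manager DN and AD rejected it, with the data sub-code saying why. Once the bind is fixed, the remaining finding that matters most is useSSL=false: with a plain port-389 simple bind the service account password crosses the network in cleartext on every sync.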