Posted to issues@ambari.apache.org by "Lars Francke (JIRA)" <ji...@apache.org> on 2017/04/27 12:37:04 UTC

[jira] [Created] (AMBARI-20870) Change default template for AD user creation to avoid cn attribute length violations (don't use principal_name)

Lars Francke created AMBARI-20870:
-------------------------------------

             Summary: Change default template for AD user creation to avoid cn attribute length violations (don't use principal_name)
                 Key: AMBARI-20870
                 URL: https://issues.apache.org/jira/browse/AMBARI-20870
             Project: Ambari
          Issue Type: Improvement
          Components: ambari-server
    Affects Versions: 2.5.0
            Reporter: Lars Francke
            Priority: Minor


Currently the default template used for the LDAP add command when creating new principals in Active Directory uses the {{$principal_name}} variable for the {{cn}} attribute.

That is not a good default as the {{cn}} attribute has a maximum length of 64 characters in AD which cannot be changed.

This seems like a long hostname but those are the internal defaults used by Azure.

Ambari fails with error messages like this when it encounters this problem:
{quote}
[LDAP: error code 19 - 00002082: AtrErr: DSID-031519A3, #1:
        0: 00002082: DSID-031519A3, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 3 (cn):len 130
^@]; remaining name '"cn=HTTP/hadoop-4.olqwyiw03eme1ddz0ehc2qhhdh.ax.internal.cloudapp.net,CN=Users,DC=AZURE,DC=OPENCORE,DC=COM"'
{quote}

Ambari could
* a) either warn when it detects a {{cn}} longer than 64 characters and suggest using a different template
* or b) use a different default value for the cn. I propose a user chosen prefix plus something like the {{principal_digest}}
* c) something else I can't think of now.

I'm in favor of b). Yes, it can be done today by changing the template, but it's not obvious what the error is, and changing the default could prevent this whole issue from ever occurring.

The only downside is that it's not as easy as it was before to browse the users in AD. One needs to do a search to find a specific user or manually click through all of them.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
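The two options discussed in the issue, shown side by side as an added example; this is not Ambari's own code. It assumes a simplified `$name` substitution syntax for the cn template, uses a hex SHA-1 as a hypothetical stand-in for the `$principal_digest` variable, and introduces a hypothetical `$prefix` variable for the user-chosen prefix the issue proposes. The sample principal name is the one from the error quoted above, with the realm omitted exactly as it appeared in the rejected cn.

```python
import hashlib
import re
from typing import Dict, Tuple

# Active Directory's hard limit on the cn attribute, as stated in the issue.
AD_CN_MAX_LEN = 64

# Constructed sample input: the principal name from the error quoted in the issue
# (realm omitted, exactly as it appeared in the rejected cn). It is 65 characters.
SAMPLE_PRINCIPAL_NAME = "HTTP/hadoop-4.olqwyiw03eme1ddz0ehc2qhhdh.ax.internal.cloudapp.net"


def principal_digest(principal_name: str) -> str:
    """Hypothetical stand-in for the $principal_digest variable named in the issue.
    A hex SHA-1 is assumed here purely for illustration; it is always 40 characters,
    so any prefix of up to 24 characters keeps the cn inside the AD limit."""
    return hashlib.sha1(principal_name.encode("utf-8")).hexdigest()


def render_cn(template: str, principal_name: str, prefix: str = "") -> str:
    """Expand a cn template. $principal_name and $principal_digest are the variable
    names used in the issue; $prefix is a hypothetical name for the 'user chosen
    prefix' it proposes. The $name substitution syntax is an assumption."""
    variables: Dict[str, str] = {
        "principal_name": principal_name,
        "principal_digest": principal_digest(principal_name),
        "prefix": prefix,
    }

    def lookup(match) -> str:
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"unknown template variable ${name}")
        return variables[name]

    return re.sub(r"\$(\w+)", lookup, template)


def check_cn_length(cn: str, max_len: int = AD_CN_MAX_LEN) -> Tuple[bool, str]:
    """Option a) from the issue: validate the rendered cn before the LDAP add so the
    operator gets a clear message instead of AD's opaque error code 19 afterwards."""
    if len(cn) <= max_len:
        return True, f"cn is {len(cn)} characters, within the AD limit of {max_len}"
    return False, (
        f"cn is {len(cn)} characters, over the AD limit of {max_len}; "
        "change the template to something like '$prefix$principal_digest'"
    )


def choose_cn(principal_name: str, prefix: str = "hdp-") -> str:
    """Option b) from the issue: the prefix-plus-digest default, which stays short
    regardless of hostname length. Raises if the prefix alone would overflow."""
    cn = render_cn("$prefix$principal_digest", principal_name, prefix)
    ok, message = check_cn_length(cn)
    if not ok:
        raise ValueError(message)
    return cn


if __name__ == "__main__":
    for template in ("$principal_name", "$prefix$principal_digest"):
        cn = render_cn(template, SAMPLE_PRINCIPAL_NAME, prefix="hdp-")
        ok, message = check_cn_length(cn)
        print(f"{'OK  ' if ok else 'FAIL'} {template!r:28} -> {message}")
```

Running it shows the `$principal_name` template producing a 65-character cn that fails the check, while `$prefix$principal_digest` produces a 44-character cn that passes for any hostname length; the length check is the piece that would turn AD's `CONSTRAINT_ATT_TYPE` failure into an actionable message before the add is attempted.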