3. Optional: Set Up LDAP or Active Directory Authentication

By default Ambari uses an internal database as the user store for authentication and authorization. If you want to add LDAP or Active Directory (AD) external authentication in addition for Ambari Web, you need to collect the following information and run a special setup command. Ambari Server must not be running when you execute this command. An LDAP client must be installed on the Ambari Server host.

[Important]Important

Ambari Server should not be running when you do this: either make the edits before you start Ambari Server the first time or bring the server down to make the edits.

  1. The following table details the properties and values you need to know to set up LDAP authentication.

    [Note]Note

    If you are going to set bindAnonymously to false (the default), you need to make sure you have an LDAP Manager name and password set up. If you are going to use SSL, you need to make sure you have already set up your certificate and keys.

     

    Table I.2.2. Ambari Server LDAP Properties

    PropertyValuesDescription
    authentication.ldap.primaryUrlserver:port

    The hostname and port for the LDAP or AD server.

    Example: my.ldap.server:389

    authentication.ldap.secondaryUrlserver:port

    The hostname and port for the secondary LDAP or AD server.

    Example: my.secondary.ldap.server:389

    This is an optional value.

    authentication.ldap.useSSLtrue or false If true, use SSL when connecting to the LDAP or AD server.
    authentication.ldap. usernameAttribute[LDAP attribute]

    The attribute for username

    Example: uid

    authentication.ldap.baseDn[Distinguished Name]

    The root Distinguished Name to search in the directory for users.

    Example:

    ou=people,dc=hadoop,dc=apache,dc=org

    authentication.ldap. bindAnonymouslytrue or falseIf true, bind to the LDAP or AD server anonymously
    authentication.ldap.managerDn[Full Distinguished Name]

    If Bind anonymous is set to false, the Distinguished Name (“DN”) for the manager.

    Example:

    uid=hdfs,ou=people,dc=hadoop,dc=apache,dc=org

    authentication.ldap. managerPassword[password] If Bind anonymous is set to false, the password for the manager

  2. Run the LDAP setup command and answer the prompts with the information you collected above:

    ambari-setup setup-ldap
    1. At the Primary URL* prompt, enter the server URL and port you collected above. Prompts marked with an asterisk are required values.

    2. At the Secondary URL prompt, enter the secondary server URL and port. This is optional value.

    3. At the Use SSL* prompt, enter your selection.

    4. At the User name attribute* prompt, enter your selection. The default value is uid.

    5. At the Base DN* prompt, enter your selection.

    6. At the Bind anonymously* prompt, enter your selection.

    7. At the Manager DN* prompt, enter your selection if you have have set bind.Anonymously to false.

    8. At the Enter the Manager Password* , enter the password for your LDAP manager.

    9. Review your settings and if they are correct, select y.

    10. Start or restart the Server

      ambari-server restart

Initially the users you have enabled all have Ambari User privileges. Ambari Users can read metrics, view service status and configuration, and browse job information. For these new users to be able to start or stop services, modify configurations, and run smoke tests, they need to be Admins. To make this change, use Ambari Web Admin -> Users -> Edit.


loading table of contents...