Configuring Ambari Authentication with LDAP/AD

Configure Ambari to use LDAP/AD Server

By default, Ambari uses an internal database as the user store for authentication and authorization. You can configure LDAP or Active Directory (AD) external authentication.

  1. If the keystore directory does not exist, create it: mkdir /etc/ambari-server/keys.
  2. If you are using LDAPS, create the keystore file: $JAVA_HOME/bin/keytool -import -trustcacerts -alias root -file $PATH_TO_YOUR_LDAPS_CERT -keystore /etc/ambari-server/keys/ldaps-keystore.jks.
  3. When prompted, enter a password. You will use this during ambari-server setup-ldap.
  4. Run ambari-server setup-ldap and enter the following:
    Prompt                        | Description                                                                                          | Example Value
    Primary URL Host*             | The hostname for the LDAP/AD server.                                                                 | 54.123.456.789
    Primary URL Port              | The port for the LDAP/AD server.                                                                     | 389
    Secondary URL Host*           | The hostname for the secondary LDAP/AD server.                                                       | 55.123.456.789
    Secondary URL Port            | The port for the secondary LDAP/AD server.                                                           | 1039
    Use SSL*                      | True/False. If true, use SSL when connecting to the LDAP server. If you are using LDAPS, enter true. | true
    User object class*            | The object class that is used for users.                                                             | organizationalPerson
    User name attribute*          | The attribute for the username.                                                                      | uid
    Group object class*           | The object class that is used for groups.                                                            | groupOfUniqueNames
    Group name attribute*         | The attribute for the group name.                                                                    |
    Group member attribute*       | The attribute for group membership.                                                                  |
    Distinguished name attribute* | The attribute that is used for the distinguished name.                                               |
    Base DN*                      | The root Distinguished Name under which the directory is searched for users.                         | ou=people,dc=hadoop,dc=apache,dc=org
    Referral method*              | Enter follow or ignore to follow or ignore LDAP referrals.                                           | follow
    Bind anonymously*             | True/False. If true, bind to the LDAP or AD server anonymously.                                      | true
    Manager DN*                   | If Bind anonymously is set to false, the Distinguished Name (DN) for the manager account.            | uid=hdfs,ou=people,dc=hadoop,dc=apache,dc=org
    Enter the Manager Password*   | The password for your LDAP manager DN.                                                               | p@ssw0rd
    Prompts marked with an asterisk (*) are required values.
  5. If you set Use SSL* = true in step 4, the following prompt appears: Do you want to provide custom TrustStore for Ambari?
    • If you are using a self-signed certificate that you do not want imported to the existing JDK keystore, type y.

      This option is more secure: only Ambari trusts this certificate, and not any other application run by the JDK on the same host.

      When you select this option, enter:
      • At the TrustStore type prompt, enter jks.
      • At the Path to TrustStore file prompt, enter /keystore_directory/ldaps-keystore.jks.
      • At the Password for TrustStore prompt, type the password that you defined for the keystore.
    • If you are using a self-signed certificate that you want to import and store in the existing, default JDK keystore, type n.

      This option is less secure, because every application using that JDK will trust the certificate.

      When you select this option:
      • If necessary, convert the SSL certificate to X.509 format by executing the following command:

        openssl x509 -in slapd.pem -out slapd.crt

        where slapd.pem is the certificate you received from the LDAP server and slapd.crt is the path of the X.509 certificate to be written.

      • Import the SSL certificate to the existing keystore, such as the default jre certificates store, by typing the following command:

        /usr/jdk64/jdk1.7.0_45/bin/keytool -import -trustcacerts -file slapd.crt -keystore /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts

        This example assumes Ambari is set up to use JDK 1.7, so the certificate is imported into the cacerts keystore of that JDK. Use the path of the JDK that your Ambari server actually runs on.

  6. Review your settings and if they are correct, select y.
  7. Start or restart the Ambari server: ambari-server restart.

    The users you have just imported are initially granted the Ambari User privilege. Ambari Users can read metrics, view service status and configuration, and browse job information.

  8. For these new users to be able to start or stop services, modify configurations, and run smoke tests, they need to be Admins. To make this change, as an Ambari Admin, use Manage Ambari > Users > Edit. For instructions, see Managing Users and Groups.

Example Active Directory Configuration

Directory server implementations use specific object classes and attributes for storing identities. This example shows the values specific to Active Directory; only the prompts whose answers differ for Active Directory are listed.

Run ambari-server setup-ldap and provide the following information about your Domain:

Prompt                                 | Example AD Value
User object class* (posixAccount)      | user
User name attribute* (uid)             | sAMAccountName
Group object class* (posixGroup)       | group
Group member attribute* (memberUid)    | member
Distinguished name attribute* (dn)     | distinguishedName
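The following is an added example, not Ambari code, that models the answers given to ambari-server setup-ldap for both profiles on this page: the OpenLDAP-style values from the prompt table in the procedure above and the Active Directory attribute names from this table. It shows how the object class and name attribute combine into the user search filter the directory receives (with the login name escaped per RFC 4515, so a crafted login name cannot widen the search), and it flags prompt combinations a reviewer would want to look at before restarting the server, such as Use SSL on the plain LDAP port or an anonymous bind alongside a manager DN. The field names, the AD host, base DN and bind account are assumptions made for the example.

```python
"""Model setup-ldap answers, build the implied search filters, and flag risky combinations."""
from dataclasses import dataclass
from typing import List, Optional

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before embedding it in an LDAP search filter, so a login
    name such as 'a)(uid=*' stays a literal string instead of widening the search."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class LdapSetup:
    """Answers to the setup-ldap prompts. Field names are descriptive labels chosen
    for this example, not Ambari's own property keys."""
    primary_host: str
    primary_port: int
    use_ssl: bool
    user_object_class: str
    user_name_attribute: str
    group_object_class: str
    base_dn: str
    bind_anonymously: bool
    group_member_attribute: Optional[str] = None
    manager_dn: Optional[str] = None
    manager_password: Optional[str] = None

    def url(self) -> str:
        """LDAP URL implied by the host, port and Use SSL answers."""
        scheme = "ldaps" if self.use_ssl else "ldap"
        return f"{scheme}://{self.primary_host}:{self.primary_port}"

    def user_filter(self, login_name: str) -> str:
        """Filter selecting one user under base_dn by object class and name attribute."""
        return (f"(&(objectClass={self.user_object_class})"
                f"({self.user_name_attribute}={escape_filter_value(login_name)}))")

    def group_filter(self, user_dn: str) -> str:
        """Filter selecting the groups that list user_dn in the member attribute."""
        if not self.group_member_attribute:
            raise ValueError("group member attribute not configured")
        return (f"(&(objectClass={self.group_object_class})"
                f"({self.group_member_attribute}={escape_filter_value(user_dn)}))")

    def security_findings(self) -> List[str]:
        """Prompt combinations worth a second look before restarting ambari-server."""
        findings = []
        if not self.use_ssl:
            findings.append("Use SSL is false: the manager password and every user login cross the network unencrypted")
        elif self.primary_port == 389:
            findings.append("Use SSL is true on port 389: LDAPS is conventionally served on 636; confirm the server offers TLS on this port")
        if self.bind_anonymously and self.manager_dn:
            findings.append("Bind anonymously is true but a Manager DN is also given: only one of the two can apply")
        if not self.bind_anonymously and not (self.manager_dn and self.manager_password):
            findings.append("Bind anonymously is false but the Manager DN or its password is missing")
        return findings


# Profile 1: the OpenLDAP-style values from the setup-ldap prompt table above.
OPENLDAP_EXAMPLE = LdapSetup(
    primary_host="54.123.456.789", primary_port=389, use_ssl=True,
    user_object_class="organizationalPerson", user_name_attribute="uid",
    group_object_class="groupOfUniqueNames",
    base_dn="ou=people,dc=hadoop,dc=apache,dc=org",
    bind_anonymously=True,
    manager_dn="uid=hdfs,ou=people,dc=hadoop,dc=apache,dc=org",
    manager_password="p@ssw0rd",
)

# Profile 2: the Active Directory attribute names from the AD table above.
# Host, port, base DN and the bind account are constructed placeholders.
AD_EXAMPLE = LdapSetup(
    primary_host="dc01.example.test", primary_port=636, use_ssl=True,
    user_object_class="user", user_name_attribute="sAMAccountName",
    group_object_class="group", group_member_attribute="member",
    base_dn="dc=example,dc=test",
    bind_anonymously=False,
    manager_dn="cn=ambari-bind,cn=Users,dc=example,dc=test",
    manager_password="placeholder-password",
)

if __name__ == "__main__":
    for name, setup in (("OpenLDAP", OPENLDAP_EXAMPLE), ("AD", AD_EXAMPLE)):
        print(name, setup.url())
        print("  user filter for a crafted name:", setup.user_filter("a)(uid=*"))
        for finding in setup.security_findings():
            print("  WARNING:", finding)
```

Running the script prints the two URLs, the escaped user filters, and the warnings for the OpenLDAP profile; the AD profile, with LDAPS on 636 and a dedicated bind account, produces none. The escape function is the part to keep in mind when any component builds filters from user input: the directory only sees a literal login name if the parentheses and wildcard are encoded.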