Configure Ambari to use LDAP/AD Server
By default, Ambari uses an internal database as the user store for authentication and authorization. You can configure LDAP or Active Directory (AD) external authentication.
If the keystore directory does not exist, create it:
If you are using LDAPS, create the keystore file:
$JAVA_HOME/bin/keytool -import -trustcacerts -alias root -file $PATH_TO_YOUR_LDAPS_CERT -keystore /etc/ambari-server/keys/ldaps-keystore.jks
When prompted, enter a password. You will use this password during ambari-server setup-ldap.
Run ambari-server setup-ldap and enter the following:
Prompts marked with an asterisk (*) are required values.

| Prompt | Description | Example Value |
|---|---|---|
| Primary URL Host* | The hostname for the LDAP/AD server. | 54.123.456.789 |
| Primary URL Port | The port for the LDAP/AD server. | 389 |
| Secondary URL Host* | The secondary server URL for the LDAP/AD server. | 55.123.456.789 |
| Secondary URL Port | The secondary port for the LDAP/AD server. | 1039 |
| Use SSL* | If true, use SSL when connecting to the LDAP server. If you are using LDAPS, enter true. | |
| User object class* | The object class that is used for users. | organizationalPerson |
| User name attribute* | The attribute for username. | uid |
| Group object class* | The object class that is used for groups. | groupOfUniqueNames |
| Group name attribute* | The attribute for group name. | |
| Group member attribute* | The attribute for group membership. | |
| Distinguished name attribute* | The attribute that is used for the distinguished name. | |
| Base DN* | The root Distinguished Name to search in the directory for users. | ou=people,dc=hadoop,dc=apache,dc=org |
| Bind anonymously* | If true, bind to the LDAP or AD server anonymously. | |
| Manager DN* | If Bind anonymously is set to false, the Distinguished Name ("DN") for the manager. | uid=hdfs,ou=people,dc=hadoop,dc=apache,dc=org |
| Enter the Manager Password* | Enter the password for your LDAP manager DN. | p@ssw0rd |
If you set Use SSL* = true in step 3, the following prompt appears:
Do you want to provide custom TrustStore for Ambari?:
- If you are using a self-signed certificate that you do not want imported to the existing JDK keystore, type y.
  This option is more secure: for example, you want only Ambari to use this certificate, and not any other applications run by the JDK on the same host. When you select this option, enter:
  - At the TrustStore type prompt, enter jks.
  - At the Path to TrustStore file prompt, enter /keystore_directory/ldaps-keystore.jks.
  - At the Password for TrustStore prompt, type the password that you defined for the keystore.
- If you are using a self-signed certificate that you want to import and store in the existing, default JDK keystore, type n.
  This option is less secure. When you select this option:
  - If necessary, convert the SSL certificate to X.509 format by executing the following command:
    openssl x509 -in slapd.pem -out slapd.crt
    where slapd.crt is the path to the X.509 certificate.
  - Import the SSL certificate to the existing keystore, such as the default jre certificates store, by typing the following:
    /usr/jdk64/jdk1.7.0_45/bin/keytool -import -trustcacerts -file slapd.crt -keystore /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts
    where Ambari is set up to use JDK 1.7. Consequently, the certificate must be imported into the JDK 7 keystore.
Review your settings and if they are correct, select
Start or restart the Ambari server:
The users you have just imported are initially granted the Ambari User privilege. Ambari Users can read metrics, view service status and configuration, and browse job information. For these new users to be able to start or stop services, modify configurations, and run smoke tests, they need to be Admins. To make this change, as an Ambari Admin, use Manage Ambari > Users > Edit. For instructions, see Managing Users and Groups.
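Before typing answers into the setup-ldap prompts listed above and the TrustStore prompts that follow them, it helps to review them for the insecure combinations the procedure allows (cleartext bind, anonymous bind, malformed DNs). The pre-flight check below is an added example written for this page, not Ambari code; the prompt names are those from the table, while the checks, the URL builder and SAMPLE_ANSWERS are constructed here.

```python
"""Pre-flight review of the answers planned for `ambari-server setup-ldap`.
Added example, not Ambari code: prompt names come from the table above; the
checks, the URL builder and SAMPLE_ANSWERS are constructed for this page."""
import re

# Loose RFC 4514 shape: attr=value pairs joined by commas, no empty parts.
_DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,=]+(?:,[A-Za-z][\w-]*=[^,=]+)*$")
REQUIRED = ("Primary URL Host*", "User object class*", "User name attribute*",
            "Group object class*", "Group name attribute*",
            "Group member attribute*", "Distinguished name attribute*", "Base DN*")

# Constructed sample answers built from the example values in the table above.
SAMPLE_ANSWERS: dict[str, str] = {
    "Primary URL Host*": "54.123.456.789", "Primary URL Port": "636",
    "Use SSL*": "true", "TrustStore type": "jks",
    "Path to TrustStore file": "/keystore_directory/ldaps-keystore.jks",
    "User object class*": "organizationalPerson", "User name attribute*": "uid",
    "Group object class*": "groupOfUniqueNames", "Group name attribute*": "cn",
    "Group member attribute*": "uniqueMember", "Distinguished name attribute*": "dn",
    "Base DN*": "ou=people,dc=hadoop,dc=apache,dc=org", "Bind anonymously*": "false",
    "Manager DN*": "uid=hdfs,ou=people,dc=hadoop,dc=apache,dc=org",
}


def ldap_url(answers: dict[str, str], primary: bool = True) -> str:
    """Assemble the ldap:// or ldaps:// URL implied by the host/port/SSL answers."""
    use_ssl = answers.get("Use SSL*", "false").lower() == "true"
    which = "Primary" if primary else "Secondary"
    host = answers.get(f"{which} URL Host*", "")
    port = answers.get(f"{which} URL Port", "636" if use_ssl else "389")
    return f"{'ldaps' if use_ssl else 'ldap'}://{host}:{port}" if host else ""


def check_setup_ldap(answers: dict[str, str]) -> list[str]:
    """Return findings to resolve before typing the answers into setup-ldap."""
    findings = [f"missing required answer: {k}" for k in REQUIRED if not answers.get(k)]
    use_ssl = answers.get("Use SSL*", "false").lower() == "true"
    if not use_ssl:
        findings.append("Use SSL*=false: bind credentials cross the network in cleartext")
    if use_ssl and answers.get("Path to TrustStore file"):
        if answers.get("TrustStore type", "").lower() != "jks":
            findings.append("custom TrustStore must be of type jks")
    if answers.get("Bind anonymously*", "false").lower() == "true":
        findings.append("Bind anonymously*=true: searches run without a manager account")
    elif not _DN_RE.match(answers.get("Manager DN*", "")):
        findings.append("Manager DN* is not a well-formed distinguished name")
    if answers.get("Base DN*") and not _DN_RE.match(answers["Base DN*"]):
        findings.append("Base DN* is not a well-formed distinguished name")
    return findings
```

Running check_setup_ldap on SAMPLE_ANSWERS returns no findings; flipping Use SSL* to false or Bind anonymously* to true surfaces the corresponding risk before any password is entered.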
Example Active Directory Configuration
Directory Server implementations use specific object classes and attributes for storing identities. This example shows the values specific to Active Directory; only those properties that differ for Active Directory are listed.
Run ambari-server setup-ldap and provide the following information about your Domain:
Example AD Values
User object class* (posixAccount)
User name attribute* (uid)
Group object class* (posixGroup)
Group member attribute* (memberUid)
Distinguished name attribute* (dn)