Configuring Ambari Authentication with LDAP/AD
Also available as:

Synchronize LDAP Users and Groups

After setting up your LDAP integration, you must synchronize LDAP users and groups with Ambari, using the .ambari-server sync-ldap [option] utility.

The ambari-server sync-ldap [option] utility provides three options for synchronization:
  • Specific set of users and groups
  • Synchronize the existing users and groups in Ambari with LDAP
  • All users and groups
Run ambari-server sync-ldap [option] and answer the prompts to initiate the sync.
--users users.txt --groups groups.txt

Specific Set of Users and Groups

Use this option to synchronize a specific set of users and groups from LDAP into Ambari. Provide the command a text file of comma-separated users and groups. The comma separated entries in each of these files should be based off of the values in LDAP of the attributes chosen during setup. The "User name attribute" should be used for the users.txt file, and the "Group name attribute" should be used for the groups.txt file. This command will find, import, and synchronize the matching LDAP entities with Ambari.


Existing users and groups

After you have performed a synchronization of a specific set of users and groups (above), you use this option to synchronize only those entities that are in Ambari with LDAP. Users will be removed from Ambari if they no longer exist in LDAP, and group membership in Ambari will be updated to match LDAP.


All users and groups

Only use this option if you are sure you want to synchronize all users and groups from LDAP into Ambari. If you only want to synchronize a subset of users and groups, use a specific set of users and groups option.

This will import all entities with matching LDAP user and group object classes into Ambari.

The users you have just imported are initially granted the Ambari User privilege. Ambari Users can read metrics, view service status and configuration, and browse job information. For these new users to be able to start or stop services, modify configurations, and run smoke tests, they must be Admins. To make this change, as an Ambari Admin, use Manage Ambari > Users > Edit. For instructions, see Modify access levels for users and groups.

Example output after synchronizing LDAP users and groups in Ambari.
[root@demo ~]# ambari-server sync-ldap --all
Using python  /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:

Fetching LDAP configuration from DB.
Syncing all...

Completed LDAP Sync.
    removed = 0
    created = 16
    skipped = 1
    removed = 0
    updated = 0
    created = 15
    updated = 0
    removed = 0
    created = 26

Ambari Server 'sync-ldap' completed successfully.

Review log files for failed synchronization attempts, at /var/log/ambari-server/ambari-server.log on the Ambari Server host.