Configuring Ambari Authentication with LDAP/Active Directory

In a Big Data Service cluster, Ambari is used to manage the cluster. By default, a Big Data Service cluster has only one administrator account that can manage the cluster. Integrating Ambari with Active Directory (AD) lets AD users sign in to Ambari with their directory credentials and perform cluster management operations, so access can be granted and revoked centrally instead of sharing the single administrator account.

Configuring Ambari to Authenticate External Users

  1. On the un0 node, run:
    sudo ambari-server setup-ldap
  2. Respond to each prompt with the following information. Prompts marked with an asterisk (*) are required.

    Prompt: value, followed by notes where needed

    Please select the type of LDAP you want to use*: AD
    Primary URL Host*: <AD_FQDN>, the fully qualified name of the domain controller.
    Primary URL Port*: 636 for LDAPS (recommended; the bind password and every lookup are then encrypted in transit). Unencrypted LDAP uses 389.
    Secondary URL Host: press Enter to leave empty.
    Secondary URL Port: press Enter to leave empty.
    Use SSL*: true when using LDAPS on port 636.
    Do you want to provide custom TrustStore for Ambari [y/n]: n. For a Big Data Service cluster the default truststore is used. Ambari then reports the truststore that is already configured (ssl.trustStore.type = jks, ssl.trustStore.path = /etc/security/serverKeys/truststore.jks, ssl.trustStore.password = ${alias=ambari.ssl.trustStore.password}) and asks "Do you want to remove these properties [y/n]?": enter n. If you added the LDAPS URL of AD to bds-cert.conf and ran sudo bds_cert_util --enable from the mn0 node, this jks file already contains the AD LDAPS certificate; confirm that before continuing, because without it the TLS handshake to AD fails.
    TrustStore type: not asked if you kept the default properties. Otherwise jks.
    Path to TrustStore: not asked if you kept the default properties. Otherwise /etc/security/serverKeys/truststore.jks.
    Password for TrustStore: not asked if you kept the default properties. If needed, run sudo bash /home/opc/cloud/flask-microservice/cert_util/scripts/get_pass_mn0.sh to retrieve it.
    User object class*: person. The AD default offered by the prompt, user, also matches AD user accounts (the example below accepts it).
    User name attribute*: sAMAccountName
    Group object class*: group
    Group name attribute*: cn
    Group member attribute*: member
    Distinguished name attribute*: distinguishedName
    Search Base*: <AD_SEARCH_BASE>. Keep it as narrow as the users and groups you intend to import.
    Referral method*: ignore
    Bind anonymously*: false
    Bind DN*: <AD_BIND_USER_DN>, the distinguished name of the account Ambari binds as. Use a dedicated service account with read-only access to the user and group objects; it needs no administrative rights. To look up the DN, run dsquery user -name BIND_USER_NAME in Windows PowerShell on the AD server.
    Bind DN Password*: <AD_BIND_USER_PWD>. It is shown masked in the review step.
    Handling behavior for username collisions*: convert (recommended)
    Force lower-case user names: true (recommended)
    Results from LDAP are paginated when requested: false (recommended)
    Disable endpoint identification during SSL handshake: true (recommended by this guide). Ambari still validates the AD certificate chain against the truststore, but does not check that the certificate name matches <AD_FQDN>. If the certificate carries the FQDN in its Subject Alternative Name, set false for full verification.

    For Example:

    [opc@opowerun0-0 ~]$ sudo ambari-server setup-ldap
    Using python  /usr/bin/python
    Currently 'no auth method' is configured, do you wish to use LDAP instead [y/n] (y)? y
    Enter Ambari Admin login: admin
    Enter Ambari Admin password:
     
    Fetching LDAP configuration from DB. No configuration.
    Please select the type of LDAP you want to use [AD/IPA/Generic](Generic):AD
    Primary LDAP Host: <PRIMARY_LDAP_HOST>
    Primary LDAP Port: 636
    Secondary LDAP Host <Optional>:
    Secondary LDAP Port <Optional>:
    Use SSL [true/false] (false): true
    Disable endpoint identification during SSL handshake [true/false] (False): true
    Do you want to provide custom TrustStore for Ambari [y/n] (y)?n
    The TrustStore is already configured:
      ssl.trustStore.type = jks
      ssl.trustStore.path = /etc/security/serverKeys/truststore.jks
      ssl.trustStore.password = ${alias=ambari.ssl.trustStore.password}
    Do you want to remove these properties [y/n] (y)? n
    User object class (user):
    User ID attribute (sAMAccountName):
    Group object class (group):
    Group name attribute (cn):
    Group member attribute (member):
    Distinguished name attribute (distinguishedName):
    Search Base (dc=ambari,dc=apache,dc=org): cn=Users,dc=ad,dc=domain,dc=com
    Referral method [follow/ignore] (follow): ignore
    Bind anonymously [true/false] (false):
    Bind DN (cn=ldapbind,dc=ambari,dc=apache,dc=org): <AD_BIND_USER_DN>
    Enter Bind DN Password:
    Confirm Bind DN Password:
    Handling behavior for username collisions [convert/skip] for LDAP sync (skip): convert
    Force lower-case user names [true/false]:true
    Results from LDAP are paginated when requested [true/false]:false
    ====================
    Review Settings
    ====================
    Primary LDAP Host:  <PRIMARY_LDAP_HOST>
    Primary LDAP Port:  636
    Use SSL [true/false] (false):  true
    User object class (user):  user
    User ID attribute (sAMAccountName):  sAMAccountName
    Group object class (group):  group
    Group name attribute (cn):  cn
    Group member attribute (member):  member
    Distinguished name attribute (distinguishedName):  distinguishedName
    Search Base (dc=ambari,dc=apache,dc=org):  cn=Users,dc=ad,dc=domain,dc=com
    Bind anonymously [true/false] (false):  false
    Handling behavior for username collisions [convert/skip] for LDAP sync (skip):  convert
    Force lower-case user names [true/false]: true
    Results from LDAP are paginated when requested [true/false]: false
    ambari.ldap.connectivity.bind_dn: <AMBARI_LDAP_CONNECTIVITY_BIND_DN>
    ambari.ldap.connectivity.bind_password: *****
    ambari.ldap.advanced.disable_endpoint_identification: true
    Save settings [y/n] (y)? y
    Saving LDAP properties...
    Saving LDAP properties finished
    Ambari Server 'setup-ldap' completed successfully.
  3. Prepare the lists of Active Directory groups and users that are allowed to synchronize into Ambari. Only the accounts in these lists become Ambari users, which keeps the imported set small and reviewable.
  4. (Optional) To grant Ambari access to the members of AD groups, write the group names to a CSV file and sync them:
    echo "g1,g2,g3" > groups.csv
    sudo ambari-server sync-ldap --groups=$(pwd)/groups.csv
    
  5. (Optional) To grant access to an explicit list of AD users, write the user names (lower case, matching the setup choice above) to a CSV file and sync them:
    echo "u1,u2,u3" > users.csv
    sudo ambari-server sync-ldap --users=$(pwd)/users.csv
    
    The sync prompts for the Ambari administrator credentials and talks to the running Ambari server; if it reports that LDAP is not yet configured, restart the server (step 6) and run the sync again. Avoid --all, which imports every user and group under the search base.
  6. Restart the Ambari server.

    For Example:

    [opc@opower2un0 ambari-server]$ sudo ambari-server restart
    Using python  /usr/bin/python
    Restarting ambari-server
    Waiting for server stop...
    Ambari Server stopped
    Ambari Server running with administrator privileges.
    Organizing resource files at /var/lib/ambari-server/resources...
    Ambari database consistency check started...
    Server PID at: /var/run/ambari-server/ambari-server.pid
    Server out at: /var/log/ambari-server/ambari-server.out
    Server log at: /var/log/ambari-server/ambari-server.log
    Waiting for server start...............
    Server started listening on 7183
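
    As an added example (not part of the Big Data Service documentation or the Ambari project), the following script gathers steps 3 to 5 into one place: it normalizes the group and user lists the way the setup above tells Ambari to treat names (whitespace trimmed, user names lower-cased, duplicates dropped), writes groups.csv and users.csv, and calls sync-ldap only for the lists that actually hold entries. The function names (normalize_names, write_sync_list, list_has_entries, run_sync), the file names and the sample names g-bds-admins, g-bds-operators, Alice and BOB are assumptions for illustration; ambari-server sync-ldap with --groups and --users are the real commands from the steps above.

```bash
#!/usr/bin/env bash
# Added example (not from the Big Data Service docs or Ambari): build the CSV
# lists consumed by `ambari-server sync-ldap` and run the sync only for the
# lists that are non-empty. Function and file names are illustrative assumptions.
set -e

# normalize_names MODE  (stdin: names, one per line or comma-separated)
# Prints one comma-separated line: whitespace trimmed, blank entries dropped,
# duplicates removed (first occurrence wins). MODE "lower" folds case, matching
# "Force lower-case user names: true" chosen during setup-ldap; any other MODE
# keeps case, which is what you want for AD group cn values.
normalize_names() {
  local mode="${1:-keep}"
  tr ',' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | { if [ "$mode" = lower ]; then tr '[:upper:]' '[:lower:]'; else cat; fi; } \
    | awk 'NF && !seen[$0]++' \
    | paste -sd, -
}

# write_sync_list FILE MODE  (stdin: names)
# Writes the normalized line to FILE and prints how many entries it holds;
# 0 means the list is empty and the matching sync flag should be skipped.
write_sync_list() {
  local file="$1" mode="$2" line
  line="$(normalize_names "$mode")"
  printf '%s\n' "$line" > "$file"
  if [ -z "$line" ]; then
    echo 0
  else
    printf '%s\n' "$line" | tr ',' '\n' | wc -l | tr -d ' '
  fi
}

# list_has_entries FILE : succeeds if FILE exists and is not just whitespace.
list_has_entries() {
  [ -f "$1" ] && [ -n "$(tr -d '[:space:]' < "$1")" ]
}

# run_sync GROUPS_FILE USERS_FILE
# Passes only the non-empty lists to sync-ldap. Deliberately never uses
# --all, which would import every object under the search base. sync-ldap
# prompts for the Ambari admin credentials and needs the Ambari server to be
# running with the LDAP settings loaded (restart it after setup-ldap first).
run_sync() {
  local groups_file="$1" users_file="$2" opts=""
  if list_has_entries "$groups_file"; then opts="$opts --groups=$groups_file"; fi
  if list_has_entries "$users_file";  then opts="$opts --users=$users_file";   fi
  if [ -z "$opts" ]; then
    echo "nothing to sync: both lists are empty" >&2
    return 1
  fi
  # $opts is intentionally unquoted so each flag becomes its own argument.
  sudo ambari-server sync-ldap $opts
}

# Example run with constructed sample names; paths are absolute as in the
# steps above. Invoke as:  bash ambari-ldap-sync.sh --run
if [ "${1:-}" = "--run" ]; then
  groups_csv="$(pwd)/groups.csv"
  users_csv="$(pwd)/users.csv"
  printf 'g-bds-admins, g-bds-operators\n' | write_sync_list "$groups_csv" keep  >/dev/null
  printf 'Alice\nBOB\nalice\n'             | write_sync_list "$users_csv"  lower >/dev/null
  run_sync "$groups_csv" "$users_csv"
fi
```

    Group names are kept in their original case because AD group cn values are matched as stored, while user names are folded to lower case so the CSV agrees with what Ambari will create after the sync. Running the sync through run_sync rather than by hand also guards against accidentally passing an empty list or reaching for --all.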

Configuring Access for Active Directory Users Through Ambari UI

  1. Sign in to Apache Ambari with the administrator user name and password.
  2. Click the username button and select Manage Ambari.
  3. Click Users.
  4. Verify that the synchronized AD users and groups are listed.
  5. In the filter, enter Username: <username>, and then click Edit.
  6. Add the user to the appropriate group, granting administrator rights only to the accounts that must manage the cluster.
  7. Log the administrator out and sign in as the user you granted access to, to confirm the AD credentials are accepted.