[
https://issues.apache.org/jira/browse/AMBARI-9617?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jarosław Czarniak updated AMBARI-9617:
--------------------------------------
Affects Version/s: 2.1.2
> sync-ldap doesn't check all returned attributes
> -----------------------------------------------
>
> Key: AMBARI-9617
> URL: https://issues.apache.org/jira/browse/AMBARI-9617
> Project: Ambari
> Issue Type: Bug
> Components: ambari-admin
> Affects Versions: 1.7.0, 2.1.2
> Reporter: Jarosław Czarniak
>
> When I tried to sync our AD accounts with Ambari, I noticed that Ambari searches
> only for _authentication.ldap.usernameAttribute_ and _uid_ in the answer. That's
> quite all right if a standard answer contains these attributes.
> Here is our AD question and answer from Wireshark:
> {noformat}
> Filter: (&(objectClass=Person)(sAMAccountName=czarniak))
> {noformat}
> {noformat}
> Lightweight Directory Access Protocol
> LDAPMessage searchResEntry(2) "CN=Czarniak
> Jarosław,OU=Pracownicy,OU=wp-sa,DC=ad,DC=wp-sa,DC=pl" [1 result]
> messageID: 2
> protocolOp: searchResEntry (4)
> searchResEntry
> objectName: CN=Czarniak
> Jaros\357\277\275\357\277\275aw,OU=Pracownicy,OU=wp-sa,DC=ad,DC=wp-sa,DC=pl
> attributes: 110 items
> Response To: 7
> Time: 0.021746000 seconds
> {noformat}
> As you can see, the answer is "CN=Czarniak
> Jarosław,OU=Pracownicy,OU=wp-sa,DC=ad,DC=wp-sa,DC=pl" and there are 110
> attributes attached. _sAMAccountName_ is one of them:
> {noformat}
> PartialAttributeList item sAMAccountName
> type: sAMAccountName
> vals: 1 item
> AttributeValue: czarniak
> {noformat}
> As a result of ignoring the attached attributes array, Ambari skips that account
> (and any other account as well):
> {noformat}
> 16:48:38,270 WARN [pool-1-thread-9] AmbariLdapDataPopulator:560 - Ignoring
> LDAP user cn=Czarniak Jarosław,ou=Pracownicy,ou=wp-sa,dc=ad,dc=wp-sa,dc=pl as
> it doesn't have required attributes uid and sAMAccountName
> 16:50:24,556 INFO [qtp214227661-23] PersistKeyValueService:82 - Looking for
> keyName CLUSTER_CURRENT_STATUS
> 16:50:24,726 INFO [qtp214227661-22] PersistKeyValueService:82 - Looking for
> keyName CLUSTER_CURRENT_STATUS
> {noformat}
> I think Ambari must scan all provided attributes, not only the first, or make it
> possible to create some type of filters...
> My Ambari/LDAP configuration:
> {noformat}
> ====================
> Review Settings
> ====================
> authentication.ldap.primaryUrl: x.x.x.x:389
> authentication.ldap.secondaryUrl: y.y.y.y:389
> authentication.ldap.useSSL: false
> authentication.ldap.userObjectClass: Person
> authentication.ldap.usernameAttribute: sAMAccountName
> authentication.ldap.groupObjectClass: posixGroup
> authentication.ldap.groupNamingAttr: systemauth
> authentication.ldap.groupMembershipAttr: memberUid
> authentication.ldap.baseDn: OU=Pracownicy,OU=wp-sa,DC=ad,DC=wp-sa,DC=pl
> authentication.ldap.bindAnonymously: false
> authentication.ldap.managerDn:
> CN=XYZ,OU=Techniczne,OU=wp-sa,DC=ad,DC=wp-sa,DC=pl
> authentication.ldap.managerPassword: *****
> Save settings [y/n] (y)? y
> Saving...done
> {noformat}
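One way a sync step could scan every attribute returned for an entry when looking for the configured username attribute, as the report asks. This is an added example, not Ambari's code or part of the original report: the class and method names are hypothetical, the entry is constructed, and matching names without regard to case is an assumption based on LDAP attribute names being case-insensitive.

```java
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;
import java.util.Optional;

public class UsernameAttributeLookup {
    // Hypothetical helper: walks all returned attributes and returns the first
    // value of the one whose name matches 'wanted', ignoring case.
    static Optional<String> findUsername(Attributes returned, String wanted)
            throws NamingException {
        NamingEnumeration<? extends Attribute> all = returned.getAll();
        try {
            while (all.hasMore()) {
                Attribute attr = all.next();
                // Drop attribute options such as ";binary" before comparing.
                String id = attr.getID();
                int semi = id.indexOf(';');
                String name = semi >= 0 ? id.substring(0, semi) : id;
                if (name.equalsIgnoreCase(wanted) && attr.size() > 0) {
                    Object value = attr.get();
                    if (value instanceof String && !((String) value).isEmpty()) {
                        return Optional.of((String) value);
                    }
                }
            }
        } finally {
            all.close();
        }
        return Optional.empty();
    }

    public static void main(String[] args) throws NamingException {
        // Constructed entry; 'false' makes the container itself case-sensitive.
        Attributes entry = new BasicAttributes(false);
        entry.put("cn", "Czarniak");
        entry.put("objectClass", "Person");
        entry.put("sAMAccountName", "czarniak");

        // A direct lookup by a differently cased name, then the full scan.
        System.out.println(entry.get("samaccountname"));
        System.out.println(findUsername(entry, "samaccountname"));
        System.out.println(findUsername(entry, "uid"));
    }
}
```

An entry for which the scan returns an empty result for both the configured attribute and `uid` is the only case in which skipping the account would be justified.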