Lars Francke created AMBARI-20870:
-------------------------------------
Summary: Change default template for AD user creation to avoid cn
attribute length violations (don't use principal_name)
Key: AMBARI-20870
URL: https://issues.apache.org/jira/browse/AMBARI-20870
Project: Ambari
Issue Type: Improvement
Components: ambari-server
Affects Versions: 2.5.0
Reporter: Lars Francke
Priority: Minor
Currently the default template used for the LDAP add command when creating new
principals in Active Directory uses the {{$principal_name}} variable for the
{{cn}} attribute.
That is not a good default as the {{cn}} attribute has a maximum length of 64
characters in AD which cannot be changed.
This seems like a long hostname but those are the internal defaults used by
Azure.
Ambari fails with error messages like this when it encounters this problem:
{quote}
[LDAP: error code 19 - 00002082: AtrErr: DSID-031519A3, #1:
0: 00002082: DSID-031519A3, problem 1005 (CONSTRAINT_ATT_TYPE), data 0,
Att 3 (cn):len 130
^@]; remaining name
'"cn=HTTP/hadoop-4.olqwyiw03eme1ddz0ehc2qhhdh.ax.internal.cloudapp.net,CN=Users,DC=AZURE,DC=OPENCORE,DC=COM"'
{quote}
Ambari could
* a) either warn when it detects a {{cn}} longer than 64 characters and suggest
using a different template
* or b) use a different default value for the cn. I propose a user-chosen
prefix plus something like the {{principal_digest}}
* c) something else I can't think of now.
I'm in favor of b). Yes, it can be done today when changing the template but
it's not obvious what the error is and changing the default could prevent this
whole issue from ever occurring.
The only downside is that it's not as easy as it was before to browse the users
in AD. One needs to do a search to find a specific user or manually click
through all of them.
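A pre-flight check covering options a) and b) from the issue above, as an added example that is not Ambari code and not part of the original report. The function names, the "hdp-" prefix, the realm on the sample principals and the use of SHA-1 hex as the digest are assumptions for illustration.

```python
import hashlib

AD_CN_MAX_CHARS = 64  # cn limit in AD, as stated in the issue

# Constructed sample input: the first host is the one from the error message,
# the realm is assumed from its DC components; the second is made up.
SAMPLE_PRINCIPALS = [
    "HTTP/hadoop-4.olqwyiw03eme1ddz0ehc2qhhdh.ax.internal.cloudapp.net@AZURE.OPENCORE.COM",
    "nn/master1.example.com@EXAMPLE.COM",
]


def cn_from_principal_name(principal):
    """Current default described in the issue: cn is the principal without the realm."""
    return principal.split("@", 1)[0]


def cn_from_digest(principal, prefix):
    """Option b): user-chosen prefix plus a fixed-length digest of the principal.

    SHA-1 hex (40 characters) is assumed here; it only serves as a stable,
    fixed-length name, not as an integrity check. The prefix may therefore
    be at most 64 - 40 = 24 characters long.
    """
    digest = hashlib.sha1(principal.encode("utf-8")).hexdigest()
    cn = prefix + digest
    if len(cn) > AD_CN_MAX_CHARS:
        raise ValueError("prefix too long: cn would be %d characters" % len(cn))
    return cn


def preflight(principals, prefix="hdp-"):
    """Option a): report every principal whose default cn exceeds the AD limit.

    Returns a list of (principal, cn, cn_length, suggested_cn) tuples.
    """
    findings = []
    for principal in principals:
        cn = cn_from_principal_name(principal)
        if len(cn) > AD_CN_MAX_CHARS:
            findings.append((principal, cn, len(cn), cn_from_digest(principal, prefix)))
    return findings


if __name__ == "__main__":
    for principal, cn, length, suggestion in preflight(SAMPLE_PRINCIPALS):
        print("cn too long (%d > %d): %s" % (length, AD_CN_MAX_CHARS, cn))
        print("  digest-based cn: %s" % suggestion)
```

The cn from the error message is 65 characters, one over the limit; the "len 130" in the AD error is twice that count, which is consistent with a length reported in 2-byte units.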