By default Ambari uses an internal database as the user store for authentication and authorization. If you wish to add LDAP or Active Directory (AD) external authentication in addition for Ambari Web, you need to make some edits to the Ambari properties file.
Important | |
---|---|
Ambari Server should not be running when you do this: either make the edits before you start Ambari Server the first time or bring the server down to make the edits. |
On the Ambari Server host, open
/etc/ambari-server/conf/ambari.properties
with a text editor.Make the following edits:
Add the client security property and set it to "ldap". This is the setting for either LDAP or AD external authentication.
client.security=ldap
Add the following properties for the LDAP or AD server, including whether to use SSL, whether you can bind to the server anonymously or if you need to provide manager credentials, the base DN, and so forth.
Table 2.2. Ambari Server Properties
Property Values Description authentication.ldap.useSSL true or false If true, use SSL when connecting to the LDAP or AD server. authentication.ldap.primaryUrl server:port The hostname and port for the LDAP or AD server.
Example: my.ldap.server:389
authentication.ldap.secondaryUrl server:port The hostname and port for the secondary LDAP or AD server.
Example: my.secondary.ldap.server:389
authentication.ldap.baseDn [Distinguished Name] The root Distinguished Name to search in the directory for users.
Example:
ou=people,dc=hadoop,dc=apache,dc=org
authentication.ldap. bindAnonymously true or false If true, bind to the LDAP or AD server anonymously authentication.ldap.managerDn [Full Distinguished Name] If Bind anonymous is set to false, the Distinguished Name (“DN”) for the manager.
Example:
uid=hdfs,ou=people,dc=hadoop,dc=apache,dc=org
authentication.ldap. managerPassword [password] If Bind anonymous is set to false, the password for the manager authentication.ldap. usernameAttribute [LDAP attribute] The attribute for username
Example: uid
When you have made the necessary edits to the properties file, you can go on to start (or re-start) the server. Initially the users you have enabled will all have User privileges. Users can read metrics, view service status and configuration, and browse job information. For these new users to be able to start or stop services, modify configurations, and run smoke tests, they need to be Admins. To make this change, use the Ambari Web Admin View.