3. Optional: Set Up LDAP or Active Directory Authentication

By default Ambari uses an internal database as the user store for authentication and authorization. If you wish to add LDAP or Active Directory (AD) external authentication in addition for Ambari Web, you need to make some edits to the Ambari properties file.

[Important] Important

Ambari Server should not be running when you do this: either make the edits before you start Ambari Server the first time or bring the server down to make the edits.

  1. On the Ambari Server host, open /etc/ambari-server/conf/ambari.properties with a text editor.

  2. Make the following edits:

    1. Add the client security property and set it to "ldap". This is the setting for either LDAP or AD external authentication.

    2. Add the following properties for the LDAP or AD server, including whether to use SSL, whether you can bind to the server anonymously or if you need to provide manager credentials, the base DN, and so forth.


      Table 2.2. Ambari Server Properties

      Property Values Description
      authentication.ldap.useSSL true or false If true, use SSL when connecting to the LDAP or AD server.
      authentication.ldap.primaryUrl server:port

      The hostname and port for the LDAP or AD server.

      Example: my.ldap.server:389

      authentication.ldap.secondaryUrl server:port

      The hostname and port for the secondary LDAP or AD server.

      Example: my.secondary.ldap.server:389

      authentication.ldap.baseDn [Distinguished Name]

      The root Distinguished Name to search in the directory for users.



      authentication.ldap. bindAnonymously true or false If true, bind to the LDAP or AD server anonymously
      authentication.ldap.managerDn [Full Distinguished Name]

      If Bind anonymous is set to false, the Distinguished Name (“DN”) for the manager.



      authentication.ldap. managerPassword [password] If Bind anonymous is set to false, the password for the manager
      authentication.ldap. usernameAttribute [LDAP attribute]

      The attribute for username

      Example: uid

When you have made the necessary edits to the properties file, you can go on to start (or re-start) the server. Initially the users you have enabled will all have User privileges. Users can read metrics, view service status and configuration, and browse job information. For these new users to be able to start or stop services, modify configurations, and run smoke tests, they need to be Admins. To make this change, use the Ambari Web Admin View.

loading table of contents...