Pivotal Knowledge Base

Ambari: local user is authenticated against LDAP

Environment

Product        Version
Pivotal HDP    3.x
OS             All supported
HDP            2.2.x, 2.3.x, 2.4.x

Symptom

When a local user (e.g. administrator) logs in, the login request is sent to the LDAP server. This is not expected because the user is local.

Error Message:

The following traces are found in the LDAP access log.

[2016-06-09 09:53:05.259] CONNECT conn=274712 from=xx.xx.xx.xx:59518 to=xx.xx.xx.xx:6362 protocol=LDAPS
[2016-06-09 09:53:05.259] BIND conn=274712 op=0 msgID=1 version=3 type=SIMPLE dn="uid=administrator,ou=people,dc=example,dc=com" result=0 authDN="uid=bounduser,ou=people,dc=example,dc=com" etime=147335
[2016-06-09 09:53:05.259] SEARCH conn=274712 op=1 msgID=2 base="ou=people,dc=example,dc=com" scope=sub filter="(&(member=uid=administrator,ou=people,dc=example,dc=com)(objectclass=group)(|(cn=Ambari Administrators)))" attrs="ALL" requestControls=2.16.840.1.113730.3.4.2 result=0 nentries=0 etime=102178
[2016-06-09 09:53:05.259] UNBIND conn=274712 op=2 msgID=3
[2016-06-09 09:53:05.259] DISCONNECT conn=274712 reason="Client Unbind"

Cause

The user "administrator" exists in both LDAP and Ambari. During user sync in Ambari, any local user that also has an account in LDAP is converted to an LDAP user; therefore, subsequent logins are performed against LDAP.

Resolution

Create a local user with a name that does not exist in the LDAP directory.
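
To check from the LDAP side whether accounts you expect to be local are being authenticated against the directory, the access log can be scanned for BIND operations on those names. The script below is an added example, not part of the original article: it parses the access-log format shown under "Error Message" and reports matching binds together with the client address from the same connection. The list of expected-local user names and the second sample connection (jdoe) are assumptions made for illustration.

```python
import re

# Constructed sample in the access-log format shown above; the second
# connection (jdoe) is invented to show a bind that should NOT be flagged.
SAMPLE_LOG = """\
[2016-06-09 09:53:05.259] CONNECT conn=274712 from=xx.xx.xx.xx:59518 to=xx.xx.xx.xx:6362 protocol=LDAPS
[2016-06-09 09:53:05.259] BIND conn=274712 op=0 msgID=1 version=3 type=SIMPLE dn="uid=administrator,ou=people,dc=example,dc=com" result=0 authDN="uid=bounduser,ou=people,dc=example,dc=com" etime=147335
[2016-06-09 09:53:05.259] UNBIND conn=274712 op=2 msgID=3
[2016-06-09 09:53:05.259] DISCONNECT conn=274712 reason="Client Unbind"
[2016-06-09 10:02:11.004] CONNECT conn=274713 from=xx.xx.xx.xx:59519 to=xx.xx.xx.xx:6362 protocol=LDAPS
[2016-06-09 10:02:11.050] BIND conn=274713 op=0 msgID=1 version=3 type=SIMPLE dn="uid=jdoe,ou=people,dc=example,dc=com" result=0 authDN="uid=bounduser,ou=people,dc=example,dc=com" etime=90112
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<op>[A-Z]+)\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted
UID_RE = re.compile(r"^uid=([^,]+)", re.IGNORECASE)

def parse_line(line):
    """Return (timestamp, operation, fields) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["rest"])}
    return m["ts"], m["op"], fields

def find_local_user_binds(log_text, local_users):
    """Flag BIND operations whose DN uid matches a name expected to be local."""
    expected_local = {u.lower() for u in local_users}
    clients, hits = {}, []  # clients: conn id -> client address seen on CONNECT
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, op, f = parsed
        if op == "CONNECT":
            clients[f.get("conn")] = f.get("from")
        elif op == "BIND":
            m = UID_RE.match(f.get("dn", ""))
            if m and m.group(1).lower() in expected_local:
                hits.append({"time": ts, "conn": f.get("conn"), "uid": m.group(1),
                             "client": clients.get(f.get("conn")),
                             "result": f.get("result")})
    return hits

if __name__ == "__main__":
    # Assumed list of accounts that are meant to stay local in Ambari.
    for hit in find_local_user_binds(SAMPLE_LOG, ["administrator", "admin"]):
        print(hit)
```

Any hit means the named account has been converted to an LDAP user by the sync and its password is now being checked by the directory rather than by Ambari.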
