It appears that your groups do not have any members assigned. Since you used posixGroup as the class of your groups, you need to add a memberUid value to each group for each assignment. I am not sure how well Ambari handles this, and I think it does a better job with groups that are of the class groupOfUniqueNames, where the membership attributes are DNs stored in the uniqueMember property.
Try ldapsearch -x -h ldap.forumsys.com -b ou=scientists,dc=example,dc=com to see an example. This lists the scientists group in a public test LDAP server where the groups have the class groupOfUniqueNames. For docs on using Ambari, see https://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.0/bk_Ambari_Security_Guide/content/_configuring_ambari_for_ldap_or_active_directory_authentication.html.

Rob

From: Pratip Ghosh <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Monday, March 7, 2016 at 9:14 AM
To: "[email protected]" <[email protected]>
Subject: Re: Ambari Server sync-ldap not pulling group membership info.

Hello Rob,

Thank you for your reply.

1) I am using Apache Ambari version 2.1.2.
2) The authentication.ldap.groupMembershipAttr value in my ambari.properties file is as follows:
   authentication.ldap.groupMembershipAttr=memberUid
3) The schema of my LDAP server is as follows.
++++++++++++++++++++++++++++
~# ldapsearch -x -h ldapserver.arcbigdata.com -b "dc=arcbigdata,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=arcbigdata,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# arcbigdata.com
dn: dc=arcbigdata,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: ARC
dc: arcbigdata

# admin, arcbigdata.com
dn: cn=admin,dc=arcbigdata,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# groups, arcbigdata.com
dn: ou=groups,dc=arcbigdata,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

# hadoop_admin, groups, arcbigdata.com
dn: cn=hadoop_admin,ou=groups,dc=arcbigdata,dc=com
gidNumber: 500
objectClass: posixGroup
objectClass: top
cn: hadoop_admin

# hadoop_operator, groups, arcbigdata.com
dn: cn=hadoop_operator,ou=groups,dc=arcbigdata,dc=com
gidNumber: 501
cn: hadoop_operator
objectClass: posixGroup
objectClass: top

# hadoop_users, groups, arcbigdata.com
dn: cn=hadoop_users,ou=groups,dc=arcbigdata,dc=com
gidNumber: 502
cn: hadoop_users
objectClass: posixGroup
objectClass: top

# huser1, hadoop_users, groups, arcbigdata.com
dn: cn=huser1,cn=hadoop_users,ou=groups,dc=arcbigdata,dc=com
cn: huser1
givenName: h
gidNumber: 502
homeDirectory: /home/users/huser1
sn: user1
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
uid: huser1

# hoperator1, hadoop_operator, groups, arcbigdata.com
dn: cn=hoperator1,cn=hadoop_operator,ou=groups,dc=arcbigdata,dc=com
cn: hoperator1
givenName: h
gidNumber: 501
homeDirectory: /home/users/hoperator1
sn: operator1
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1001
uid: hoperator1

# hadmin1, hadoop_admin, groups, arcbigdata.com
dn: cn=hadmin1,cn=hadoop_admin,ou=groups,dc=arcbigdata,dc=com
cn: hadmin1
givenName: h
gidNumber: 500
homeDirectory: /home/users/hadmin1
sn: admin1
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1002
uid: hadmin1

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9
++++++++++++++++++++++++++++++++++++++++++

As I am not very familiar with LDAP, maybe I am providing the wrong value in authentication.ldap.groupMembershipAttr. Can you please help me with this?

Regards,
Pratip

On Monday 07 March 2016 06:57 PM, Robert Levas wrote:

What version of Ambari and LDAP server are you using? I believe before Ambari 2.1 there was an issue syncing with OpenLDAP. Maybe you are hitting this issue. Else maybe there is an issue with your configuration where the group membership link isn't correct and Ambari is trying to look up an incorrect field. Make sure the authentication.ldap.groupMembershipAttr value in your ambari.properties file matches the schema in your LDAP server.

Rob

On 3/7/16, 7:59 AM, "Pratip Ghosh" <[email protected]> wrote:

Hi,

I want to sync membership info, just like users & groups, from LDAP to the Ambari database, but it is not actually happening. All users and groups are syncing, but membership is not syncing from LDAP to Ambari. Can anybody help me out with this?

*********************************************
# ambari-server sync-ldap --all
Using python /usr/bin/python2.7
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing all..................................................................
Completed LDAP Sync.
Summary:
  memberships:
    removed = 0
    created = 0
  users:
    updated = 0
    removed = 2
    created = 1
  groups:
    updated = 0
    removed = 3
    created = 3
Ambari Server 'sync-ldap' completed successfully.
*********************************************************
