Obfuscating LDAP Bind Password in Ambari

Migrate the LDAP bind/manager password from plain text / file-based storage to the Ambari Credential Store (JCEKS) to ensure secure password handling.

Scope

• Ambari with LDAP authentication enabled
• Applies to Ambari 3.x
• Backend DB: MySQL (applies similarly to other supported DBs)
• Covers JDK 8 and JDK 11

Background

• Ambari stores LDAP configuration in the backend DB (ambari_configuration table).
• The LDAP bind password is stored in a plain-text file (e.g. /etc/ambari-server/conf/ldap-password.dat) and referenced directly in DB.
• This file is readable in plain text, which is a security risk.
• Ambari supports secure storage via Credential Store (JCEKS), which must be used instead.

Prerequisites

• Ambari Server access (root)
• Ambari Server stopped during security setup
• LDAP connectivity verified
• Master key decision made (persist or non-persist)

Step 1: LDAP Setup (Reference)

Example LDAP setup command:

ambari-server setup-ldap \

  --ldap-primary-host=10.100.11.29 \

  --ldap-primary-port=1636 \

  --ldap-ssl=true \

  --ldap-type=Generic \

  --ldap-user-class=inetOrgPerson \

  --ldap-user-attr=uid \

  --ldap-group-class=posixGroup \

  --ldap-group-attr=cn \

  --ldap-member-attr=memberUid \

  --ldap-dn=dn \

  --ldap-base-dn=dc=acceldata,dc=ce \

  --ldap-manager-dn="cn=admin,dc=acceldata,dc=ce" \

  --ldap-manager-password=passw0rd \

  --ldap-referral=follow \

  --ldap-bind-anonym=false \

  --ldap-save-settings \

  --ambari-admin-username=admin \

  --ambari-admin-password=admin

Step 2: Import LDAP SSL Certificate (If Using LDAPS)

2.1 Extract certificate

openssl s_client -connect 10.100.11.29:1636 -showcerts </dev/null

Copy the last certificate and save it as:

vi /etc/pki/tls/certs/custom-ldap.crt

2.2 Import into Java truststore

Java 8

# For java 8 (ambari 3.2.3)

keytool -import \

  -trustcacerts \

  -alias ambari-ldap-custom \

  -file /etc/pki/tls/certs/custom-ldap.crt \

  -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.472.b08-1.el8.x86_64/jre/lib/security/cacerts \

  -storepass changeit \

Java 11

# For java 11 (ambari 3.6.6)

  keytool -import \

  -trustcacerts \

  -alias ambari-ldap-custom \

  -file /etc/pki/tls/certs/custom-ldap.crt \

  -keystore /usr/lib/jvm/java-11-openjdk-11.0.25.0.9-2.el8.x86_64/lib/security/cacerts \

  -storepass changeit \

Cross-check the changes made: cat /etc/ambari-server/conf/ldap-password.dat

Step 3: Enable Ambari Credential Store

ambari-server stop

ambari-server setup-security

You might get options similar to the following snippet:

Using python  /usr/bin/python3.11

Security setup options...

===========================================================================

Choose one of the following options:

  [1] Enable HTTPS for Ambari server.

  [2] Encrypt passwords stored in ambari.properties file.

  [3] Setup Ambari kerberos JAAS configuration.

  [4] Setup truststore.

  [5] Import certificate to truststore.

===========================================================================

Enter choice, (1-5):

Choose option: [2] Encrypt passwords stored in ambari.properties file

You will then be prompted for aMaster key, it’s like setting up a password:

• If you haven’t set a Master key, create one (and remember it! You will need it in the future, and also during the setup).
• For the Persist Master Key, choose y (yes) otherwise you have to provide this password every time you restart ambari-server. Else you can choose not to persist the same.

Result

Credential store created:

/var/lib/ambari-server/keys/credentials.jceks

The passwords referenced in ambari.properties are obfuscated.

Step 4: Obfuscate LDAP Bind Password

You need to keep your Master key handy for this.

4.1 Import password into Credential Store

# Now import the new password

read -sp "Enter keystore password: " KEYSTORE_PASSWORD && echo && \

LDAP_PASSWORD=$(tr -d '\n' < /etc/ambari-server/conf/ldap-password.dat) && \

keytool -importpass -alias ambari.ldap.connectivity.bind_password \

  -keystore /var/lib/ambari-server/keys/credentials.jceks \

  -storetype JCEKS \

  -storepass "$KEYSTORE_PASSWORD" \

  -keypass "$KEYSTORE_PASSWORD" \

  -noprompt <<EOF

$LDAP_PASSWORD

EOF

You are prompted to enter the Master key here.

Verify import:

keytool -list -v \

  -keystore /var/lib/ambari-server/keys/credentials.jceks \

  -storetype JCEKS | grep "Alias name"

Again, you need to give your storepass, i.e., Master key, when prompted

Step 5: Update Ambari DB Configuration

Log in to mysql shell on your node, and then run the following command:

USE ambari;

​

UPDATE ambari_configuration

SET property_value='${alias=ambari.ldap.connectivity.bind_password}'

WHERE category_name='ldap-configuration'

AND property_name='ambari.ldap.connectivity.bind_password';

Result:

• Plain-text password reference replaced with credential alias

You can see an updated alias in the bind password value. Here is a similar overview of what your table might look like:

OR as below (depends on your setup, TLDR: your bind address' property_value is changed to an alias that references it from credentials.jceks file)

Step 6: Cleanup & Restart

Remove the plain text file, and restart the server.

rm /etc/ambari-server/conf/ldap-password.dat

ambari-server restart

Step 7: Validation

For validation, log in to the Ambari UI, followed by running the command on your host node:

ambari-server sync-ldap --all

Verify:

• If you see no errors, and cross-check in /var/log/ambari-server/ambari-server.log for a successful sync. And check if your users/groups are synced
• Users and groups sync successfully in Ambari UI

Outcome

• LDAP bind password no longer stored in plain text
• Password securely managed via Ambari Credential Store (JCEKS)
• Fully aligned with Ambari security best practices