| ![[Note]](../common/images/admon/note.png) | Note |
|---|---|
| If you are using LDAPS and the LDAPS server certificate is signed by a trusted Certificate Authority, you do not need to import the certificate into Ambari, and this section does not apply to you. | |

If the LDAPS server certificate is self-signed, or is signed by an unrecognized certificate authority such as an internal certificate authority, you must import the certificate and create a keystore file. The following example creates a keystore file at /keys/ldaps-keystore.jks, but you can create it anywhere in the file system:

- Create the keys directory if it does not already exist:

      mkdir /etc/ambari-server/keys

- Import the LDAPS server certificate into a new keystore:

      $JAVA_HOME/bin/keytool -import -trustcacerts -alias root -file $PATH_TO_YOUR_LDAPS_CERT -keystore /etc/ambari-server/keys/ldaps-keystore.jks

- Set a password when prompted. You will use this password during ambari-server setup-ldap.

Run the LDAP setup command on the Ambari server and answer the prompts, using the information you collected above:

    ambari-server setup-ldap
1. At the **Primary URL*** prompt, enter the server URL and port you collected above. Prompts marked with an asterisk are required values.
2. At the **Secondary URL*** prompt, enter the secondary server URL and port. This value is optional.
3. At the **Use SSL*** prompt, enter your selection. If using LDAPS, enter true.
4. At the **User object class*** prompt, enter the object class that is used for users.
5. At the **User name attribute*** prompt, enter your selection. The default value is uid.
6. At the **Group object class*** prompt, enter the object class that is used for groups.
7. At the **Group name attribute*** prompt, enter the attribute for the group name.
8. At the **Group member attribute*** prompt, enter the attribute for group membership.
9. At the **Distinguished name attribute*** prompt, enter the attribute that is used for the distinguished name.
10. At the **Base DN*** prompt, enter your selection.
11. At the **Referral method*** prompt, enter follow or ignore to follow or ignore LDAP referrals.
12. At the **Bind anonymously*** prompt, enter your selection.
13. At the **Manager DN*** prompt, enter your selection if you set Bind anonymously to false.
14. At the **Enter the Manager Password*** prompt, enter the password for your LDAP manager DN.
15. If you set **Use SSL*** = true in step 3, the following prompt appears: **Do you want to provide custom TrustStore for Ambari?** Consider the following options and respond as appropriate.
    - More secure option: If using a self-signed certificate that you do not want imported into the existing JDK keystore, enter y. For example, you want this certificate used only by Ambari, not by any other applications run by the JDK on the same host. If you choose this option, additional prompts appear. Respond to the additional prompts as follows:
        - At the **TrustStore type** prompt, enter jks.
        - At the **Path to TrustStore file** prompt, enter /keys/ldaps-keystore.jks (or the actual path to your keystore file).
        - At the **Password for TrustStore** prompt, enter the password that you defined for the keystore.
    - Less secure option: If using a self-signed certificate that you want to import and store in the existing, default JDK keystore, enter n. Then:
        - Convert the SSL certificate to X.509 format, if necessary, by executing the following command:

              openssl x509 -in slapd.pem -out <slapd.crt>

          Where <slapd.crt> is the path to the X.509 certificate.
        - Import the SSL certificate into the existing keystore, for example the default JRE certificate store, using the following command:

              /usr/jdk64/jdk1.7.0_45/bin/keytool -import -trustcacerts -file slapd.crt -keystore /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts

          Here Ambari is set up to use JDK 1.7, so the certificate must be imported into the JDK 7 keystore.
16. Review your settings and, if they are correct, enter y.
17. Start or restart the server:

        ambari-server restart

The users you have just imported are initially granted the Ambari User privilege. Ambari Users can read metrics, view service status and configuration, and browse job information. For these new users to be able to start or stop services, modify configurations, and run smoke tests, they need to be Admins. To make this change, as an Ambari Admin, use **Manage Ambari > Users > Edit**. For instructions, see Managing Users and Groups.
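As an added check (example code written for this page, not part of Ambari), the function below reviews a set of answers to the setup-ldap prompts above before you confirm them, flagging the choices that weaken the configuration: Use SSL=false, a port that contradicts the SSL choice, a missing Manager DN with anonymous bind disabled, and a truststore path or password that is not set. Prompt names are the ones on this page; the assumption that Primary URL ends in host:port and any sample answer values are constructed for the example.

```python
import os

# Prompts marked with an asterisk on the page (required values).
REQUIRED = ("Primary URL", "Use SSL", "User object class", "User name attribute",
            "Group object class", "Group name attribute", "Group member attribute",
            "Distinguished name attribute", "Base DN", "Referral method",
            "Bind anonymously")


def review_ldap_answers(answers, file_exists=os.path.isfile):
    """Return findings for a dict of prompt -> answer; [] means nothing to fix.
    file_exists is injectable so the review can run without the real keystore."""
    a = {k: str(v).strip() for k, v in answers.items()}
    findings = [f"'{p}' is required" for p in REQUIRED if not a.get(p)]
    use_ssl = a.get("Use SSL", "").lower() == "true"
    # Assumption: the Primary URL answer is host:port, so the port is the last field.
    port = a.get("Primary URL", "").rsplit(":", 1)[-1]
    if not use_ssl:
        findings.append("Use SSL=false: the manager password and user passwords cross "
                        "the network in cleartext; use LDAPS (Use SSL=true)")
    # Heuristic only: 389 is the conventional plain-LDAP port, 636 the LDAPS port.
    if (use_ssl and port == "389") or (not use_ssl and port == "636"):
        findings.append(f"Use SSL={a.get('Use SSL')} does not match port {port}")
    anon = a.get("Bind anonymously", "").lower() == "true"
    if not anon and not a.get("Manager DN"):
        findings.append("Bind anonymously=false requires a Manager DN and password")
    if anon and a.get("Manager DN"):
        findings.append("Manager DN is set but Bind anonymously=true, so it is ignored")
    ref = a.get("Referral method", "").lower()
    if ref and ref not in ("follow", "ignore"):
        findings.append("Referral method must be 'follow' or 'ignore'")
    # The custom-truststore prompts only appear when Use SSL=true and you answered y.
    if use_ssl and a.get("Custom TrustStore", "").lower() == "y":
        path = a.get("Path to TrustStore file", "")
        if a.get("TrustStore type", "").lower() != "jks":
            findings.append("TrustStore type should be jks for a keytool-built keystore")
        if not path or not file_exists(path):
            findings.append(f"TrustStore file not found: {path!r}")
        if not a.get("Password for TrustStore"):
            findings.append("Password for TrustStore is empty")
    return findings
```

Run it over the answers you plan to give; an empty list means the prompts are consistent with each other and with the keystore you built earlier.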


