By default Ambari uses an internal database as the user store for authentication and authorization. If you wish to add LDAP or Active Directory (AD) external authentication in addition for Ambari Web, you need to make some edits to the Ambari properties file.
| ![Important](../common/images/admon/important.png) | Important |
|---|---|
| | Ambari Server should not be running when you do this: either make the edits before you start Ambari Server the first time or bring the server down to make the edits. |
- On the Ambari Server host, open /etc/ambari-server/conf/ambari.properties with a text editor.
- Make the following edits:
  - Add the client security property and set it to "ldap". This is the setting for either LDAP or AD external authentication.

    client.security=ldap

  - Add the following properties for the LDAP or AD server, including whether to use SSL, whether you can bind to the server anonymously or if you need to provide manager credentials, the base DN, and so forth.

    Table 2.3. Ambari Server Properties

    | Property | Values | Description |
    |---|---|---|
    | authentication.ldap.useSSL | true or false | If true, use SSL when connecting to the LDAP or AD server. |
    | authentication.ldap.primaryUrl | server:port | The hostname and port for the LDAP or AD server. Example: my.ldap.server:389 |
    | authentication.ldap.secondaryUrl | server:port | The hostname and port for the secondary LDAP or AD server. Example: my.secondary.ldap.server:389 |
    | authentication.ldap.baseDn | [Distinguished Name] | The root Distinguished Name to search in the directory for users. Example: ou=people,dc=hadoop,dc=apache,dc=org |
    | authentication.ldap.bindAnonymously | true or false | If true, bind to the LDAP or AD server anonymously. |
    | authentication.ldap.managerDn | [Full Distinguished Name] | If bindAnonymously is set to false, the Distinguished Name ("DN") for the manager. Example: uid=hdfs,ou=people,dc=hadoop,dc=apache,dc=org |
    | authentication.ldap.managerPassword | [password] | If bindAnonymously is set to false, the password for the manager. |
    | authentication.ldap.usernameAttribute | [LDAP attribute] | The attribute for username. Example: uid |
 
When you have made the necessary edits to the properties file, you can go on to start (or re-start) the server. Initially the users you have enabled will all have User privileges. Users can read metrics, view service status and configuration, and browse job information. For these new users to be able to start or stop services, modify configurations, and run smoke tests, they need to be Admins. To make this change, use the Ambari Web Admin View.
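As an added example (not part of the Ambari documentation), the following script parses an ambari.properties fragment containing the settings above and reports the problems a reviewer would want caught before the server is started: missing required properties, useSSL left at false, and bindAnonymously=false without manager credentials. The sample fragment and its values are constructed placeholders.

```python
# Added example: pre-start check of the LDAP/AD settings described on this page.
from typing import Dict, List

# Constructed sample of the edits described above; all values are placeholders.
SAMPLE_PROPERTIES = """\
client.security=ldap
authentication.ldap.useSSL=false
authentication.ldap.primaryUrl=my.ldap.server:389
authentication.ldap.baseDn=ou=people,dc=hadoop,dc=apache,dc=org
authentication.ldap.bindAnonymously=false
authentication.ldap.managerDn=uid=hdfs,ou=people,dc=hadoop,dc=apache,dc=org
authentication.ldap.usernameAttribute=uid
"""

REQUIRED = ("authentication.ldap.primaryUrl", "authentication.ldap.baseDn",
            "authentication.ldap.usernameAttribute")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-style properties parser: key=value lines, '#'/'!' comments.
    Only the first '=' splits key from value, so DNs containing '=' survive."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()  # later duplicates override earlier ones
    return props


def check_ldap_config(props: Dict[str, str]) -> List[str]:
    """Return the list of problems found; an empty list means the fragment looks sane."""
    problems: List[str] = []
    if props.get("client.security") != "ldap":
        problems.append("client.security must be 'ldap' for LDAP/AD authentication")
    for key in REQUIRED:
        if not props.get(key):
            problems.append(f"missing {key}")
    if props.get("authentication.ldap.useSSL", "false").lower() != "true":
        problems.append("useSSL=false: bind credentials and user passwords cross the network in clear text")
    if props.get("authentication.ldap.bindAnonymously", "false").lower() != "true":
        for key in ("authentication.ldap.managerDn", "authentication.ldap.managerPassword"):
            if not props.get(key):
                problems.append(f"bindAnonymously=false but {key} is not set")
    return problems


if __name__ == "__main__":
    for problem in check_ldap_config(parse_properties(SAMPLE_PROPERTIES)):
        print("WARN:", problem)
```

Run it against the real /etc/ambari-server/conf/ambari.properties by reading the file into parse_properties instead of SAMPLE_PROPERTIES.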