Posts: 866
Topics: 1
Kudos: 200
Solutions: 107
Registered: ‎04-22-2014

Re: could not load AD group members

@Lanes,

 

That is great news!

The workaround is fine to keep long term, too.  We didn't get the fix for the bug into 5.15.0 (as you noticed) but we will work to get it into the next 5.15.x maintenance release.

 

 

Explorer
Posts: 7
Registered: ‎07-05-2018

Re: could not load AD group members

@bgooley

 

Sorry to necro this post, but this issue is affecting my installation running CDH 5.15.0 and I'm not able to fix it.

Moving the ldap config to [[[ldap_servers]]] does indeed bypass the error mentioned by the OP, however the synchronization is not working correctly. The group is added empty, because users are not mapped to the group.

 

Moving the exact same configuration back to [[ldap]] and setting sync_groups_at_login to false, correctly performs the manual synchronization, which means it is not a configuration error.

 

Can you ensure that the member mapping is being performed in the CDH 5.15.0 release when configuring ldap under [[[ldap_servers]]]?

Posts: 866
Topics: 1
Kudos: 200
Solutions: 107
Registered: ‎04-22-2014

Re: could not load AD group members

@gmpinheiro,

 

Hello,

 

We would need to see your full Hue safety valve to be sure that the configuration was what we expect.

sync_groups_on_login=true goes under [[ldap]] and not under [[[ldap_servers]]] area.

 

Please show us the steps you use to synchronize groups with screen shots if you can.

 

Ben

Explorer
Posts: 7
Registered: ‎07-05-2018

Re: could not load AD group members

@bgooley

As I said, with the mentioned workaround, I can log in to Hue but the synchronization does not work. I added the requested configuration in the snippet below.

 

[desktop] 
[[ldap]]
sync_groups_on_login=true
create_users_on_login=true

[[[ldap_servers]]]
[[[[LDAP]]]]
ldap_url=ldaps://hostname ldaps://hostname ldaps://hostname    
search_bind_authentication=true
ldap_cert=/opt/cloudera/security/pki/cacert.pem
use_start_tls=false
base_dn="ou=entities,dc=hadoop,dc=com"    
bind_dn="cn=Manager,dc=hadoop,dc=com"    
bind_password_script={{CMF_CONF_DIR}}/altscript.sh sec-5-bind_password 

[[[[[users]]]]]   
user_filter="objectClass=posixAccount"  
user_name_attr="uid"

[[[[[groups]]]]]
group_filter="objectClass=posixGroup"
group_name_attr="cn"
group_member_attr="memberUid"

Thank you in advance,

Gil Pinheiro.

Posts: 866
Topics: 1
Kudos: 200
Solutions: 107
Registered: ‎04-22-2014

Re: could not load AD group members

@gmpinheiro,

 

Can you show us what you do and what goes wrong?

The config looks pretty normal to me for posix accounts.  I usually don't test with posix, so I suppose there is the off chance something specific to posix is in play, but we'd need to see more info.

 

Also, LDAP debug logging would be required.

 

In the [[[[LDAP]]]] section, add:

 

debug=true
debug_level=255
trace_level=9

 

Save and restart Hue

 

When you reproduce, ldap debugging should be written to the Hue process stdout.log
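
Added example, not part of the original posts and not Hue's own code: a small placement check for the two points made in the replies above, that sync_groups_on_login belongs under [[ldap]] and that the debug keys belong in the per-server section under [[[ldap_servers]]]. The parser is a simplified stand-in for Hue's real config loader, the function names are hypothetical, and the sample config (including ldap.example.com) is constructed.

```python
import re

# Constructed sample in the nested-bracket layout shown in the thread.
SAMPLE = """\
[desktop]
[[ldap]]
sync_groups_on_login=true
[[[ldap_servers]]]
[[[[LDAP]]]]
ldap_url=ldaps://ldap.example.com
debug=true
[[[[[groups]]]]]
group_member_attr="memberUid"
"""

SECTION = re.compile(r"^(\[+)([^\[\]]+)(\]+)$")
GLOBAL_KEYS = {"sync_groups_on_login"}                 # belongs under [[ldap]]
SERVER_KEYS = {"debug", "debug_level", "trace_level"}  # belong under [[[[<server>]]]]

def parse_paths(text):
    """Map each key to the section paths it appears under, e.g. 'desktop/ldap'."""
    stack, found = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.match(line)
        if m:
            depth = len(m.group(1))  # bracket count gives the nesting level
            if depth != len(m.group(3)) or depth > len(stack) + 1:
                raise ValueError(f"line {n}: bad section nesting: {line}")
            stack = stack[:depth - 1] + [m.group(2).strip()]
        elif "=" in line:
            found.setdefault(line.split("=", 1)[0].strip(), []).append("/".join(stack))
    return found

def check_placement(text):
    """Return a list of keys that sit in the wrong section."""
    problems = []
    for key, paths in parse_paths(text).items():
        for path in paths:
            parts = path.split("/")
            in_server = len(parts) == 4 and parts[:3] == ["desktop", "ldap", "ldap_servers"]
            if key in GLOBAL_KEYS and path != "desktop/ldap":
                problems.append(f"{key} under [{path}], expected [desktop/ldap]")
            if key in SERVER_KEYS and not in_server:
                problems.append(f"{key} under [{path}], expected a server section")
    return problems

if __name__ == "__main__":
    print(check_placement(SAMPLE) or "placement OK")
```
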

Explorer
Posts: 7
Registered: ‎07-05-2018

Re: could not load AD group members

@bgooley

 

Basically, in Hue, I removed the group I belong to and logged in again. I expected to see my LDAP group under the groups tab, but to no avail.

 

I can't post the log here because it exceeds the character limit. I will pm you a link to the mentioned log message.

 

Thank you in advance.

 

Best regards,

Gil Pinheiro.

Explorer
Posts: 7
Registered: ‎07-05-2018

Re: could not load AD group members

Bump.

 

This issue is still affecting me and the CDH 5.15.1 still hasn't been released.

 

Best regards,

Gil Pinheiro.

Posts: 866
Topics: 1
Kudos: 200
Solutions: 107
Registered: ‎04-22-2014

Re: could not load AD group members

@gmpinheiro,

 

I was out on PTO so I am just catching up.

I couldn't tell what might have been going on from the stdout log.

 

At this point I hope you can give 5.15.1 a try ( https://archive.cloudera.com/cdh5/parcels/5.15.1/ )

 

Sorry for the late reply.
