question Re: ranger usersync connect to ldap failed in Support Questions

ranger usersync connect to ldap failed

bigdatacn — Mon, 29 Feb 2016 17:10:45 GMT

Summary: Our LDAP ssl crt is signed-certification.

29 Feb 2016 09:08:06 ERROR PasswordValidator [Thread-43] - Response [FAILED: unable to validate due to error javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake] for user: null
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:946)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:283)
at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:325)
at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:177)
at java.io.InputStreamReader.read(InputStreamReader.java:184)
at java.io.BufferedReader.fill(BufferedReader.java:154)
at java.io.BufferedReader.readLine(BufferedReader.java:317)
at java.io.BufferedReader.readLine(BufferedReader.java:382)
at com.xasecure.authentication.PasswordValidator.run(PasswordValidator.java:58)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(InputRecord.java:482)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
... 12 more
29 Feb 2016 09:09:06 ERROR PasswordValidator [Thread-44] - Response [FAILED: unable to validate due to error javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake] for user: null
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:946)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:283)
at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:325)
at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:177)
at java.io.InputStreamReader.read(InputStreamReader.java:184)
at java.io.BufferedReader.fill(BufferedReader.java:154)
at java.io.BufferedReader.readLine(BufferedReader.java:317)
at java.io.BufferedReader.readLine(BufferedReader.java:382)
at com.xasecure.authentication.PasswordValidator.run(PasswordValidator.java:58)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(InputRecord.java:482)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
... 12 more

Re: ranger usersync connect to ldap failed

nsabharwal — Mon, 29 Feb 2016 17:48:03 GMT

@henryon wen

Ambari is doing a service check to ensure that the UserSync process is up and running and it can be safely ignored.

Re: ranger usersync connect to ldap failed

bigdatacn — Mon, 29 Feb 2016 18:49:27 GMT

@Neeraj Sabharwal, thanks for your reply. I've runned on Ambari UI. it works fine. but How can I add ldap user/groups to ranger. seems I can't add them, if there have some docs link. Could you share with me ? Thanks.

We want to use ranger to harden hadoop.

Notes: HDP 2.2 Ranger 0.4

Re: ranger usersync connect to ldap failed

nsabharwal — Mon, 29 Feb 2016 18:55:50 GMT

@henryon wen Ambari version?

https://cwiki.apache.org/confluence/display/RANGER/Configure+Ranger+UserSync+for+LDAP

This is handy https://cwiki.apache.org/confluence/display/RANGER/LDAP+Connection+Check+Tool

Re: ranger usersync connect to ldap failed

bigdatacn — Tue, 01 Mar 2016 09:44:59 GMT

@Neeraj Sabharwal ambari version 2.0.1

Re: ranger usersync connect to ldap failed

nsabharwal — Tue, 01 Mar 2016 09:51:08 GMT

@henryon wen

This can save you lot of time https://github.com/abajwa-hw/security-workshops

The above guide is very helpful to learn security setup.

You asked for official doc https://cwiki.apache.org/confluence/display/RANGER/Configure+Ranger+UserSync+for+LDAP

Re: ranger usersync connect to ldap failed

bigdatacn — Wed, 02 Mar 2016 14:43:40 GMT

@Neeraj Sabharwal

thanks,

btw, I encountered another issues when sync LDAP user/groups.

Can you help on this? Thanks.

The error messages:

02 Mar 2016 06:38:09  INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization completed with --  ldapUrl: ldaps://52.17.129.212:636,  ldapBindDn: cn=admin,dc=abc,dc=com,  ldapBindPassword: ***** ,  ldapAuthenticationMechanism: simple,  userSearchBase: ou=people,dc=abc,dc=com,  userSearchScope: 2,  userObjectClass: person,  userSearchFilter: -,  extendedSearchFilter: (&(objectclass=person)(-)),  userNameAttribute: uid,  userSearchAttributes: [uid, memberof]
02 Mar 2016 06:38:09 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 300000 milliseconds. Error details:
javax.naming.directory.InvalidSearchFilterException: Missing 'equals'; remaining name 'ou=people,dc=abc,dc=com'
at com.sun.jndi.ldap.Filter.encodeSimpleFilter(Filter.java:330)
at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:146)
at com.sun.jndi.ldap.Filter.encodeFilterList(Filter.java:741)
at com.sun.jndi.ldap.Filter.encodeComplexFilter(Filter.java:657)
at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:104)
at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74)
at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:547)
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
at com.xasecure.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:195)
at com.xasecure.usergroupsync.UserGroupSync.run(UserGroupSync.java:59)
at java.lang.Thread.run(Thread.java:745)

Re: ranger usersync connect to ldap failed

nsabharwal — Wed, 02 Mar 2016 16:56:45 GMT

@henryon wen Could you help me to close this thread by accepting the answer?

Re: ranger usersync connect to ldap failed

nsabharwal — Wed, 02 Mar 2016 17:00:28 GMT

@henryon wen Please open this as new question

Re: ranger usersync connect to ldap failed

bigdatacn — Wed, 02 Mar 2016 17:25:06 GMT

@Neeraj Sabharwal I've fixed by myself. by setting SYNC_LDAP_USER_SEARCH_FILTER to "uid=*"

Re: ranger usersync connect to ldap failed

nsabharwal — Wed, 02 Mar 2016 17:29:02 GMT

@Henry Oh Thanks! How about the answer of the initial question asked? Could you accept the answer?

Re: ranger usersync connect to ldap failed

bigdatacn — Thu, 03 Mar 2016 11:47:19 GMT

@Neeraj Sabharwal sure