question Ranger Usersync with LDAPS not working in Support Questions

question Ranger Usersync with LDAPS not working in Support Questions https://community.cloudera.com/t5/Support-Questions/Ranger-Usersync-with-LDAPS-not-working/m-p/314396#M226022 <P>Hello Everyone,</P><P> </P><P>I've recently installed Ranger on CDP Private Cloud Base 7.1.5.</P><P>For usersync, I'm connecting to my organization AD. For some reason, the usersync is throwing SSLHandshakeException and is not working.</P><P> </P><LI-CODE lang="markup">2021-04-10 13:41:28,715 ERROR org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder: LdapUserGroupBuilder.getUsers() failed with exception: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: simple bind failed: <AD Domain>:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]] at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:237) at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189) at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.getUsers(LdapUserGroupBuilder.java:435) at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:325) at org.apache.ranger.usergroupsync.UserGroupSync.syncUserGroup(UserGroupSync.java:100) at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:55) at java.lang.Thread.run(Thread.java:748) Caused by: javax.naming.CommunicationException: simple bind failed: <AD Domain>:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target] at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:96) at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:151) at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(AbstractLdapNamingEnumeration.java:325) at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:227) ... 6 more Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alert.createSSLException(Alert.java:131) at sun.security.ssl.TransportContext.fatal(TransportContext.java:353) at sun.security.ssl.TransportContext.fatal(TransportContext.java:296) at sun.security.ssl.TransportContext.fatal(TransportContext.java:291) at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652) at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471) at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367) at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376) at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) at sun.security.ssl.TransportContext.dispatch(TransportContext.java:183) at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154) at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1279) at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1188) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401) at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:808) at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:75) at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1093) at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:450) at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:423) at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359) at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214) at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2895) at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:225) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:152) at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(ldapURLContextFactory.java:52) at javax.naming.spi.NamingManager.getURLObject(NamingManager.java:601) at javax.naming.spi.NamingManager.processURL(NamingManager.java:381) at javax.naming.spi.NamingManager.processURLAddrs(NamingManager.java:361) at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:333) at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:119) ... 9 more Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) at sun.security.validator.Validator.validate(Validator.java:271) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:128) at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:636) ... 39 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ... 45 more 2021-04-10 13:41:28,718 INFO org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder: LdapUserGroupBuilder.getUsers() user count: 0 2021-04-10 13:41:28,721 INFO org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder: deltaSyncUserTime = 0 and highestdeltaSyncUserTime = 0 2021-04-10 13:41:28,721 INFO org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder: deltaSyncGroupTime = 0 and highestdeltaSyncGroupTime = 0</LI-CODE><P> </P><P> </P><P>I've imported the LDAPS Certificate to /usr/java/default/jre/lib/security/cacerts and the following property is set to this path.</P><DIV class="cmf-main-page-container"><DIV class="generic-config-and-filters-container config-and-filters-container "><DIV class="clearfix"><DIV class="table-panel"><DIV class="form-horizontal"><DIV class="param-specs param-spec-container"><DIV class="property-list"><DIV class="param-spec-property form-group"><DIV class="header-column"><DIV class="property-name small">ranger.usersync.truststore.file = /usr/java/default/jre/lib/security/cacerts</DIV><DIV class="property-name small"> </DIV><DIV class="property-name small">The surprising thing is my usersync LDAP URL is set as follows:</DIV><DIV class="property-name small"><DIV class="cmf-main-page-container"><DIV class="generic-config-and-filters-container config-and-filters-container "><DIV class="clearfix"><DIV class="table-panel"><DIV class="form-horizontal"><DIV class="param-specs param-spec-container"><DIV class="property-list"><DIV class="param-spec-property form-group"><DIV class="header-column"><DIV class="property-name small">ranger.usersync.ldap.url = ldaps://<AD Domain Controller Server1>:636</DIV><DIV class="property-name small"> </DIV><DIV class="property-name small">but in the error I'm getting "simple bind failed: <AD Domain>:636".</DIV><DIV class="property-name small"> </DIV><DIV class="property-name small">With the same configuration for all other properties the Ranger Admin Authentication with AD works perfectly, but usersync is not happening.</DIV><DIV class="property-name small"> </DIV><DIV class="property-name small">Things I've already tried:</DIV><OL><LI>From <A href="https://community.cloudera.com/t5/Support-Questions/How-to-Configure-Ranger-and-Usersync-for-LDAP-SSL-and/m-p/95022" target="_self">this</A> link, I tried adding -Djavax.net.ssl.trustStore=/<path to the cacert> in ranger-usersync-services.sh file.</LI><LI>From <A href="https://community.cloudera.com/t5/Support-Questions/Ranger-usersync-service-not-able-to-sync-LDAP-users-and/td-p/228612" target="_self">this</A> link, I've tried adding ranger.usersync.sink.impl.class property in my config.</LI><LI>Experimented with User search/Group Search settings.</LI></OL><P>Kindly add your suggestions.</P><P> </P><P>Thanks,</P><P>Megh</P></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV> Sat, 10 Apr 2021 09:39:11 GMT vidanimegh 2021-04-10T09:39:11Z