HiverServer2 connectivity with LDAPS

sushil61 — Mon, 08 Feb 2016 04:42:20 GMT

HDP-2.3.2.0-2950, Ambari 2.1, Hive: 1.2.1.2.3

I am facing problem in connecting beeline with secured ldap. Here are my testing, setups and errors:

Secured LDAP Conenctivity Testing (working):

ping -c1 xxxx.net

telnet xxxx.net 636

Setup:

/etc/openldap/ldap.conf : TLS_CACERTDIR /usr/jdk64/jdk1.7.0_67/jre/lib/security

Certifictae Type: CA certificate

keytool -import -trustcacerts -alias xxxx -storepass changeit -noprompt -file 6a386909.0 -keystore /usr/jdk64/jdk1.7.0_67/jre/lib/security/cacerts  (Certificate imported)

Works Fine:

ldapsearch -x -W -D 'uid=abc@xx.com,ou=People,o=xx.com' -H ldaps://xxxx.net:636 -b o=xx.com "(uid=abc@xx.com)"

HDFS env Setup:

export HADOOP_OPTS="-Djava_net_preferIPv4Stack=true
-Djavax.net.ssl.trustStore=/usr/jdk64/jdk1.7.0_67/jre/lib/security/cacerts 
-Djavax.net.ssl.trustStorePassword=changeit ${HADOOP_OPTS}"

Hive Advance Setup:

hive.server2.authentication.ldap.baseDN : CN=%s,uid=%s,OU=People,O=xx.com 
hive.server2.authentication.ldap.url : ldaps://xxxx.net

beeline> !connect jdbc:hive2://<myhiveserver2-host>:10000

Connecting to jdbc:hive2://<myhiveserver2-host>:10000

Enter username for jdbc:hive2://<myhiveserver2-host>:10000: abc@xx.com (TRIED with just abc also)

Enter password for jdbc:hive2://<myhiveserver2-host>:10000: *********

Error: Could not open client transport with JDBC Uri: jdbc:hive2://<myhiveserver2-host>:10000: Peer indicated failure: Error validating the login (state=08S01,code=0) 0: jdbc:hive2://<myhiveserver2-host>:100 (closed)>

hiveserver2.log

------------------
2016-02-07 20:06:07,764 ERROR [HiveServer2-Handler-Pool: Thread-47]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure
javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]]]
        at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:109)
        at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539)
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283)
        at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
        at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
        at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
Caused by: javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]]
        at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:77)
        at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:106)
        at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:102)
        ... 8 more

Re: HiverServer2 connectivity with LDAPS

nsabharwal — Mon, 08 Feb 2016 09:58:53 GMT

@Sushil Saxena

[LDAP: error code 49 - Invalid Credentials]]] -- See this

TSaslTransport.java:open(315)) - SASL negotiation failure javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]]]

Re: HiverServer2 connectivity with LDAPS

sushil61 — Tue, 09 Feb 2016 00:53:21 GMT

It would be more helpful, if I should know on what reasons this errors comes, so that I can pin point the problem. Or please give me some steps to debug and solution.

Re: HiverServer2 connectivity with LDAPS

amcbarnett — Tue, 09 Feb 2016 03:03:18 GMT

@Sushil Saxena

Your base DN should be(assuming it is NOT AD)

hive.server2.authentication.ldap.baseDN: OU=People,O=xx.com

Ensure that you go to the host in Ambari (not Dashboard) and restart HiveServer2 from the host list.

Re: HiverServer2 connectivity with LDAPS

cakkinep — Thu, 11 Feb 2016 01:58:45 GMT

Are you able to find a solution to this problem yet?

question Re: HiverServer2 connectivity with LDAPS in Archives of Support Questions (Read Only)

HiverServer2 connectivity with LDAPS

Re: HiverServer2 connectivity with LDAPS

Re: HiverServer2 connectivity with LDAPS

Re: HiverServer2 connectivity with LDAPS

Re: HiverServer2 connectivity with LDAPS