Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

AD user sync issue

AD user sync issue

Contributor

Hi, I m getting below user sync error while integrating AD through Ambari. Please assist resolving the issue.Thanks in advance.

AD Authentication Failed:org.springframework.security.authentication.BadCredentialsException: Bad credentials

atorg.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:185)atorg.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61)atorg.apache.ranger.security.handler.RangerAuthenticationProvider.getADBindAuthentication(RangerAuthenticationProvider.java:405

Unable to load native-hadoop library for your platform... using builtin-java classes where applicable INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]

INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]

INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]

INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]

ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details: com.sun.jersey.api.client.UniformInterfaceException: GET Unauthorized at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686) at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74) at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)uster.

4 REPLIES 4

Re: AD user sync issue

Contributor

Hi Samant,

Could you please share HDP version as well, it will be helpful.
Meantime could you disable Enable Group Search First and restart ranger usersync. See if that helps.
Ambari > Ranger > Config > Ranger User info > Group Config > at last Group Search First {disable it}

Re: AD user sync issue

Contributor

Thanks a lot @Pravin Bhagade for responding to my query. I observed that I missed the first line of the error while pasting it on the portal.We are getting "AD Authentication Failed:org.springframework.security.authentication.BadCredentialsException: Bad credentials" error.

We have checked the credential for bind user & credentials are absolutely correct.Apparently, Bind user is not able to access the AD domain server through ranger. we concluded this based on response from AD team who told us that there is no logs for bind user for bad credentials.If particular user enters bad credentials n access the AD server then AD team gets the logs for that particular user.we are using HDP-2.4.3.0. Please shed some light on this issue.

Thanks a lot!!

Re: AD user sync issue

Contributor

Can you verify ldapsearch cmd works successfully from Ranger server using same bind credentials used in Ranger Usersync conf.
If it works, than you can refer below link

HDP-2.4.3.0 might not have ldap check tool. Check under ls /usr/hdp/current/ranger-usersync/ldaptool

LDAP Connection Check Tool

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.1/bk_command-line-installation/content/using_...

Highlighted

Re: AD user sync issue

Expert Contributor
@Samant Thakur

Looks like the logs you posted are from two different log files.

>>>>>>>>>>>>>

AD Authentication Failed:org.springframework.security.authentication.BadCredentialsException: Bad credentials

atorg.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:185)atorg.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61)atorg.apache.ranger.security.handler.RangerAuthenticationProvider.getADBindAuthentication(RangerAuthenticationProvider.java:405

>>>>>>>>>>>>>>

Can you please verify the configuration under Ranger --> Configs --> Advanced --> ADSettings?

>>>>>>>>>>>>>>

ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details: com.sun.jersey.api.client.UniformInterfaceException: GET Unauthorized at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686) at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74) at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)

>>>>>>>>>>>>>>>>>>

This is related to usersync and the issue here is usersync failed to communicate with ranger admin. usersync module uses "rangerusersync" user to talk to ranger admin. Can you please confirm is you have changed the password for this user?

Thanks,

Sailaja.

Don't have an account?
Coming from Hortonworks? Activate your account here