Created 04-29-2017 03:52 AM
We are using Ambari 2.5.0.3. Our LDAP Setup configs are as below:
Primary URL* {host:port} (host:3269): my.domain.com:3269
Secondary URL {host:port} :
Use SSL* [true/false] (true): true
User object class* (user): user
User name attribute* (sAMAccountName): sAMAccountName
Group object class* (group): group
Group name attribute* (memberof, ismemberof): memberof, ismemberof
Group member attribute* (member): member
Distinguished name attribute* (distinguishedName): distinguishedName
Base DN* : DC=my,DC=server,DC=com
Referral method [follow/ignore] (follow): follow
Bind anonymously* [true/false] (false): false
Handling behavior for username collisions [convert/skip] for LDAP sync* (skip): skip
Manager DN*: CN=bind_user,OU=Users,DC=my,DC=server,DC=com
Enter Manager Password* :
Re-enter password:
Do you want to provide custom TrustStore for Ambari [y/n] (y)?n
The TrustStore is already configured:
ssl.trustStore.type = jks
ssl.trustStore.path = /path/to/certs/
ssl.trustStore.password = xxxxxxx
After this, when I restart the ambari-server and sync-ldap, I get all the users. But when I try to log in, I get an "Invalid Username/Password" error. I turned on debug logging and see the messages below, which say "Found DN" with my user name and then say invalid user. Ranger is working fine with the same user from LDAP:
28 Apr 2017 20:51:57,635 DEBUG [ambari-client-thread-35] FilterChainProxy:337 - /api/v1/users/makaur10?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name&_=1493430718712 at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
28 Apr 2017 20:51:57,635 DEBUG [ambari-client-thread-35] HttpSessionSecurityContextRepository:127 - No HttpSession currently exists
28 Apr 2017 20:51:57,635 DEBUG [ambari-client-thread-35] HttpSessionSecurityContextRepository:85 - No SecurityContext was available from the HttpSession: null. A new one will be created.
28 Apr 2017 20:51:57,635 DEBUG [ambari-client-thread-35] FilterChainProxy:337 - /api/v1/users/makaur10?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name&_=1493430718712 at position 2 of 10 in additional filter chain; firing Filter: 'AmbariUserAuthorizationFilter'
28 Apr 2017 20:51:57,635 DEBUG [ambari-client-thread-35] FilterChainProxy:337 - /api/v1/users/makaur10?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name&_=1493430718712 at position 3 of 10 in additional filter chain; firing Filter: 'AmbariDelegatingAuthenticationFilter'
28 Apr 2017 20:51:57,635 DEBUG [ambari-client-thread-35] AmbariDelegatingAuthenticationFilter:117 - Using authentication filter org.apache.ambari.server.security.authentication.AmbariBasicAuthenticationFilter since it applies
28 Apr 2017 20:51:57,635 DEBUG [ambari-client-thread-35] AmbariBasicAuthenticationFilter:161 - Basic Authentication Authorization header found for user 'makaur10'
28 Apr 2017 20:51:57,636 DEBUG [ambari-client-thread-35] ProviderManager:152 - Authentication attempt using org.apache.ambari.server.security.authorization.AmbariLocalUserProvider
28 Apr 2017 20:51:57,641 DEBUG [ambari-client-thread-35] ProviderManager:152 - Authentication attempt using org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider
28 Apr 2017 20:51:57,641 DEBUG [ambari-client-thread-35] ProviderManager:152 - Authentication attempt using org.apache.ambari.server.security.authorization.AmbariLdapAuthenticationProvider
28 Apr 2017 20:51:57,642 DEBUG [ambari-client-thread-35] Configuration:3878 - Reading password from file /etc/ambari-server/conf/ldap-password.dat
28 Apr 2017 20:51:57,642 DEBUG [ambari-client-thread-35] AbstractContextSource:418 - AuthenticationSource not set - using default implementation
28 Apr 2017 20:51:57,642 DEBUG [ambari-client-thread-35] AbstractContextSource:441 - Not using LDAP pooling
28 Apr 2017 20:51:57,642 DEBUG [ambari-client-thread-35] AbstractContextSource:462 - Trying provider Urls: ldaps://my.server.com:3269/DC=my,DC=server,DC=com
28 Apr 2017 20:51:57,642 INFO [ambari-client-thread-35] FilterBasedLdapUserSearch:95 - SearchBase not set. Searches will be performed from the root: dc=my,dc=server,dc=com
28 Apr 2017 20:51:57,643 DEBUG [ambari-client-thread-35] LdapAuthenticationProvider:67 - Processing authentication request for user: makaur10
28 Apr 2017 20:51:57,643 DEBUG [ambari-client-thread-35] FilterBasedLdapUserSearch:115 - Searching for user 'makaur10', with user search [ searchFilter: '(&(sAMAccountName={0})(objectClass=person))', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
28 Apr 2017 20:51:57,717 DEBUG [ambari-client-thread-35] AbstractContextSource:349 - Got Ldap context on server 'ldaps://my.server.com:3269/DC=my,DC=server,DC=com'
28 Apr 2017 20:51:57,719 DEBUG [ambari-client-thread-35] SpringSecurityLdapTemplate:337 - Searching for entry under DN 'dc=my,dc=server,dc=com', base = '', filter = '(&(sAMAccountName={0})(objectClass=person))'
28 Apr 2017 20:51:57,720 DEBUG [ambari-client-thread-35] SpringSecurityLdapTemplate:350 - Found DN: CN=makaur10,OU=Technology,OU=Users,OU=Corp
28 Apr 2017 20:51:57,780 DEBUG [ambari-client-thread-35] AbstractContextSource:349 - Got Ldap context on server 'ldaps://my.server.com:3269/DC=my,DC=server,DC=com'
28 Apr 2017 20:51:57,781 DEBUG [ambari-client-thread-35] Configuration:3878 - Reading password from file /etc/ambari-server/conf/ldap-password.dat
28 Apr 2017 20:51:57,842 DEBUG [ambari-client-thread-35] AbstractContextSource:349 - Got Ldap context on server 'ldaps://my.server.com:3269/DC=my,DC=server,DC=com'
28 Apr 2017 20:51:57,843 DEBUG [ambari-client-thread-35] DefaultAuthenticationEventPublisher:94 - No event was found for the exception org.apache.ambari.server.security.authorization.InvalidUsernamePasswordCombinationException
28 Apr 2017 20:51:57,843 DEBUG [ambari-client-thread-35] AmbariBasicAuthenticationFilter:185 - Authentication request for failed: org.apache.ambari.server.security.authorization.InvalidUsernamePasswordCombinationException: Unable to sign in. Invalid username/password combination.
28 Apr 2017 20:51:57,843 DEBUG [ambari-client-thread-35] HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
28 Apr 2017 20:51:57,844 DEBUG [ambari-client-thread-35] SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
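To see which step of the login the debug output above actually reached, here is an added Python helper; it is not part of the question and not Ambari code. It parses ambari-server.log records in the layout shown, reconstructs the LDAP authentication sequence (providers tried, provider URL, the search filter that was really used, whether a DN was resolved, and the final exception) and labels the failed stage. The stage names and the triage rules are this example's own; the sample input is a subset of the log lines quoted in the question. Reporting the filter's objectClass lets you compare it directly with the user object class you typed into setup-ldap.

```python
"""Added example: summarise an LDAP login attempt from ambari-server.log debug output."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# One ambari-server.log record in the layout quoted in the question, e.g.
# "28 Apr 2017 20:51:57,643 DEBUG [ambari-client-thread-35] LdapAuthenticationProvider:67 - msg"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) \[(?P<thread>[^\]]+)\] "
    r"(?P<logger>[\w.$]+):(?P<line>\d+) - (?P<msg>.*)$"
)


@dataclass
class LdapAuthTrace:
    user: Optional[str] = None
    providers: List[str] = field(default_factory=list)  # providers tried, in order
    provider_url: Optional[str] = None                  # ldap(s) URL Ambari connected to
    search_filter: Optional[str] = None
    found_dn: Optional[str] = None
    failure: Optional[str] = None                       # simple name of the final exception
    tls_error: bool = False

    @property
    def filter_object_class(self) -> Optional[str]:
        """objectClass the user search really used (compare with the setup-ldap answer)."""
        if not self.search_filter:
            return None
        m = re.search(r"objectClass=([^)]+)", self.search_filter, re.IGNORECASE)
        return m.group(1) if m else None

    @property
    def failed_stage(self) -> str:
        """Coarse stage at which the login failed, judged only from the log.
        Stage names are this example's own, not Ambari's."""
        if self.failure is None:
            return "none"
        if self.tls_error:
            return "tls-handshake"   # server certificate not trusted by the truststore
        if self.found_dn is None:
            return "user-search"     # manager bind, base DN or filter did not yield a DN
        return "post-search"         # DN resolved; the user bind or a later check failed


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_ldap_login(lines: Iterable[str]) -> LdapAuthTrace:
    t = LdapAuthTrace()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        logger, msg = rec["logger"], rec["msg"]
        if logger == "ProviderManager" and "Authentication attempt using" in msg:
            t.providers.append(msg.rsplit(".", 1)[-1])
        elif logger == "LdapAuthenticationProvider" and "request for user:" in msg:
            t.user = msg.split("user:", 1)[1].strip()
        elif logger == "AbstractContextSource" and "Trying provider Urls:" in msg:
            t.provider_url = msg.split("Urls:", 1)[1].strip()
        elif logger == "FilterBasedLdapUserSearch" and "searchFilter:" in msg:
            m = re.search(r"searchFilter: '([^']*)'", msg)
            t.search_filter = m.group(1) if m else None
        elif logger == "SpringSecurityLdapTemplate" and msg.startswith("Found DN:"):
            t.found_dn = msg.split("Found DN:", 1)[1].strip()
        elif "Exception" in msg:
            m = re.search(r"([\w.]+Exception)", msg)
            if m:
                t.failure = m.group(1).rsplit(".", 1)[-1]
            if "SSLHandshakeException" in msg or "PKIX" in msg:
                t.tls_error = True
    return t


def summary(t: LdapAuthTrace) -> str:
    return (f"user={t.user} providers={'>'.join(t.providers)} url={t.provider_url} "
            f"objectClass={t.filter_object_class} dn={t.found_dn} "
            f"failure={t.failure} stage={t.failed_stage}")


# Subset of the log lines quoted in the question above.
SAMPLE_LOG = """\
28 Apr 2017 20:51:57,636 DEBUG [ambari-client-thread-35] ProviderManager:152 - Authentication attempt using org.apache.ambari.server.security.authorization.AmbariLocalUserProvider
28 Apr 2017 20:51:57,641 DEBUG [ambari-client-thread-35] ProviderManager:152 - Authentication attempt using org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider
28 Apr 2017 20:51:57,641 DEBUG [ambari-client-thread-35] ProviderManager:152 - Authentication attempt using org.apache.ambari.server.security.authorization.AmbariLdapAuthenticationProvider
28 Apr 2017 20:51:57,642 DEBUG [ambari-client-thread-35] AbstractContextSource:462 - Trying provider Urls: ldaps://my.server.com:3269/DC=my,DC=server,DC=com
28 Apr 2017 20:51:57,643 DEBUG [ambari-client-thread-35] LdapAuthenticationProvider:67 - Processing authentication request for user: makaur10
28 Apr 2017 20:51:57,643 DEBUG [ambari-client-thread-35] FilterBasedLdapUserSearch:115 - Searching for user 'makaur10', with user search [ searchFilter: '(&(sAMAccountName={0})(objectClass=person))', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
28 Apr 2017 20:51:57,720 DEBUG [ambari-client-thread-35] SpringSecurityLdapTemplate:350 - Found DN: CN=makaur10,OU=Technology,OU=Users,OU=Corp
28 Apr 2017 20:51:57,843 DEBUG [ambari-client-thread-35] DefaultAuthenticationEventPublisher:94 - No event was found for the exception org.apache.ambari.server.security.authorization.InvalidUsernamePasswordCombinationException
28 Apr 2017 20:51:57,843 DEBUG [ambari-client-thread-35] AmbariBasicAuthenticationFilter:185 - Authentication request for failed: org.apache.ambari.server.security.authorization.InvalidUsernamePasswordCombinationException: Unable to sign in. Invalid username/password combination.
"""


def demo() -> LdapAuthTrace:
    return triage_ldap_login(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    print(summary(demo()))
```

On the quoted log the result is stage "post-search": the manager bind and the user search succeeded and returned a DN, so those settings are not the blocking step; whatever failed happened afterwards. Run it over a full ambari-server.log by piping the file into `triage_ldap_login(open(path))`.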
Created 03-21-2018 07:15 PM
@Manmeet Kaur Did you find the solution? I'm facing the same issue with this user also working for Ranger login.
Created 03-21-2018 08:30 PM
Because you are using LDAPS (SSL) you will need to import the certificate.
Setup LDAPS
Currently Ambari can use only 1 custom truststore at a time, therefore it is needed to merge the certificates into 1 truststore. Get the LDAPS certificate; if you do not have the certificate locally, e.g. for self-signed, you can download it:
$ openssl s_client -connect myurl.com:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ldapserver.pem
Create a JKS keystore from the https.keystore.p12 keystore: (in the end, HTTPS/LDAPS will use https.keystore.jks)
$ keytool -importkeystore -srckeystore https.keystore.p12 -srcstoretype pkcs12 -destkeystore https.keystore.jks -deststoretype jks -deststorepass changeit
Convert LDAPS certificate to DER format and Import LDAPS certificate to the truststore:
$ openssl x509 -outform der -in ldapserver.pem -out ldapserver.der
$ keytool -import -alias ldap -keystore https.keystore.jks -file ldapserver.der
Run 'ambari-server setup-ldap' command, e.g.:
Setting up LDAP properties...
Primary URL* {host:port} : my.domain.com:636
Secondary URL :
Use SSL* [true/false] (true):
User object class* (person):
User name attribute* (uid):
Group object class* (posixGroup):
Group name attribute* (cn):
Group member attribute* (memberUid):
Base DN* : dc=apache,dc=org
Bind anonymously* [true/false] (false):
Manager DN* : uid=hdfs,ou=people,ou=dev,dc=apache,dc=org
Enter Manager Password* : xxxxx
Re-enter password: xxxxx
Do you want to provide custom TrustStore for Ambari [y/n] (n)? y
TrustStore type [jks/jceks/pkcs12] (jks):
Path to TrustStore file :/var/lib/ambari-server/keys/https.keystore.jks
Password for TrustStore:
Re-enter password:
Save settings [y/n] (y)? y
Add these properties to ambari.properties file:
client.api.ssl.keystore_name=https.keystore.jks
client.api.ssl.keystore_type=jks
client.api.ssl.truststore_name=https.keystore.jks
client.api.ssl.truststore_type=jks
(Optional) Instead of the steps above, the JDK default keystore can be used as the truststore (same for the HTTPS certificate):
$ openssl x509 -in ldapserver.pem -out ldapserver.crt
$ /usr/jdk64/jdk1.7.0_45/bin/keytool -import -trustcacerts -file ldapserver.crt -keystore /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts
Finally, run:
$ ambari-server restart
Hope that helps
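The answer's procedure ends with editing ambari.properties by hand and restarting. As an added example, not part of the answer and not Ambari code, here is a small Python script that applies those four client.api.ssl.* properties idempotently and then checks that the truststore settings setup-ldap wrote (ssl.trustStore.type, ssl.trustStore.path, ssl.trustStore.password, shown in the question) and the client.api.ssl.* settings agree with each other and name an actual keystore file. The check assumes, as the answer does, that one JKS file serves as truststore for both LDAPS and the client API; the sample properties text is constructed, and the path /var/lib/ambari-server/keys/https.keystore.jks is the one used in the answer.

```python
"""Added example: apply the answer's ambari.properties changes and sanity-check truststore settings."""
import os
from typing import Callable, Dict, List

# The four properties the answer above says to add to ambari.properties.
REQUIRED_SSL_PROPS = {
    "client.api.ssl.keystore_name": "https.keystore.jks",
    "client.api.ssl.keystore_type": "jks",
    "client.api.ssl.truststore_name": "https.keystore.jks",
    "client.api.ssl.truststore_type": "jks",
}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines; '#' and '!' comments; no continuations."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s[0] in "#!":
            continue
        key, _, value = s.partition("=")
        props[key.strip()] = value.strip()
    return props


def merge_properties(text: str, updates: Dict[str, str]) -> str:
    """Return `text` with every key in `updates` defined exactly once: existing definitions are
    rewritten in place (duplicates dropped), missing keys are appended, everything else is kept."""
    out: List[str] = []
    seen = set()
    for line in text.splitlines():
        s = line.strip()
        key = s.partition("=")[0].strip() if s and s[0] not in "#!" else None
        if key in updates:
            if key not in seen:
                out.append(f"{key}={updates[key]}")
                seen.add(key)
            continue
        out.append(line)
    for key, value in updates.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def check_truststore_config(props: Dict[str, str],
                            isfile: Callable[[str], bool] = os.path.isfile) -> List[str]:
    """Findings to clear before `ambari-server restart`. Assumes one JKS file is used for both
    ssl.trustStore.* (written by setup-ldap) and client.api.ssl.* (added per the answer)."""
    findings: List[str] = []
    ts_type = props.get("ssl.trustStore.type")
    ts_path = props.get("ssl.trustStore.path")
    if ts_type not in ("jks", "jceks", "pkcs12"):
        findings.append(f"ssl.trustStore.type={ts_type!r}: expected jks, jceks or pkcs12")
    if not ts_path:
        findings.append("ssl.trustStore.path is not set")
    elif ts_path.endswith("/") or not isfile(ts_path):
        findings.append(f"ssl.trustStore.path={ts_path!r} is not an existing file "
                        "(a certificate directory is not a truststore)")
    if not props.get("ssl.trustStore.password"):
        findings.append("ssl.trustStore.password is empty")
    client_name = props.get("client.api.ssl.truststore_name")
    client_type = props.get("client.api.ssl.truststore_type")
    if not client_name:
        findings.append("client.api.ssl.truststore_name is not set")
    elif ts_path and os.path.basename(ts_path) != client_name:
        findings.append(f"client.api.ssl.truststore_name={client_name!r} is not the file "
                        f"named by ssl.trustStore.path ({os.path.basename(ts_path)!r})")
    if client_type and ts_type and client_type != ts_type:
        findings.append(f"client.api.ssl.truststore_type={client_type!r} differs from "
                        f"ssl.trustStore.type={ts_type!r}")
    return findings


# Constructed sample (not a real ambari.properties). Its ssl.trustStore.path ends in a slash,
# like the value shown in the question, so it cannot be a keystore file.
SAMPLE_BEFORE = """\
# constructed sample of /etc/ambari-server/conf/ambari.properties
server.jdbc.database=postgres
ssl.trustStore.type = jks
ssl.trustStore.path = /path/to/certs/
ssl.trustStore.password = xxxxxxx
client.api.ssl.truststore_type=pkcs12
"""

FIXED_PATH = "/var/lib/ambari-server/keys/https.keystore.jks"  # path used in the answer


def demo_findings_before() -> List[str]:
    return check_truststore_config(parse_properties(SAMPLE_BEFORE), isfile=lambda p: False)


def demo_after() -> str:
    return merge_properties(SAMPLE_BEFORE, {**REQUIRED_SSL_PROPS, "ssl.trustStore.path": FIXED_PATH})


def demo_findings_after() -> List[str]:
    # isfile is stubbed so the example runs offline; on a server keep the default os.path.isfile.
    return check_truststore_config(parse_properties(demo_after()), isfile=lambda p: p == FIXED_PATH)


if __name__ == "__main__":
    print("\n".join(demo_findings_before()) or "no findings")
    print(demo_after())
    print(demo_findings_after() or "no findings after fix")
```

On a real server, read /etc/ambari-server/conf/ambari.properties, pass it through `merge_properties` with the path you gave setup-ldap, write it back, and only restart once `check_truststore_config` returns no findings; a finding about the path being a directory, or about the two truststore types disagreeing, is the kind of mismatch that leaves sync-ldap working (it uses the manager bind) while interactive login still fails.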