Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Ambari LDAP Sync worked but login does not

Ambari LDAP Sync worked but login does not

New Contributor

We are using Ambari 2.5.0.3. Our LDAP Setup configs are as below:

Primary URL* {host:port} (host:3269): my.domain.com:3269

Secondary URL {host:port} :

Use SSL* [true/false] (true): true

User object class* (user): user

User name attribute* (sAMAccountName): sAMAccountName

Group object class* (group): group

Group name attribute* (memberof, ismemberof): memberof, ismemberof

Group member attribute* (member): member

Distinguished name attribute* (distinguishedName):distinguishedName

Base DN* : DC=my,DC=server,DC=com

Referral method [follow/ignore] (follow): follow

Bind anonymously* [true/false] (false): false

Handling behavior for username collisions [convert/skip] for LDAP sync* (skip): skip

Manager DN*: CN=bind_user,OU=Users,DC=my,DC=server,DC=com

Enter Manager Password* :

Re-enter password:

Do you want to provide custom TrustStore for Ambari [y/n] (y)?n

The TrustStore is already configured:

ssl.trustStore.type = jks

ssl.trustStore.path = /path/to/certs/

ssl.trustStore.password = xxxxxxx

After this when I restart the ambari-server and sync-ldap, I get all the users. But when I try to login, I get "Invalid Username/Password error". I turned on the debug logging, and I see the below messages, which says Found DN with my user name and then says invalid user. Ranger is working fine with the same user from ldap:

28 Apr 2017 20:51:57,635 DEBUG [ambari-client-thread-35] FilterChainProxy:337 - /api/v1/users/makaur10?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name&_=1493430718712 at position 1 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
28 Apr 2017 20:51:57,635 DEBUG [ambari-client-thread-35] HttpSessionSecurityContextRepository:127 - No HttpSession currently exists
28 Apr 2017 20:51:57,635 DEBUG [ambari-client-thread-35] HttpSessionSecurityContextRepository:85 - No SecurityContext was available from the HttpSession: null. A new one will be created.
28 Apr 2017 20:51:57,635 DEBUG [ambari-client-thread-35] FilterChainProxy:337 - /api/v1/users/makaur10?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name&_=1493430718712 at position 2 of 10 in additional filter chain; firing Filter: 'AmbariUserAuthorizationFilter'
28 Apr 2017 20:51:57,635 DEBUG [ambari-client-thread-35] FilterChainProxy:337 - /api/v1/users/makaur10?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name&_=1493430718712 at position 3 of 10 in additional filter chain; firing Filter: 'AmbariDelegatingAuthenticationFilter'
28 Apr 2017 20:51:57,635 DEBUG [ambari-client-thread-35] AmbariDelegatingAuthenticationFilter:117 - Using authentication filter org.apache.ambari.server.security.authentication.AmbariBasicAuthenticationFilter since it applies
28 Apr 2017 20:51:57,635 DEBUG [ambari-client-thread-35] AmbariBasicAuthenticationFilter:161 - Basic Authentication Authorization header found for user 'makaur10'
28 Apr 2017 20:51:57,636 DEBUG [ambari-client-thread-35] ProviderManager:152 - Authentication attempt using org.apache.ambari.server.security.authorization.AmbariLocalUserProvider
28 Apr 2017 20:51:57,641 DEBUG [ambari-client-thread-35] ProviderManager:152 - Authentication attempt using org.apache.ambari.server.security.authorization.AmbariPamAuthenticationProvider
28 Apr 2017 20:51:57,641 DEBUG [ambari-client-thread-35] ProviderManager:152 - Authentication attempt using org.apache.ambari.server.security.authorization.AmbariLdapAuthenticationProvider
28 Apr 2017 20:51:57,642 DEBUG [ambari-client-thread-35] Configuration:3878 - Reading password from file /etc/ambari-server/conf/ldap-password.dat
28 Apr 2017 20:51:57,642 DEBUG [ambari-client-thread-35] AbstractContextSource:418 - AuthenticationSource not set - using default implementation
28 Apr 2017 20:51:57,642 DEBUG [ambari-client-thread-35] AbstractContextSource:441 - Not using LDAP pooling
28 Apr 2017 20:51:57,642 DEBUG [ambari-client-thread-35] AbstractContextSource:462 - Trying provider Urls: ldaps://my.server.com:3269/DC=my,DC=server,DC=com
28 Apr 2017 20:51:57,642  INFO [ambari-client-thread-35] FilterBasedLdapUserSearch:95 - SearchBase not set. Searches will be performed from the root: dc=my,dc=server,dc=com
28 Apr 2017 20:51:57,643 DEBUG [ambari-client-thread-35] LdapAuthenticationProvider:67 - Processing authentication request for user: makaur10
28 Apr 2017 20:51:57,643 DEBUG [ambari-client-thread-35] FilterBasedLdapUserSearch:115 - Searching for user 'makaur10', with user search [ searchFilter: '(&(sAMAccountName={0})(objectClass=person))', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
28 Apr 2017 20:51:57,717 DEBUG [ambari-client-thread-35] AbstractContextSource:349 - Got Ldap context on server 'ldaps://my.server.com:3269/DC=my,DC=server,DC=com'
28 Apr 2017 20:51:57,719 DEBUG [ambari-client-thread-35] SpringSecurityLdapTemplate:337 - Searching for entry under DN 'dc=my,dc=server,dc=com', base = '', filter = '(&(sAMAccountName={0})(objectClass=person))'
28 Apr 2017 20:51:57,720 DEBUG [ambari-client-thread-35] SpringSecurityLdapTemplate:350 - Found DN: CN=makaur10,OU=Technology,OU=Users,OU=Corp
28 Apr 2017 20:51:57,780 DEBUG [ambari-client-thread-35] AbstractContextSource:349 - Got Ldap context on server 'ldaps://my.server.com:3269/DC=my,DC=server,DC=com'
28 Apr 2017 20:51:57,781 DEBUG [ambari-client-thread-35] Configuration:3878 - Reading password from file /etc/ambari-server/conf/ldap-password.dat
28 Apr 2017 20:51:57,842 DEBUG [ambari-client-thread-35] AbstractContextSource:349 - Got Ldap context on server 'ldaps://my.server.com:3269/DC=my,DC=server,DC=com'
28 Apr 2017 20:51:57,843 DEBUG [ambari-client-thread-35] DefaultAuthenticationEventPublisher:94 - No event was found for the exception org.apache.ambari.server.security.authorization.InvalidUsernamePasswordCombinationException
28 Apr 2017 20:51:57,843 DEBUG [ambari-client-thread-35] AmbariBasicAuthenticationFilter:185 - Authentication request for failed: org.apache.ambari.server.security.authorization.InvalidUsernamePasswordCombinationException: Unable to sign in. Invalid username/password combination.
28 Apr 2017 20:51:57,843 DEBUG [ambari-client-thread-35] HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
28 Apr 2017 20:51:57,844 DEBUG [ambari-client-thread-35] SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
2 REPLIES 2

Re: Ambari LDAP Sync worked but login does not

Contributor

@Manmeet Kaur Did you find the solution? I'm facing the same issue with this user also working for Ranger login.

Highlighted

Re: Ambari LDAP Sync worked but login does not

Mentor

@Manmeet Kaur

Because you are using LDAPS (SSL) you will need to import the certificate.

Setup LDAPS

Currently Ambari can use only 1 custom truststore at a time, therefore it is needed to merge the certificates into 1 truststore. Get the LDAPS certificate, if you do not have the certificate locally e.g. for self signed, you can download it:

$ openssl s_client -connect myurl.com:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ldapserver.pem 

Create a JKS keystore from the https.keystore.p12 keystore: (in the end, HTTPS/LDAPS will use https.keystore.jks)

$ keytool -importkeystore -srckeystore https.keystore.p12 -srcstoretype pkcs12 -destkeystore https.keystore.jks -deststoretype jks -deststorepass changeit 

Convert LDAPS certificate to DER format and Import LDAPS certificate to the truststore:

$ openssl x509 -outform der -in ldapserver.pem -out ldapserver.der
$ keytool -import -alias ldap -keystore https.keystore.jks -file ldapserver.der 

Run 'ambari-server setup-ldap' command, e.g.:

Setting up LDAP properties...
Primary URL* {host:port} : my.domain.com:636
Secondary URL :
Use SSL* [true/false] (true):
User object class* (person):
User name attribute* (uid):
Group object class* (posixGroup):
Group name attribute* (cn):
Group member attribute* (memberUid):
Base DN* : dc=apache,dc=org
Bind anonymously* [true/false] (false):   
Manager DN* : uid=hdfs,ou=people,ou=dev,dc=apache,dc=org
Enter Manager Password* : xxxxx
Re-enter password: xxxxx
Do you want to provide custom TrustStore for Ambari [y/n] (n)? y
TrustStore type [jks/jceks/pkcs12] (jks):
Path to TrustStore file :/var/lib/ambari-server/keys/https.keystore.jks
Password for TrustStore:
Re-enter password:
Save settings [y/n] (y)? y 

Add these properties to ambari.properties file:

client.api.ssl.keystore_name=https.keystore.jks
client.api.ssl.keystore_type=jks
client.api.ssl.truststore_name=https.keystore.jks
client.api.ssl.truststore_type=jks 

(Optional) instead of the steps above, JDK default keystore can be used here as a truststore: (same for https certificate)

$ openssl x509 -in ldapserver.pem -out ldapserver.crt /usr/jdk64/jdk1.7.0_45/bin/keytool -import -trustcacerts -file ldapserver.crt -keystore /usr/jdk64/jdk1.7.0_45/jre/lib/security/cacerts 

Finally, run:

$ ambari-server restart

Hope that helps