
Cannot log in with LDAP/AD user in Ranger UI


Hi all,

I would appreciate feedback on this.

User LDAP searchfilter is set to (uid={0})

HDP version is 2.5.3 and Ambari: 2.4.2

When logging in to the Ranger UI with an LDAP user, we get the following error:

2017-06-21 17:50:23,823 [http-bio-6080-exec-2] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:189) - Request is to process authentication
2017-06-21 17:50:23,889 [http-bio-6080-exec-2] DEBUG org.apache.ranger.security.handler.RangerAuthenticationProvider (RangerAuthenticationProvider.java:260) - LDAP Authentication Failed:
org.springframework.ldap.InvalidSearchFilterException: Empty filter; nested exception is javax.naming.directory.InvalidSearchFilterException: Empty filter; remaining name ''
    at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:135)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:319)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:524)
    at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:173)
    at org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:215)
    at org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGrantedAuthorities(DefaultLdapAuthoritiesPopulator.java:185)
    at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.loadUserAuthorities(LdapAuthenticationProvider.java:197)
    at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:63)
    at org.apache.ranger.security.handler.RangerAuthenticationProvider.getLdapAuthentication(RangerAuthenticationProvider.java:252)
    at org.apache.ranger.security.handler.RangerAuthenticationProvider.authenticate(RangerAuthenticationProvider.java:102)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.naming.directory.InvalidSearchFilterException: Empty filter; remaining name ''
    at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:57)
    at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546)
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
    at org.springframework.ldap.core.LdapTemplate$4.executeSearch(LdapTemplate.java:253)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:293)
    ... 39 more

Regards,

Dino


Re: Cannot log in with LDAP/AD user in Ranger UI

What kind of authentication method is used - LDAP or AD?

Based on that, please check the corresponding configs for user search filter, group search base, group search filter, base dn, user dn pattern.

Re: Cannot log in with LDAP/AD user in Ranger UI


Hi,

Authentication method is LDAP, group search filter is {{ranger_ug_ldap_group_searchfilter}} and gets inherited, but the problem is that Group sync is not enabled. So this value was probably empty. So we changed it to cn=* and now instead of

javax.naming.directory.InvalidSearchFilterException: Empty filter; remaining name ''

We get the following:

javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name ''

The logs are not that helpful.

Regards


Re: Cannot log in with LDAP/AD user in Ranger UI


Another update:

After changing ranger.ldap.group.searchfilter and ranger.ldap.group.searchbase from Ambari placeholders {{ranger_ug_ldap_group_searchfilter}} and {{ranger_ug_ldap_group_searchbase}} to actual values, the login started to work.

What I am puzzled about is why is there reference of this in the documentation. Basically if you do not enable LDAP Group Sync for Ranger in Ambari, you need to set these values manually in order for Ranger UI authentication to work against LDAP users.

Am I right?

Regards,

Dino
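
A pre-flight check for the failure discussed in this thread, as an added example that is not part of the original posts or of Ranger or Ambari: it reads a Hadoop-style configuration and reports LDAP login properties that are empty or still hold an Ambari {{...}} placeholder. The sample XML, the example DN and the rough DN-shape check are constructed for illustration; ranger.ldap.user.searchfilter is assumed to be the key behind the "User ldap searchfilter" setting in the first post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in Hadoop-style <configuration> XML (not from the poster's cluster).
SAMPLE_SITE_XML = """<configuration>
  <property><name>ranger.ldap.user.searchfilter</name><value>(uid={0})</value></property>
  <property><name>ranger.ldap.group.searchfilter</name><value>{{ranger_ug_ldap_group_searchfilter}}</value></property>
  <property><name>ranger.ldap.group.searchbase</name><value></value></property>
</configuration>"""

PLACEHOLDER = re.compile(r"\{\{\s*[\w.]+\s*\}\}")   # unrendered Ambari template variable
DN_SHAPE = re.compile(r"\s*[\w-]+=[^,]+(\s*,\s*[\w-]+=[^,]+)*")  # rough attr=value,... shape
FILTER_PROPS = ("ranger.ldap.user.searchfilter", "ranger.ldap.group.searchfilter")
BASE_PROPS = ("ranger.ldap.group.searchbase",)

def load_properties(xml_text):
    """Return {name: value} from <property><name/><value/></property> entries."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def balanced(filter_text):
    """True when every '(' in an LDAP filter has a matching ')'."""
    depth = 0
    for ch in filter_text:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def check_ldap_auth(props):
    """List (property, problem) pairs that would break the LDAP group lookup at login."""
    findings = []
    for name in FILTER_PROPS + BASE_PROPS:
        value = props.get(name, "")
        if not value:
            findings.append((name, "empty or missing"))       # leads to "Empty filter"
        elif PLACEHOLDER.search(value):
            findings.append((name, "unresolved placeholder"))  # template never rendered
        elif name in FILTER_PROPS and not balanced(value):
            findings.append((name, "unbalanced parentheses"))
        elif name in BASE_PROPS and not DN_SHAPE.fullmatch(value):
            findings.append((name, "does not look like a DN"))
    return findings

if __name__ == "__main__":
    for name, problem in check_ldap_auth(load_properties(SAMPLE_SITE_XML)):
        print(f"{name}: {problem}")
```

A syntactically valid search base can still return LDAP error code 32 if the entry does not exist in the directory, so a clean result here only rules out the empty-filter case.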
