Created on 01-25-2017 03:33 PM - edited 09-16-2022 03:57 AM
I am trying to enable LDAP integration in Impala but it doesn't seem to be working. The cluster has Sentry and Kerberos enabled. I am playing off of a QuickStart VM. I run Impala via "impala-shell --ssl". I expect to see Impala prompt me for a user name or password, but instead I get errors. These are the errors I am seeing:
CONSOLE:
[cloudera@quickstart impalad]$ impala-shell --ssl
Starting Impala Shell without Kerberos authentication
SSL is enabled. Impala server certificates will NOT be verified (set --ca_cert to change)
Error connecting: TTransportException, Could not connect to quickstart.cloudera:21000
Kerberos ticket found in the credentials cache, retrying the connection with a secure transport.
Error connecting: TTransportException, Could not connect to quickstart.cloudera:21000
IMPALA LOGS:
I0125 15:27:00.196347 1696 authentication.cc:422] Successfully authenticated principal "impala/quickstart.cloudera@CLOUDERA" on an internal connection
I0125 15:27:00.334786 7069 simple-scheduler.cc:332] Registering local backend with statestore
I0125 15:27:20.983526 1785 thrift-util.cc:109] TThreadPoolServer: TServerTransport died on accept: invalid sasl status
I0125 15:27:20.987000 1785 thrift-util.cc:109] TThreadPoolServer: TServerTransport died on accept: invalid sasl status
SETTINGS I have set in CM:
Impala Daemon Command Line Argument Advanced Configuration Snippet:
--enable_ldap_auth
--ldap_uri=ldaps://ldap.abc.XXX.com:636
--ldap_bind_pattern="uid=#UID,ou=people,dc=XXX,dc=com"
--ldap_ca_certificate="/home/cloudera/ca_root_cert.ca"
I couldn't make too much sense of all the configurations. I feel as if I am simply missing a configuration parameter. Any help would be much appreciated!
Created 01-25-2017 03:36 PM
You have to give the shell the -l option to tell it to try and use LDAP. Impala and the shell do not try to negotiate the authentication mechanism, instead the shell needs to be explicitly told what to try and use.
You may also need the -u option to provide the username to authenticate with.
Created 01-26-2017 11:48 AM
I changed my impala-shell command to: impala-shell -l -u "kevin.means" --auth_creds_ok_in_clear. It now prompts me for a password, but it doesn't seem to be authenticating correctly.
Inside the Impala logs I read this:
W0125 17:03:07.835916 1785 authentication.cc:252] LDAP authentication failure for "uid=kevin.means,ou=people,dc=xxx,dc=com" : Invalid DN syntax
Although the bind pattern I specified appears to be correct. Would an incorrect Impalad bind pattern cause this?
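The #UID expansion and the "Invalid DN syntax" error above, as an added example that is not code from this thread or from Impala itself: it expands a --ldap_bind_pattern for a user name the way the flag is described and checks the result against a small subset of RFC 4514 DN syntax, so a stray character (a literal quote wrapped around the pattern, an unescaped comma in the user name, a trailing space) can be caught offline before restarting impalad. Hex-encoded "#..." attribute values are treated as invalid by this simplified checker.

```python
"""Expand an Impala --ldap_bind_pattern for a user name and check that the
result is a syntactically valid DN (RFC 4514) before restarting impalad.
Added example, not from the thread; the DN check is a small subset of RFC 4514."""
import re

_SPECIAL = ',+"\\<>;'                      # must be backslash-escaped in a value
_ATTR_TYPE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)$')

def escape_rdn_value(value):
    """Escape a user-supplied string so it can be embedded in a DN."""
    out = ''.join('\\' + ch if ch in _SPECIAL else ch for ch in value)
    if out.startswith(('#', ' ')):           # leading '#' / space must be escaped
        out = '\\' + out
    if out.endswith(' ') and not out.endswith('\\ '):
        out = out[:-1] + '\\ '               # trailing space must be escaped
    return out

def expand_bind_pattern(pattern, uid):
    """Substitute the escaped user name for the #UID placeholder."""
    return pattern.replace('#UID', escape_rdn_value(uid))

def _split_unescaped(text, sep):
    """Split on `sep` only where it is not preceded by a backslash."""
    parts, cur, i = [], '', 0
    while i < len(text):
        if text[i] == '\\' and i + 1 < len(text):   # keep escaped pair intact
            cur, i = cur + text[i:i + 2], i + 2
        elif text[i] == sep:
            parts, cur, i = parts + [cur], '', i + 1
        else:
            cur, i = cur + text[i], i + 1
    return parts + [cur]

def is_valid_dn(dn):
    """True if every RDN is `type=value` with no unescaped special characters
    (hex-encoded '#...' values are not supported and are rejected)."""
    for rdn in _split_unescaped(dn, ','):
        for ava in _split_unescaped(rdn, '+'):
            if '=' not in ava:
                return False                 # empty RDN or missing '='
            attr, value = ava.split('=', 1)
            body = re.sub(r'\\.', '', value)  # drop escaped pairs before checking
            if not _ATTR_TYPE.match(attr) or any(c in _SPECIAL for c in body):
                return False
            if value.startswith((' ', '#')) or (value.endswith(' ') and not value.endswith('\\ ')):
                return False
    return True
```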