
ERROR: Failed to perfom ldap bind. Please verify values for ranger.usersync.ldap.binddn and ranger.usersync.ldap.ldapbindpassword

Contributor

Unix ldapsearch works fine, but the ranger ldaptool is failing.

The ldapsearch below works fine:

ldapsearch -h free-ipa-dev-01.uat.txdc.datastax.com -x -b "dc=txdc,dc=datastax,dc=com" -W hadoopadmin

but the ranger ldaptool is failing:

[root@dev-rng-001 ~]# cd /usr/hdp/current/ranger-usersync/ldaptool

[root@dev-rng-001 ldaptool]# ./run.sh -d users

Ldap url [ldap://ldap.example.com:389]: ldaps://free-ipa-dev-01.uat.txdc.datastax.com:636

Bind DN [cn=admin,ou=users,dc=example,dc=com]: hadoopadmin

Bind Password:

User Search Base [ou=users,dc=example,dc=com]: dc=txdc,dc=datastax,dc=com

User Search Filter [cn=user1]: cn=*

Reading ldap properties from input.properties

ERROR: Failed to perfom ldap bind. Please verify values for ranger.usersync.ldap.binddn and ranger.usersync.ldap.ldapbindpassword

javax.naming.CommunicationException: simple bind failed: free-ipa-dev-01.uat.txdc.datastax.com:636 [Root exception is javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Can you please help

Regards

JJ


Super Collaborator

Hi @Jacqualin jasmin,

This is due to the SSL trust between the LDAP server and the Ranger host.

For this, can you please import the LDAP certificate:

echo | openssl s_client -connect free-ipa-dev-01.uat.txdc.datastax.com:636 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/ldaps.pem

Once the file is extracted (/tmp/ldaps.pem), import it into the trust store of the user sync process.

keytool -import -alias "ldapserver" -file /tmp/ldaps.pem -keystore {value for your ranger.usersync.truststore.file (jks)} -storepass <changeit or other password you specified>

Then redo the test. That should fix the problem if it is the issue with SSL.

Alternatively, for testing "purposes" you can use the non-SSL port on the IPA server, i.e. "ldap://free-ipa-dev-01.uat.txdc.datastax.com:386"

Hope this helps!!

Contributor

Hi Raju,

I tried both of your options. Still it did not work. I am having the problem only with the ranger ldaptool.

Unix level ldapsearch utility works fine.

Regards

JJ

Expert Contributor

@Jacqualin jasmin

A couple of things I noticed from the description:

1. ldaptool currently doesn't support ldaps

2. binddn used by ldaptool should be the distinguished name (generally the whole dn like cn=admin,ou=users,dc=example,dc=com)

3. In the ldapsearch that you posted, I don't see the "-D" (binddn) option, in which case you are using an anonymous bind. If this is not what you want to use, can you try the following ldapsearch command:

>> ldapsearch -h free-ipa-dev-01.uat.txdc.datastax.com -x -D "<full dn of bind user>" -b "dc=txdc,dc=datastax,dc=com" -W

Enter the password of the binddn user when prompted.

4. ldaptool doesn't support anonymous bind

Hope this helps.

Thanks

Sailaja.
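The two replies above point at three separate causes of the same "Failed to perfom ldap bind" message: a server certificate the usersync trust store does not know (Raju's reply), and an ldaps:// URL, a bare login name instead of a full bind DN, or an anonymous bind, none of which ldaptool supports (Sailaja's reply). The following pre-flight check is an added example, not part of Ranger or of either reply; it validates the ldaptool inputs against those rules before a bind is attempted and classifies the Java exception text when one comes back. The DN syntax it accepts (comma-separated attr=value components with backslash escapes) is an assumption that covers the DNs shown in this thread, not a full RFC 4514 parser.

```python
"""Pre-flight checks for the Ranger usersync ldaptool inputs (added example)."""
import re
from urllib.parse import urlsplit

# One RDN: attribute type, '=', value; backslash escapes inside the value are allowed.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*=(?:[^,\\]|\\.)+$")


def is_distinguished_name(value: str) -> bool:
    """True when the string is a chain of attr=value RDNs separated by unescaped
    commas, e.g. 'cn=admin,ou=users,dc=example,dc=com'.  A bare login such as
    'hadoopadmin' (what the question typed at the Bind DN prompt) is rejected."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", value.strip())]
    return all(_RDN.match(p) for p in parts)


def classify_bind_error(message: str) -> str:
    """Map a javax.naming bind-failure message to the most likely root cause."""
    if "PKIX path building failed" in message or "unable to find valid certification path" in message:
        return "tls-trust"  # server CA is missing from ranger.usersync.truststore.file
    if "SSLHandshakeException" in message or "SSLException" in message:
        return "tls-other"  # handshake failed for another reason (protocol, cipher, hostname)
    return "unknown"


def preflight(ldap_url: str, bind_dn: str, bind_password: str) -> list[str]:
    """Return the problems ldaptool would hit with these inputs (empty list = OK)."""
    problems = []
    url = urlsplit(ldap_url)
    if url.scheme != "ldap":
        problems.append(f"scheme '{url.scheme}' unsupported: ldaptool only accepts ldap:// URLs")
    if not url.hostname:
        problems.append("URL has no host")
    if not is_distinguished_name(bind_dn):
        problems.append(f"bind DN '{bind_dn}' is not a full DN (expected attr=value,...,dc=...)")
    if not bind_password:
        problems.append("empty bind password: ldaptool does not support anonymous bind")
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the ldaptool session in the question.
    for p in preflight("ldaps://free-ipa-dev-01.uat.txdc.datastax.com:636", "hadoopadmin", "secret"):
        print("problem:", p)
```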