Created 10-31-2017 03:55 AM
Unix ldapsearch works fine, but Ranger ldaptool is failing
The ldapsearch below works fine:
ldapsearch -h free-ipa-dev-01.uat.txdc.datastax.com -x -b "dc=txdc,dc=datastax,dc=com" -W hadoopadmin
but the Ranger ldaptool is failing:
[root@dev-rng-001 ~]# cd /usr/hdp/current/ranger-usersync/ldaptool
[root@dev-rng-001 ldaptool]# ./run.sh -d users
Ldap url [ldap://ldap.example.com:389]: ldaps://free-ipa-dev-01.uat.txdc.datastax.com:636
Bind DN [cn=admin,ou=users,dc=example,dc=com]: hadoopadmin
Bind Password:
User Search Base [ou=users,dc=example,dc=com]: dc=txdc,dc=datastax,dc=com
User Search Filter [cn=user1]: cn=*
Reading ldap properties from input.properties
ERROR: Failed to perfom ldap bind. Please verify values for ranger.usersync.ldap.binddn and ranger.usersync.ldap.ldapbindpassword
javax.naming.CommunicationException: simple bind failed: free-ipa-dev-01.uat.txdc.datastax.com:636 [Root exception is javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
Can you please help?
Regards
JJ
Created 10-31-2017 06:49 AM
This is due to the SSL trust between the LDAP server and the Ranger host.
For this, can you please import the LDAP certificate:
echo | openssl s_client -connect free-ipa-dev-01.uat.txdc.datastax.com:636 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/ldaps.pem
Once the file is extracted (/tmp/ldaps.pem), import it into the trust store of the user sync process.
keytool -import -alias "ldapserver" -file /tmp/ldaps.pem -keystore {value for your ranger.usersync.truststore.file (jks)} -storepass <changeit or other password you specified>
Then redo the test. That should fix the problem if it's an issue with SSL.
Alternatively, for testing "purposes" you can use the non-SSL port on the IPA server, i.e. "ldap://free-ipa-dev-01.uat.txdc.datastax.com:386"
Hope this helps!!
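As an added example (not part of this thread or of Ranger itself): the s_client/sed pipeline above captures every certificate the server sends into one file, while a keytool trusted-certificate import takes only the first block in that file, which is normally the server's leaf rather than the IPA CA. The helpers below split the captured chain into one file per certificate so the CA block can be chosen for import; all paths and aliases are assumptions.

```shell
#!/bin/sh
# split_pem_chain <chain.pem> <outdir>
# Writes <outdir>/cert-1.pem, cert-2.pem, ... in the order the server sent
# them and prints the number of certificates found (0 if the file has none).
split_pem_chain() {
    chain="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-BEGIN CERTIFICATE-/ { n++; out = dir "/cert-" n ".pem" }
        n > 0                 { print > out }
        /-END CERTIFICATE-/   { close(out) }
        END                   { print n + 0 }
    ' "$chain"
}

# describe_certs <outdir>
# Prints subject, issuer and expiry of each split certificate so the CA
# (subject equals issuer) can be told apart from the leaf. Needs openssl.
describe_certs() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 0; }
    for f in "$1"/cert-*.pem; do
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -enddate
    done
}

# import_trusted <cert.pem> <truststore.jks> <storepass> <alias>
# One trusted-certificate entry per invocation; pass the CA block here.
# Truststore path and password are whatever ranger.usersync.truststore.file
# and its password are set to in your usersync config (assumed, not known).
import_trusted() {
    keytool -importcert -noprompt -alias "$4" -file "$1" \
        -keystore "$2" -storepass "$3"
}
```

Typical use: `split_pem_chain /tmp/ldaps.pem /tmp/chain`, then `describe_certs /tmp/chain`, then import the self-signed (CA) block with `import_trusted`.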
Created 10-31-2017 03:09 PM
Hi Raju,
I tried both of your options. Still it did not work. Having the problem only with the Ranger ldaptool.
Unix level ldapsearch utility works fine.
Regards
JJ
Created 10-31-2017 05:52 PM
A couple of things I noticed from the description:
1. ldaptool currently doesn't support ldaps
2. The binddn used by ldaptool should be the distinguished name (generally the whole DN, like cn=admin,ou=users,dc=example,dc=com)
3. In the ldapsearch that you posted, I don't see the "-D" (binddn) option, in which case you are using anonymous bind. If this is not what you want to use, can you try the following ldapsearch command:
>> ldapsearch -h free-ipa-dev-01.uat.txdc.datastax.com -x -D "<full dn of bind user>" -b "dc=txdc,dc=datastax,dc=com" -W
Enter the password of the binddn user when prompted.
4. ldaptool doesn't support anonymous bind
Hope this helps.
Thanks
Sailaja.