Error while configuring AD usersync on HDP 2.4.3
Labels: Apache Ranger
Created ‎08-25-2017 08:10 AM
I keep encountering errors with usersync config on HDP 2.4.3. I am trying to sync users with AD and be able to log into Ranger Admin with the AD details.
25 Aug 2017 09:41:59 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details:
com.sun.jersey.api.client.UniformInterfaceException: GET http://domain:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized
    at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686)
    at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
    at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)
    at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildGroupList(PolicyMgrUserGroupBuilder.java:358)
    at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildUserGroupInfo(PolicyMgrUserGroupBuilder.java:156)
    at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.init(PolicyMgrUserGroupBuilder.java:152)
    at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:51)
    at java.lang.Thread.run(Thread.java:745)
Created ‎10-12-2017 06:59 AM
With HDP 2.6.0, I was able to configure Ranger with AD. Only needed to create the amb_ranger_admin user that was missing in Ranger UI.
Created ‎08-25-2017 08:39 AM
You have a configuration issue: your search filter is not correct, hence throwing
[LDAP: error code 4 - Sizelimit Exceeded]; remaining name 'dc=domain,dc=config,dc=com']
Can you align your setup with this official document attached?
Can you paste here your AD configurations and maybe the steps you went through?
Created ‎08-31-2017 07:23 AM
@Geoffrey Shelton Okot Thank you. I have aligned my setup with the attached document but I still get the errors below from usersync.log and xa_portal.log. I'm thinking the change I made to the usersync user could be an issue but I made sure the rangerusersync user in Ranger Admin has the same password as the one I configured using the updatepasswordpolicy.py script. Not sure what else is the issue. Running a curl command on "GET http://domain.config.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0" and it worked. Also tested my AD Bind user elsewhere and it works fine.
31 Aug 2017 07:22:17 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details:
com.sun.jersey.api.client.UniformInterfaceException: GET http://domain.config.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized
    at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686)
    at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
    at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)
    at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildGroupList(PolicyMgrUserGroupBuilder.java:358)
    at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildUserGroupInfo(PolicyMgrUserGroupBuilder.java:156)
    at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.init(PolicyMgrUserGroupBuilder.java:152)
    at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:51)
    at java.lang.Thread.run(Thread.java:745)
==========================================================================================
2017-08-31 09:18:15,219 [http-bio-6080-exec-5] DEBUG org.apache.ranger.security.handler.RangerAuthenticationProvider (RangerAuthenticationProvider.java:412) - AD Authentication Failed:
org.springframework.security.authentication.BadCredentialsException: Bad credentials
    at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:185)
    at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61)
    at org.apache.ranger.security.handler.RangerAuthenticationProvider.getADBindAuthentication(RangerAuthenticationProvider.java:405)
    ....
Caused by: org.springframework.security.ldap.authentication.ad.ActiveDirectoryAuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@]
    at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.raiseExceptionForErrorCode(ActiveDirectoryLdapAuthenticationProvider.java:220)
    ... 37 more
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    at javax.naming.InitialContext.init(InitialContext.java:244)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider$ContextFactory.createContext(ActiveDirectoryLdapAuthenticationProvider.java:345)
    at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.bindAsUser(ActiveDirectoryLdapAuthenticationProvider.java:179)
    ... 35 more
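Added example (not part of the original posts, and not Ranger code): a small Python triage helper that pulls the HTTP status and the LDAP result code out of log lines like the ones above and decodes the Active Directory `data` sub-code that accompanies result 49. The sample lines are abridged from the logs in this thread; the function and table names are illustrative.

```python
import re

# Active Directory sub-codes carried in the "data" field of LDAP result 49.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "unknown user name or bad password",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "password must be reset",
    "775": "account locked out",
}
LDAP_RESULTS = {4: "sizeLimitExceeded", 49: "invalidCredentials"}

HTTP_RE = re.compile(r"\b(GET|POST) (\S+) returned a response status of (\d{3})")
LDAP_RE = re.compile(r"LDAP: error code (\d+) - ([^\]]*)")
DATA_RE = re.compile(r"\bdata ([0-9a-f]{3,4})\b", re.I)

def triage(lines):
    """Return de-duplicated (kind, code, detail) findings in first-seen order."""
    findings = []
    for line in lines:
        for method, url, status in HTTP_RE.findall(line):
            path = url.split("?", 1)[0]  # drop the query string
            findings.append(("http", int(status), f"{method} {path}"))
        for code, text in LDAP_RE.findall(line):
            code = int(code)
            detail = LDAP_RESULTS.get(code, "unmapped result code")
            sub = DATA_RE.search(text)
            if code == 49 and sub:
                key = sub.group(1).lower()
                detail += ": " + AD_BIND_SUBCODES.get(key, "unmapped sub-code " + key)
            findings.append(("ldap", code, detail))
    return list(dict.fromkeys(findings))  # repeated "Caused by" lines collapse

# Lines abridged from the logs posted in this thread.
SAMPLE = [
    "ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup "
    "source/sink. Error details: UniformInterfaceException: GET "
    "http://domain.config.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0 "
    "returned a response status of 401 Unauthorized",
    "Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]",
    "[LDAP: error code 4 - Sizelimit Exceeded]; remaining name 'dc=domain,dc=config,dc=com'",
]
```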
Created ‎08-31-2017 07:37 AM
ranger.ldap.ad.domain=DC=domain,DC=config,DC=com
ranger.ldap.ad.url=ldap://domain.config.com:389
ranger.ldap.ad.base.dn=DC=domain,DC=config,DC=com
ranger.ldap.ad.bind.dn=DOMAIN\binduser
ranger.ldap.ad.bind.password=XXXX
ranger.ldap.ad.referral=follow
ranger.ldap.group.searchbase=DC=domain,DC=config,DC=com
ranger.ldap.group.searchfilter=(member=cn={0},ou=Users,DC=domain,DC=config,DC=com)
Created ‎08-31-2017 09:40 AM
This is what it means: "The 401 Unauthorized error is an HTTP status code that means the page you were trying to access cannot be loaded until you first log in with a valid user ID"
How to Fix the 401 Unauthorized Error
- Check for errors in the URL. It's possible that the 401 Unauthorized error appeared because the URL was typed incorrectly or the link that was clicked on points to the wrong URL - one that is for authorized users only.
- If you're sure the URL is valid, visit the website's main page and look for a link that says Login or Secure Access. Enter your credentials here and then try the page again. If you don't have credentials, follow the instructions provided on the website for setting up an account.
- If you're sure the page you're trying to reach shouldn't need authorization, the 401 Unauthorized error message may be a mistake. At that point, it's probably best to contact the webmaster or other website contact and inform them of the problem.
Tip: The webmaster of some websites can be reached via email at webmaster@website.com, replacing website.com with the actual website name.
- The 401 Unauthorized error can also appear immediately after login, which is an indication that the website received your username and password but found something about them to be invalid (e.g. your password is incorrect). Follow whatever process is in place at the website to regain access to their system.
Created ‎08-31-2017 07:46 PM
I'm sure the URL error is not an authorization issue or syntax error. Will look more at the group and user filters, as an HWX document suggests it might be some settings.
Created ‎09-04-2017 10:27 AM
I'm getting the error above when I configure usersync...
Created ‎09-04-2017 11:10 AM
Are the ranger.ldap.ad.* entries you entered correct, i.e. not the examples in the documentation?
Did you already run the ambari-server sync-ldap to see if your users are captured in the process?
Could you add these values in your parameters?
Group User Map Sync: Yes
Username Attribute: sAMAccountName
User Search Base: valid entries
User Search Filter: ?
User Search Scope: ?
User Group Name Attribute:
Enable User Search: Yes
Let me know
