
Error while configuring AD usersync on HDP 2.4.3

Expert Contributor

I keep encountering errors with usersync config on HDP 2.4.3. I am trying to sync users with AD and be able to log into Ranger Admin with the AD details.

25 Aug 2017 09:41:59 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details:
com.sun.jersey.api.client.UniformInterfaceException: GET http://domain:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized
        at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686)
        at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
        at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildGroupList(PolicyMgrUserGroupBuilder.java:358)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildUserGroupInfo(PolicyMgrUserGroupBuilder.java:156)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.init(PolicyMgrUserGroupBuilder.java:152)
        at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:51)
        at java.lang.Thread.run(Thread.java:745)

xa-portal.txt

Accepted Solutions

Re: Error while configuring AD usersync on HDP 2.4.3

Expert Contributor

With HDP 2.6.0, I was able to configure Ranger with AD. Only needed to create the amb_ranger_admin user that was missing in Ranger UI.

Re: Error while configuring AD usersync on HDP 2.4.3

Mentor

@Joshua Adeleke

You have a configuration issue, your search filter is not correct hence throwing

[LDAP: error code 4 - Sizelimit Exceeded]; remaining name 'dc=domain,dc=config,dc=com']

Can you align your setup with this official document attached?

Can you paste your AD configurations here, and maybe the steps you went through?

Re: Error while configuring AD usersync on HDP 2.4.3

Expert Contributor

@Geoffrey Shelton Okot Thank you. I have aligned my setup with the attached document but I still get the errors below from usersync.log and xa_portal.log. I'm thinking the change I made to the usersync user could be an issue, but I made sure the rangerusersync user in Ranger Admin has the same password as the one I configured using the updatepasswordpolicy.py script. Not sure what else is the issue. Running a curl command on "GET http://domain.config.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0" and it worked. Also tested my AD Bind user elsewhere and it works fine.

31 Aug 2017 07:22:17 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 3600000 milliseconds. Error details:
com.sun.jersey.api.client.UniformInterfaceException: GET http://domain.config.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized
        at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686)
        at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
        at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildGroupList(PolicyMgrUserGroupBuilder.java:358)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildUserGroupInfo(PolicyMgrUserGroupBuilder.java:156)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.init(PolicyMgrUserGroupBuilder.java:152)
        at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:51)
        at java.lang.Thread.run(Thread.java:745)
==========================================================================================
2017-08-31 09:18:15,219 [http-bio-6080-exec-5] DEBUG org.apache.ranger.security.handler.RangerAuthenticationProvider (RangerAuthenticationProvider.java:412) - AD Authentication Failed:
org.springframework.security.authentication.BadCredentialsException: Bad credentials
        at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:185)
        at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61)
        at org.apache.ranger.security.handler.RangerAuthenticationProvider.getADBindAuthentication(RangerAuthenticationProvider.java:405)

....

Caused by: org.springframework.security.ldap.authentication.ad.ActiveDirectoryAuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@]
        at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.raiseExceptionForErrorCode(ActiveDirectoryLdapAuthenticationProvider.java:220)
        ... 37 more
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
        at javax.naming.InitialContext.init(InitialContext.java:244)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
        at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider$ContextFactory.createContext(ActiveDirectoryLdapAuthenticationProvider.java:345)
        at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.bindAsUser(ActiveDirectoryLdapAuthenticationProvider.java:179)
        ... 35 more
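
Added example (not part of any post in this thread, and not Ranger code): a small Python triage script that separates the three failures quoted above, namely the usersync HTTP 401, the LDAP result code 4, and the AD bind failure whose hex `data` sub-code (here `52e`) says why the bind was rejected. The sub-code table is the standard Win32 logon error set; the sample lines are constructed from the excerpts in the thread.

```python
import re
from collections import Counter
# Hex "data" sub-codes AD appends to LDAP result 49 (Win32 logon error numbers).
AD_SUBCODES = {
    "525": "no such user",
    "52e": "logon failure: unknown user name or bad password",
    "530": "logon outside permitted hours",
    "531": "logon from this workstation not permitted",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "password must be changed",
    "775": "account locked out",
}
LDAP_RE = re.compile(r"\[LDAP: error code (\d+) - ([^\]]*)\]")
DATA_RE = re.compile(r"\bdata ([0-9a-fA-F]+)\b")
HTTP_RE = re.compile(r"\b(GET|POST|PUT|DELETE) (\S+) returned a response status of (\d{3})")

def classify(line):
    """Return (kind, code, meaning) for one log line, or None if it is noise."""
    m = HTTP_RE.search(line)
    if m:  # usersync calling the Ranger Admin REST API
        return ("http", m.group(3), m.group(1) + " " + m.group(2).split("?")[0])
    m = LDAP_RE.search(line)
    if not m:
        return None
    # JNDI logs the server's trailing NUL, which shows up as "^@" once pasted.
    code, detail = m.group(1), m.group(2).replace("^@", "").replace("\x00", "")
    if code == "49":  # invalidCredentials: the sub-code says why the bind failed
        d = DATA_RE.search(detail)
        sub = d.group(1).lower() if d else "?"
        return ("ad-bind", sub, AD_SUBCODES.get(sub, "unrecognised sub-code"))
    return ("ldap", code, detail.strip())

def triage(lines):
    """Count distinct findings; repeated 'Caused by' lines collapse to one key."""
    return Counter(f for f in map(classify, lines) if f)

# Constructed sample lines, modelled on the excerpts quoted in this thread.
SAMPLE = [
    "com.sun.jersey.api.client.UniformInterfaceException: GET http://domain.config.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized",
    "        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)",
    "Caused by: org.springframework.security.ldap.authentication.ad.ActiveDirectoryAuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@]",
    "Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580\x00]",
    "[LDAP: error code 4 - Sizelimit Exceeded]; remaining name 'dc=domain,dc=config,dc=com']",
]
if __name__ == "__main__":
    for (kind, code, meaning), n in triage(SAMPLE).items():
        print(f"{n}x {kind:8} {code:4} {meaning}")
```

Run against the real usersync.log and xa_portal.log, a `52e` finding points at the credentials or name format presented in the bind, whereas `533`, `701` or `775` would point at the state of the account in AD.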

Re: Error while configuring AD usersync on HDP 2.4.3

Expert Contributor
ranger.ldap.ad.domain=DC=domain,DC=config,DC=com
ranger.ldap.ad.url=ldap://domain.config.com:389
ranger.ldap.ad.base.dn=DC=domain,DC=config,DC=com
ranger.ldap.ad.bind.dn=DOMAIN\binduser
ranger.ldap.ad.bind.password=XXXX
ranger.ldap.ad.referral=follow
ranger.ldap.group.searchbase=DC=domain,DC=config,DC=com
ranger.ldap.group.searchfilter=(member=cn={0},ou=Users,DC=domain,DC=config,DC=com)

Re: Error while configuring AD usersync on HDP 2.4.3

Mentor

@Joshua Adeleke

This is what it means: "The 401 Unauthorized error is an HTTP status code that means the page you were trying to access cannot be loaded until you first log in with a valid user ID"

How to Fix the 401 Unauthorized Error

  1. Check for errors in the URL. It's possible that the 401 Unauthorized error appeared because the URL was typed incorrectly or the link that was clicked on points to the wrong URL - one that is for authorized users only.
  2. If you're sure the URL is valid, visit the website's main page and look for a link that says Login or Secure Access. Enter your credentials here and then try the page again. If you don't have credentials, follow the instructions provided on the website for setting up an account.
  3. If you're sure the page you're trying to reach shouldn't need authorization, the 401 Unauthorized error message may be a mistake. At that point, it's probably best to contact the webmaster or other website contact and inform them of the problem.

    Tip: The webmaster of some websites can be reached via email at webmaster@website.com, replacing website.com with the actual website name.
  4. The 401 Unauthorized error can also appear immediately after login, which is an indication that the website received your username and password but found something about them to be invalid (e.g. your password is incorrect). Follow whatever process is in place at the website to regain access to their system.

Re: Error while configuring AD usersync on HDP 2.4.3

Expert Contributor
@Geoffrey Shelton Okot

I'm sure the URL error is not an authorization issue or syntax error. Will look more at the group and user filters, as an hwx document suggests it might be some settings.

Re: Error while configuring AD usersync on HDP 2.4.3

Expert Contributor
@spolavarapu

I'm getting the error above when I configure usersync...

Re: Error while configuring AD usersync on HDP 2.4.3

Mentor

@Joshua Adeleke

Are the ranger.ldap.ad.* entries you entered correct, i.e. not the examples in the documentation?

Did you already run the ambari-server sync-ldap to see if your users are captured in the process?

Could you add these values in your parameters?

Group User Map Sync-----Yes 
Username Attribute------sAMAccountName 
User Search Base------valid entries 
User Search Filter------ ?
User Search Scope------ ?
User Group Name Attribute------ 
Enable User Search----Yes

Let me know
