
External authentication issue with two LDAP servers

Explorer

Hello,


I have 2 LDAP servers for load balancing. I'm having an issue configuring external authentication since no matter how I provide the URLs, I always have LDAP errors.


This is what I've tried so far:

1. ldap://ldap1.example.com,ldap://ldap2.example.com  -> CM server thinks /ldap2.example.com is a DN

2. ldap://ldap1.example.com ldap://ldap2.example.com -> ldap://ldap1.example.com ldap://ldap2.example.com is an invalid LDAP URL. Illegal character in authority at index 7: dap://ldap1.example.com ldap://ldap2.example.com (even though in Cloudera Documentation it says "A space-separated list of URLs can be entered")

3. ldap://ldap1.example.com,ldap2.example.com

4. ldap://ldap1.example.com ldap2.example.com


What is the correct way? Thanks!


Champion
To me it seems to be an issue with having more than one LDAP server listed. It does say that more than one can be listed if it is space separated, but the error indicates otherwise.

Is that error from the CM server logs? If not, can you check there for possibly more information?

Maybe a Cloudera employee will chime in on this or you can contact support to see if it is a bug.

Explorer

Hi,


Yes, it is a cloudera-scm-server log. Looks like a bug to me as well. But maybe there really is some syntax issue there.

Contributor

Hello ahaeni,


I have a couple of questions regarding your post:


1. What documentation are you following?


2. Are you utilizing Active Directory for authentication? If so, have you considered using LDAP external authentication and pointing Cloudera Manager to an Active Directory Global Catalog?


3. Could you provide the contents of the cloudera-scm-server log that shows the error?


4. In this case, would it be more beneficial to point to the load balancer and then allow the load balancer to decide which server to use for authentication?


Thanks

Champion

@Borg I was referring, and I think @ahaeni was as well, to the tooltip within CM, version 5.8.2 for me. Emphasis is mine.


"The URL of the LDAP server. The URL must be prefixed with ldap:// or ldaps://. The URL can optionally specify a custom port, for example: ldaps://ldap_server.example.com:1636. Note that usernames and passwords will be transmitted in the clear unless either an ldaps:// URL is used, or "Enable LDAP TLS" is turned on (where available). Also note that encryption must be in use between the client and this service for the same reason.

For more detail on the LDAP URL format, see RFC 2255 . A space-separated list of URLs can be entered; in this case the URLs will each be tried in turn until one replies."


The docs themselves do not make mention of this and only give an example of using a single LDAP server.


https://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_external_auth.html#cmug_topic_...


If it was AD, pointing to one would be sufficient. I assumed it was OpenLDAP or something like it.


@ahaeni Looks like it may just be bad info in the tooltip and not a bug or syntax issue.  In that case, a LB in front of them would be the solution, as @Borg mentioned, to allow both to be used.
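As an added illustration (not Cloudera Manager's own code), the Python below applies the rules from the quoted tooltip: split the setting on whitespace, require an ldap:// or ldaps:// prefix, and try the servers in turn. Run against the four forms from the original post it shows why only the space-separated form yields two usable URLs, and it flags plain ldap:// entries as sending credentials in the clear; the `connect` callback is an assumed stand-in for a real bind attempt.

```python
import re
from typing import Callable, Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# Host labels per RFC 1123 (underscore tolerated, as in the tooltip's own example host).
HOST_RE = re.compile(
    r"^(?:[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?\.)*[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?$",
    re.I,
)

def validate_ldap_url(url: str) -> Optional[str]:
    """Return None for a well-formed ldap:// or ldaps:// URL (RFC 2255 style), else the reason."""
    parts = urlparse(url)
    if parts.scheme not in ("ldap", "ldaps"):
        return f"{url!r}: URL must be prefixed with ldap:// or ldaps://"
    host = parts.hostname or ""
    if not HOST_RE.match(host):
        # With a ',' the comma lands inside the host: it is not a list separator in an LDAP URL.
        return f"{url!r}: invalid host {host!r}"
    try:
        parts.port  # raises ValueError when the port is not numeric
    except ValueError:
        return f"{url!r}: invalid port"
    return None

def parse_ldap_url_list(value: str) -> Tuple[List[str], List[str]]:
    """Split the setting on whitespace, as the tooltip describes, and validate each entry."""
    urls: List[str] = []
    errors: List[str] = []
    for url in value.split():
        err = validate_ldap_url(url)
        if err:
            errors.append(err)
        else:
            urls.append(url)
    return urls, errors

def cleartext_urls(urls: Iterable[str]) -> List[str]:
    """Entries that send the bind password in the clear unless 'Enable LDAP TLS' is on."""
    return [u for u in urls if urlparse(u).scheme == "ldap"]

def bind_with_failover(urls: Iterable[str], connect: Callable[[str], bool]) -> Optional[str]:
    """Try each URL in turn until one replies; return the URL that answered, or None."""
    for url in urls:
        if connect(url):  # assumed stand-in for an actual LDAP bind
            return url
    return None
```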

Explorer
1. https://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_external_auth.html#cmug_topic_...

2. LDAP, not AD

3. The cloudera log (or a part of it) is in my original post

4. I'm clarifying about the load balancer now, but the tooltip of Cloudera Manager is really misleading, as mbigelow mentioned already. Maybe something to fix for Cloudera in the future.

Contributor

Thanks for the clarification and the provided information. I would suggest using the load balancer as stated in the previous post. As for the tooltip, thanks for pointing that out; I will relay this to our internal teams to review.


Cheers