Support Questions
Find answers, ask questions, and share your expertise
Announcements
Check out our newest addition to the community, the Cloudera Innovation Accelerator group hub.

External authentication issue with two LDAP servers

Explorer

Hello,

 

I have 2 LDAP servers for loadbalancing. I'm having an issue configuring external authentication since no matter how I provide the URLs, I always have LDAP errors.

 

This is what I've tried so far:

1. ldap://ldap1.example.com,ldap://ldap2.example.com  -> CM server thinks /ldap2.example.com is a DN

2. ldap://ldap1.example.com ldap://ldap2.example.com -> ldap://ldap1.example.com ldap://ldap2.example.com is an invalid LDAP URL. Illegal character in authority at index 7: dap://ldap1.example.com ldap://ldap2.example.com (even though in Cloudera Documentation it says "A space-separated list of URLs can be entered")

3. ldap://ldap1.example.com,ldap2.example.com

4. ldap://ldap1.example.com ldap2.example.com

 

What is the correct way? Thanks!

6 REPLIES 6

Champion
To me it seems to be an issue with having more than one LDAP server listed. It it does say that more than one can be listed if it is space separated, but the error indicates otherwise.

Is that error from the CM server logs? If no, can you check there for possible more information?

Maybe a Cloudera employee will chime in on this or you can contact support to see if it is a bug.

Explorer

Hi,

 

yes, it is a cloudera-scm-server log. Looks like a bug to me as well. But maybe there really is some syntax issue there.

Contributor

Hello ahaeni, 

 

I have a couple questions regarding your post: 

 

1. What documentation are you following? 

 

2. Are you utilizing Active Directory for authentication? If so have you considered using the LDAP external authentication and point Cloudera Manager to an Active Directory Global Catalog?

 

3. Could you provide the contents of the cloudera-scm-server log that shows the error?

 

4. In this case would it be more beneficial to point to the loadbalancer and then alllow the loadbalancer to decide what server to use for authentication? 

 

Thanks 

Champion

@Borg  I was refering, and I think @ahaeni was as well, to the tooltip within CM, version 5.8.2 for me.  Emphasis is mine.

 

"The URL of the LDAP server. The URL must be prefixed with ldap:// or ldaps://. The URL can optionally specify a custom port, for example: ldaps://ldap_server.example.com:1636. Note that usernames and passwords will be transmitted in the clear unless either an ldaps:// URL is used, or "Enable LDAP TLS" is turned on (where available). Also note that encryption must be in use between the client and this service for the same reason.

For more detail on the LDAP URL format, see RFC 2255 . A space-separated list of URLs can be entered; in this case the URLs will each be tried in turn until one replies."

 

The docs themselves do not make mention of this and only give an example of using a single LDAP server.

 

https://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_external_auth.html#cmug_topic_...

 

If it was AD, pointing to one would be sufficient.  I assumed with was OpenLDAP or something like it.

 

@ahaeni Looks like it may just be bad info in the tooltip and not a bug or syntax issue.  In that case, a LB in front of them would be the solution, as @Borg mentioned, to allow both to be used.

Explorer
1. https://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_external_auth.html#cmug_topic_...

2. LDAP, not AD

3. The cloudera log (or a part of it) is in my original post

4. I'm clarifying about the loadbalancer now, but the tooltip of Cloudera Manager is really misleading, as mbigelow mentioned already. Maybe something to fix for Cloudera in the future.

Contributor

Thanks for the clarification and the provided information. I would suggest to us the loadbalancer as stated in the previous post. As for the tool tip, thanks for pointing that out; I will relay this to our internal teams to review. 

 

Cheers