HUE LDAP Integration - Login failure for some users

Rising Star

I have integrated my hue.ini configuration file for both direct and search bind. It was able to identify the users in search bind but is giving the error "user DN/password rejected by LDAP server."; only some users are able to log in to it. Any idea about the root cause of this error?

The same problem occurs with Ranger and Ambari. Is it because other users don't have special privileges which these users have? Logs attached.

[20/May/2016 20:38:48 +0000] backend      DEBUG    Django user vinay.potnuru does not have a profile to populate
[20/May/2016 20:38:48 +0000] backend      DEBUG    Populating Django user vinay.potnuru
[20/May/2016 20:38:48 +0000] config       DEBUG    search_s('OU=Developers,DC=company,DC=com', 2, '(&(sAMAccountName=%(user)s)(objectclass=*))') returned 1 objects: cn=vinay potnuru,ou=users,ou=Developers,dc=company,dc=com
[20/May/2016 20:38:48 +0000] access       DEBUG    172.16.0.155 -anon- - "POST /accounts/login/ HTTP/1.1"
[20/May/2016 20:38:44 +0000] access       WARNING  172.16.0.155 -anon- - "POST /accounts/login/ HTTP/1.1" -- Failed login for user "koushik.veldanda"
[20/May/2016 20:38:44 +0000] backend      DEBUG    Authentication failed for koushik.veldanda: user DN/password rejected by LDAP server.
[20/May/2016 20:38:44 +0000] config       DEBUG    search_s('OU=Developers,DC=company,DC=com', 2, '(&(sAMAccountName=%(user)s)(objectclass=*))') returned 1 objects: cn=koushik veldanda,ou=users,ou=Developers,dc=company,dc=com
1 ACCEPTED SOLUTION

Rising Star

Organisations restrict user access to specific servers and computers using a logon option. Only if a user is given the "logon to all computers" option is he/she able to log in to the Ambari/Hue/Ranger UI using their Active Directory credentials. I feel that is against organisational policies. Is there another way to achieve this functionality, like giving access to a URL the way we give access to systems?
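An added example (not part of the original thread and not Hue's own code): Active Directory returns the same generic "invalid credentials" result for several different causes and puts the real reason in a hexadecimal sub-code inside the bind diagnostic message, where 531 is the workstation logon restriction described above. The sketch below decodes that sub-code; it assumes the diagnostic text has been captured from a direct bind attempt as the affected user (the Hue log on this page does not include it), and the function names and sample users are hypothetical.

```python
import re
from collections import defaultdict

# Sub-codes AD places in the diagnostic message of a failed bind (LDAP result 49).
# Values are hexadecimal Windows error codes.
AD_SUBCODES = {
    0x525: ("user not found", "lookup"),
    0x52E: ("invalid credentials (wrong password)", "credential"),
    0x530: ("logon not permitted at this time", "policy"),
    0x531: ("logon not permitted from this workstation", "policy"),
    0x532: ("password expired", "policy"),
    0x533: ("account disabled", "policy"),
    0x701: ("account expired", "policy"),
    0x773: ("user must reset password", "policy"),
    0x775: ("account locked out", "policy"),
}
DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def classify(diagnostic):
    """Return (reason, category) for one AD bind diagnostic message."""
    match = DATA_RE.search(diagnostic or "")
    if not match:
        return ("no AD sub-code in message", "unknown")
    code = int(match.group(1), 16)
    return AD_SUBCODES.get(code, (f"unmapped sub-code {match.group(1)}", "unknown"))


def triage(failures):
    """Group (user, diagnostic) pairs by category so that account-policy
    failures are separated from genuine wrong-password failures."""
    report = defaultdict(list)
    for user, diagnostic in failures:
        reason, category = classify(diagnostic)
        report[category].append((user, reason))
    return dict(report)


# Constructed sample input: users and messages are illustrative only.
SAMPLE = [
    ("user.a", "80090308: LdapErr: DSID-0C0903A9, comment: "
               "AcceptSecurityContext error, data 531, v1db1"),
    ("user.b", "80090308: LdapErr: DSID-0C0903A9, comment: "
               "AcceptSecurityContext error, data 52e, v1db1"),
    ("user.c", "Invalid credentials"),  # server gave no sub-code
]

if __name__ == "__main__":
    for category, entries in triage(SAMPLE).items():
        for user, reason in entries:
            print(f"{category:10} {user:8} {reason}")
```

A user who lands in the "policy" category with sub-code 531 has a correct password but is restricted by the account's logon workstation list.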


3 REPLIES

Super Guru

Hi @vinay kumar

From the log this seems to be an issue on the LDAP server side. Can you check if the same users are able to log in on any LDAP client node? The issue also might be related to network connectivity with the LDAP server.

Rising Star

Hi @Sagar Shimpi

Yes, they were able to log in to SSSD-integrated nodes, but not able to log in to Ranger, Ambari and Hue. If I am not wrong, and if you look at the logs, it actually returned an object for koushik.veldanda using search bind, but it wasn't able to authenticate. The password is definitely not wrong, so the only issue could be with the DN or bind. What are the things that could cause this? Does this have anything to do with encryption?

But why were only a few users able to log in? And guess what, these are the users who are working on this project. But we didn't specify any such restriction.

What do you mean by network connectivity with the LDAP server?
