Created 02-07-2016 08:42 PM
HDP-2.3.2.0-2950, Ambari 2.1, Hive: 1.2.1.2.3
I am facing a problem connecting beeline with secured LDAP. Here are my testing, setups and errors:
Secured LDAP Connectivity Testing (working):
ping -c1 xxxx.net
telnet xxxx.net 636
Setup:
/etc/openldap/ldap.conf : TLS_CACERTDIR /usr/jdk64/jdk1.7.0_67/jre/lib/security
Certificate Type: CA certificate
keytool -import -trustcacerts -alias xxxx -storepass changeit -noprompt -file 6a386909.0 -keystore /usr/jdk64/jdk1.7.0_67/jre/lib/security/cacerts (Certificate imported)
Works Fine:
ldapsearch -x -W -D 'uid=abc@xx.com,ou=People,o=xx.com' -H ldaps://xxxx.net:636 -b o=xx.com "(uid=abc@xx.com)"
HDFS env Setup:
export HADOOP_OPTS="-Djava.net.preferIPv4Stack=true -Djavax.net.ssl.trustStore=/usr/jdk64/jdk1.7.0_67/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit ${HADOOP_OPTS}"
Hive Advanced Setup:
hive.server2.authentication.ldap.baseDN : CN=%s,uid=%s,OU=People,O=xx.com
hive.server2.authentication.ldap.url : ldaps://xxxx.net
beeline> !connect jdbc:hive2://<myhiveserver2-host>:10000
Connecting to jdbc:hive2://<myhiveserver2-host>:10000
Enter username for jdbc:hive2://<myhiveserver2-host>:10000: abc@xx.com (TRIED with just abc also)
Enter password for jdbc:hive2://<myhiveserver2-host>:10000: *********
Error: Could not open client transport with JDBC Uri: jdbc:hive2://<myhiveserver2-host>:10000: Peer indicated failure: Error validating the login (state=08S01,code=0)
0: jdbc:hive2://<myhiveserver2-host>:100 (closed)>
hiveserver2.log
------------------
2016-02-07 20:06:07,764 ERROR [HiveServer2-Handler-Pool: Thread-47]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure
javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]]]
at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:109)
at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283)
at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]]
at org.apache.hive.service.auth.LdapAuthenticationProviderImpl.Authenticate(LdapAuthenticationProviderImpl.java:77)
at org.apache.hive.service.auth.PlainSaslHelper$PlainServerCallbackHandler.handle(PlainSaslHelper.java:106)
at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:102)
... 8 more
Created 02-08-2016 07:03 PM
Your base DN should be (assuming it is NOT AD):
hive.server2.authentication.ldap.baseDN: OU=People,O=xx.com
Ensure that you go to the host in Ambari (not Dashboard) and restart HiveServer2 from the host list.
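An added example to go with this answer (it is not from the thread and not Hive's own code): it rebuilds the bind DN that a simple-bind LDAP authenticator would form from the Hive settings, compares it with the DN that already worked in the asker's ldapsearch, and flags baseDN values that cannot work. It assumes (an assumption, not confirmed by the thread) that this Hive version binds as uid=<username>,<baseDN> when no LDAP domain is configured and does not substitute %s placeholders in hive.server2.authentication.ldap.baseDN; the DN values are the placeholders from the thread.

```python
"""Added example (not from the thread or the Hive project).

Assumption: HiveServer2 with hive.server2.authentication=LDAP binds as
"uid=<username>,<baseDN>" when no ldap domain is set, and leaves any
"%s" in hive.server2.authentication.ldap.baseDN untouched. Sample DNs are
the placeholders from the thread (xx.com, abc@xx.com).
"""
from typing import List, Optional


def build_hive_bind_dn(username: str, base_dn: str, ldap_domain: Optional[str] = None) -> str:
    """Mimic the simple-bind DN construction (assumed behaviour, see above)."""
    user = username
    # A configured domain is appended only if the name has none already.
    if ldap_domain and "@" not in user:
        user = f"{user}@{ldap_domain}"
    if not base_dn:
        return user
    return f"uid={user},{base_dn}"


def lint_base_dn(base_dn: str) -> List[str]:
    """Return problems with a baseDN value before it reaches HiveServer2."""
    problems = []
    if "%s" in base_dn:
        problems.append("contains '%s' placeholders; they are not substituted, "
                        "so the bind DN names no directory entry (LDAP error 49)")
    for rdn in (r.strip() for r in base_dn.split(",")):
        if "=" not in rdn:
            problems.append(f"RDN {rdn!r} is not in attribute=value form")
        elif rdn.split("=", 1)[0].lower() in ("uid", "cn"):
            problems.append(f"RDN {rdn!r} names a user entry; baseDN should be "
                            "the container the users live in (e.g. OU=People,O=xx.com)")
    return problems


def normalize_dn(dn: str) -> str:
    """Case-fold attribute names and drop spaces around commas for comparison."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.lower()}={value}")
    return ",".join(parts)


def dn_matches_working_ldapsearch(hive_dn: str, ldapsearch_dn: str) -> bool:
    """True if HiveServer2 would bind with the same DN that ldapsearch -D used."""
    return normalize_dn(hive_dn) == normalize_dn(ldapsearch_dn)


# Constructed sample values, taken from the thread's placeholders.
WORKING_LDAPSEARCH_DN = "uid=abc@xx.com,ou=People,o=xx.com"   # the -D value that worked
BAD_BASE_DN = "CN=%s,uid=%s,OU=People,O=xx.com"               # the asker's original setting
GOOD_BASE_DN = "OU=People,O=xx.com"                           # the setting suggested above

if __name__ == "__main__":
    for base in (BAD_BASE_DN, GOOD_BASE_DN):
        dn = build_hive_bind_dn("abc@xx.com", base)
        ok = dn_matches_working_ldapsearch(dn, WORKING_LDAPSEARCH_DN)
        print(f"baseDN={base!r}\n  bind DN -> {dn}\n  matches working ldapsearch DN: {ok}")
        for problem in lint_base_dn(base):
            print(f"  warning: {problem}")
```

The check worth keeping from this is the comparison: whatever DN works with ldapsearch -D over ldaps:// is the DN HiveServer2 has to end up binding with, so the username typed at the beeline prompt plus the baseDN must reassemble exactly that string, which is why the full abc@xx.com login and the bare OU=People,O=xx.com base go together here.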
Created 02-08-2016 01:58 AM
[LDAP: error code 49 - Invalid Credentials]]] -- See this
TSaslTransport.java:open(315)) - SASL negotiation failure javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]]]
Created 02-08-2016 04:53 PM
It would be more helpful if I knew the reasons this error occurs, so that I can pinpoint the problem. Or please give me some steps to debug, and a solution.
Created 02-10-2016 05:58 PM
Are you able to find a solution to this problem yet?