How to enable TLS in RANGER ?


Contributor

Hello!

So, our corporate folks are forcing us from the "direct to their active directory controller" to a new ldap proxy setup that's based on openldap.

Under the older active directory setup, I connect from ranger to ldaps://domain.com:636 and all is good. It works.

But under the new setup I need to get working, it's still "ldap" (not ldaps)... and port 389 (not 636). That's simple enough, BUT the connection requires TLS.

In an unrelated apache server, the new ldap bind setup was tweaked like this (the magic sauce is the "TLS" option at the end):

AuthLDAPURL "ldap://domain.company.com:389/dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)" TLS

and similarly, using the standard unix-based "ldapsearch" tool, that has the "-ZZ" option to force the use of TLS.


But as for RANGER, I'm kinda stuck. Can anyone tell me how the heck I can get TLS negotiation working in RANGER? The "ldaptool" provided as a nifty gadget with ranger errors out thus:

javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - TLS confidentiality required]

This is an error I have seen again and again, until (for example in apache, or ldapsearch..) I figured out how to enable TLS.

I am clueless as to what "option" to define or enable to force TLS negotiation for RANGER.

Any insight or ideas would be appreciated!


Re: How to enable TLS in RANGER ?

@Kent Brodie

In this case Ranger acts like a client, right? Do you mean to say Ranger is unable to talk to LDAP? What error do you see on the Ranger side?

Re: How to enable TLS in RANGER ?

Contributor

Yes, ranger is a "client". I haven't gotten to even trying ranger yet because I can't even get the "ldaptool" to work. See error above in terms of what ldaptool tells me. I'm running that on the ranger node.

Re: How to enable TLS in RANGER ?

New Contributor

Hi @Kent Brodie!

Did you find a solution for this issue?

Re: How to enable TLS in RANGER ?

Contributor

No, never found a solution.

Re: How to enable TLS in RANGER ?

@Kent Brodie If your LDAP is running on SSL then first validate whether it is accepting connections using openssl:

openssl s_client -connect domain.company.com:389

If that works fine then you will have to configure the Truststore in Ranger and see.

Re: How to enable TLS in RANGER ?

Contributor

This is just TLS, not full certificate-based SSL:

[root@garth01 ldaptool]# openssl s_client -connect myldapthing.company.com:389
CONNECTED(00000003)
140306741082000:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1534974457
Timeout : 300 (sec)
Verify return code: 0 (ok)
---