Support Questions

Find answers, ask questions, and share your expertise

How to enable TLS in RANGER ?



So, our corporate folks are forcing us from the "direct to their active directory controller" to a new ldap proxy setup that's based on openldap.

Under the older active directory setup, I connect from ranger to ldaps:// and all is good. It works.

But under the new setup I need to get working, it's still "ldap" (not ldaps)... and port 389 (not 636). That's simple enough, BUT the connection requires TLS.

In an unrelated apache server, the new ldap bind setup was tweaked as like this (the magic sauce is the "TLS" option at end):

AuthLDAPURL "ldap://,dc=com?sAMAccountName?sub?(objectClass=*)" TLS

and similarly, using the standard unix-based "ldapsearch" tool, that has the "-ZZ" option-- to force the use of TLS.

But as for RANGER, I'm kinda stuck. Can anyone tell me how the heck I can get TLS negotiation working in RANGER? The "ldaptool" provided as a nifty gadget with ranger errors out thus:

javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - TLS confidentiality required]

This is an error I have seen again and again- until (for example in apache, or ldapsearch..) I figured out how to enable TLS.

I am clueless as to what "option" to define or enable to force TLS negotiation for RANGER.

Any insight or or ideas would be appreciated!


@Kent Brodie

In this case Ranger acts like a client right - do you mean to say Ranger is unable to talk to LDAP? what error do you see at Ranger side?


Yes ranger is a "client". I haven't gotten to even trying ranger yet because I can't even get the "ldaptool" to work. See error above in terms of what ldaptool tells me. I'm runnig that on the ranger node.

New Contributor

Hi @Kent Brodie!

Did you find solution for this issue?


No, never found a solution.

@Kent Brodie If your LDAP is running on SSL then first validate if it is taking the connections using openssl

openssl s_client -connect

If that works fine then you will have to configure the Truststore in Ranger and see.


This is just TLS not full certificate-based SSL:

[root@garth01 ldaptool]# openssl s_client -connect
140306741082000:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 289 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Protocol : TLSv1.2
Cipher : 0000
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1534974457
Timeout : 300 (sec)
Verify return code: 0 (ok)