Support Questions

Find answers, ask questions, and share your expertise

LDAP Sync failed in HDP-3.1.0.0

avatar

Hi Guys,


I am trying to sync ldap users, I am getting below error, any idea, please?

====================

Review Settings

====================

Primary LDAP Host : xxxxxxxxxxxxx001

Primary LDAP Port (636): 636

Secondary LDAP Host <Optional>: xxxxxxxxxxx002

Secondary LDAP Port <Optional> (636): 636

Use SSL [true/false] (true): true

User object class (posixUser): posixUser

User ID attribute (uid): uid

Group object class (posixGroup): posixGroup

Group name attribute (cn): cn

Group member attribute (memberUid): memberUid

Distinguished name attribute (dn): dn

Search Base (dc=xyzcompany,dc=com): dc=xyzcompany,dc=com

Referral method [follow/ignore] (follow): follow

Bind anonymously [true/false] (false): false

Handling behavior for username collisions [convert/skip] for LDAP sync (skip): skip

Force lower-case user names [true/false] (true): true

Results from LDAP are paginated when requested [true/false] (false): false

ambari.ldap.connectivity.bind_dn: uid=svcTDPlookup,ou=serviceaccounts,ou=users,dc=xyzcompany,dc=com

ambari.ldap.connectivity.bind_password: *****

ambari.ldap.advanced.disable_endpoint_identification: false

ssl.trustStore.type: jks

ssl.trustStore.path: /etc/ambari-server/keys/ldaps-keystore.jks

ssl.trustStore.password: *****

Save settings [y/n] (y)?

Saving LDAP properties...

Saving LDAP properties finished

Ambari Server 'setup-ldap' completed successfully.

[root@shldvgdka001 keys]# ambari-server restart

Using python /usr/bin/python

Restarting ambari-server




Fetching LDAP configuration from DB.

Syncing specified users and groups...ERROR: Exiting with exit code 1.

REASON: Caught exception running LDAP sync. XXXXXXXXX02:636; nested exception is javax.naming.CommunicationException: XXXXXXXXXXX002:636 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)]



1 ACCEPTED SOLUTION

avatar
Master Mentor

@Sandeep R

It seems to be an SSL issue can you validate your LDAP, the port 636 is LDAPS and 389 is for LDAP.

To enable LDAPS, you must install a certificate that meets the following requirements:

  • The LDAPS certificate is located in the Local Computer's Personal certificate store (programmatically known as the computer's MY certificate store).
  • A private key that matches the certificate is present in the Local Computer's store and is correctly associated with the certificate. The private key must not have strong private key protection enabled.
  • The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier (also known as OID).
  • The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in one of the following places:
    • The Common Name (CN) in the Subject field.
    • DNS entry in the Subject Alternative Name extension.
  • The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA chains.
  • You must use the Schannel cryptographic service provider (CSP) to generate the key.


Hope that helps


View solution in original post

1 REPLY 1

avatar
Master Mentor

@Sandeep R

It seems to be an SSL issue can you validate your LDAP, the port 636 is LDAPS and 389 is for LDAP.

To enable LDAPS, you must install a certificate that meets the following requirements:

  • The LDAPS certificate is located in the Local Computer's Personal certificate store (programmatically known as the computer's MY certificate store).
  • A private key that matches the certificate is present in the Local Computer's store and is correctly associated with the certificate. The private key must not have strong private key protection enabled.
  • The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier (also known as OID).
  • The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in one of the following places:
    • The Common Name (CN) in the Subject field.
    • DNS entry in the Subject Alternative Name extension.
  • The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA chains.
  • You must use the Schannel cryptographic service provider (CSP) to generate the key.


Hope that helps