Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

LDAP Sync failed in HDP-3.1.0.0

avatar
author-rank sandeep_hadoopa
Explorer

Created on ‎04-14-2019 08:48 PM - edited ‎09-16-2022 07:18 AM

Hi Guys,


I am trying to sync ldap users, I am getting below error, any idea, please?

====================

Review Settings

====================

Primary LDAP Host : xxxxxxxxxxxxx001

Primary LDAP Port (636): 636

Secondary LDAP Host <Optional>: xxxxxxxxxxx002

Secondary LDAP Port <Optional> (636): 636

Use SSL [true/false] (true): true

User object class (posixUser): posixUser

User ID attribute (uid): uid

Group object class (posixGroup): posixGroup

Group name attribute (cn): cn

Group member attribute (memberUid): memberUid

Distinguished name attribute (dn): dn

Search Base (dc=xyzcompany,dc=com): dc=xyzcompany,dc=com

Referral method [follow/ignore] (follow): follow

Bind anonymously [true/false] (false): false

Handling behavior for username collisions [convert/skip] for LDAP sync (skip): skip

Force lower-case user names [true/false] (true): true

Results from LDAP are paginated when requested [true/false] (false): false

ambari.ldap.connectivity.bind_dn: uid=svcTDPlookup,ou=serviceaccounts,ou=users,dc=xyzcompany,dc=com

ambari.ldap.connectivity.bind_password: *****

ambari.ldap.advanced.disable_endpoint_identification: false

ssl.trustStore.type: jks

ssl.trustStore.path: /etc/ambari-server/keys/ldaps-keystore.jks

ssl.trustStore.password: *****

Save settings [y/n] (y)?

Saving LDAP properties...

Saving LDAP properties finished

Ambari Server 'setup-ldap' completed successfully.

[root@shldvgdka001 keys]# ambari-server restart

Using python /usr/bin/python

Restarting ambari-server




Fetching LDAP configuration from DB.

Syncing specified users and groups...ERROR: Exiting with exit code 1.

REASON: Caught exception running LDAP sync. XXXXXXXXX02:636; nested exception is javax.naming.CommunicationException: XXXXXXXXXXX002:636 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)]



1,588 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank Shelton
Master Mentor

Created ‎04-15-2019 04:47 AM

@Sandeep R

It seems to be an SSL issue can you validate your LDAP, the port 636 is LDAPS and 389 is for LDAP.

To enable LDAPS, you must install a certificate that meets the following requirements:

  • The LDAPS certificate is located in the Local Computer's Personal certificate store (programmatically known as the computer's MY certificate store).
  • A private key that matches the certificate is present in the Local Computer's store and is correctly associated with the certificate. The private key must not have strong private key protection enabled.
  • The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier (also known as OID).
  • The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in one of the following places:
    • The Common Name (CN) in the Subject field.
    • DNS entry in the Subject Alternative Name extension.
  • The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA chains.
  • You must use the Schannel cryptographic service provider (CSP) to generate the key.


Hope that helps


View solution in original post

1,522 Views
0 Kudos
1 REPLY 1

avatar
author-rank Shelton
Master Mentor

Created ‎04-15-2019 04:47 AM

@Sandeep R

It seems to be an SSL issue can you validate your LDAP, the port 636 is LDAPS and 389 is for LDAP.

To enable LDAPS, you must install a certificate that meets the following requirements:

  • The LDAPS certificate is located in the Local Computer's Personal certificate store (programmatically known as the computer's MY certificate store).
  • A private key that matches the certificate is present in the Local Computer's store and is correctly associated with the certificate. The private key must not have strong private key protection enabled.
  • The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier (also known as OID).
  • The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in one of the following places:
    • The Common Name (CN) in the Subject field.
    • DNS entry in the Subject Alternative Name extension.
  • The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA chains.
  • You must use the Schannel cryptographic service provider (CSP) to generate the key.


Hope that helps


1,523 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements