Support Questions

Find answers, ask questions, and share your expertise

LDAP: error code 49 when setting LDAP auth for HiveServer2

avatar
Super Collaborator

Hello Gurus :) HDP 2.3.2 Ambari 2.1.2.1

I'm trying to setup HiveServer2 with LDAP authentication. It seems pretty straightforward: I performed the following: Changed HiveServer2 Authentication to LDAP

1954-1.png Then i setup my LDAP server url (as the Ambari requested): 1955-2.png Restarted the Hive but hiveserver2.log shows the following during it's startup: ERROR [HiveServer2-Handler-Pool: Thread-56]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: Error validating LDAP user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]]]

According to the error LDAP 49 - 52e the problem is with the credentials that were passed to the LDAP server. I don't find any field \ parameter in which i set the LDAP user & password for authentication... Needless to say that the authentication acts as if it is set to NONE (which is a major problem....)

Any ideas ? Thanks in advance Adi J.

2 ACCEPTED SOLUTIONS

avatar

@Adi Jabkowsky

Is this happening when HS2 is started ONLY or when you connect via Beeline or both?

Try the following:

  1. Your hive.server2.authentication.ldap.baseDN has a blank space. Remove the blank space and restart HS2 from Hosts in Ambari
    #From
    <property>
    <name>hive.server2.authentication.ldap.baseDN</name>
    <value> </value>
    </property>
    
    #To
    <property>
    <name>hive.server2.authentication.ldap.baseDN</name>
    <value></value>
    </property>
  2. Remove hive.server2.authentication.ldap.Domain or set to Blank. Then log into HS2 using beeline and set your user to myuser@corp.cellcom.co.il as your login and see if it authenticates
  3. Set hive.server2.enable.doAs to False so that Hive user executes the query,
  4. If you are using a Hive AD user, Double check that the hive AD UID is the same in /etc/passwd file. Make an archive of HS2 Logs, change /etc/passwd to have the same UUID as the AD hive user, and restart HS2.

View solution in original post

avatar
Explorer

Hi  @Adija1 .

 

Have you hever managed to find out where to indicate username and password for hiveserver2 to be able to auth against Ad LDAP ?

 

I currently have this error:

 

[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v2580]
 
But I have nowhere in Hive config (Ambari 3.1) to say what user and password to use, and even though this question has been asked at least twice on this post, no one answered...

View solution in original post

41 REPLIES 41

avatar
Explorer

But my question is :- Why Realm is required while Connect via Beeline

avatar
New Contributor

@Neeraj Sabharwal

Hi Neeraj,

I am also able to login using LDAP credentials . However i have one question , please help in clearing my doubts, :-

1. If wee enable LDAP authentication for hive server2, and it is able to authenticate , then do we need knox gateway for connecting beeline or JDBC tools like SQuirrel.

2. Can Knox need LDAP authentication on at hive-server2 to work as in my case if i switch off LDAP authentication , and enabling knox , i can still login with no or worng credentials using beeline.