
LDAP with secured SSL for Kerberos HDP 3.1

Explorer

Hi All,

I have a problem related to enabling LDAP with SSL.
Here is the situation:
I have received a self-signed SSL certificate from the Windows Active Directory team.
We have two Windows AD servers, primary and secondary, gspdidn01.gsp.local and gspdidn02.gsp.local, and the certificate is valid.
Now I am following the HDP 3.1 official documentation for enabling it; I installed the certificate using the steps mentioned in the link below.
(https://docs.hortonworks.com/HDPDocuments/HDP3/HDP-3.1.0/ambari-authentication-ldap-ad/content/authe...)

====================
Review Settings
====================
Primary LDAP Host (10.32.83.35): gspidn01.gsp.local
Primary LDAP Port (636): 636
Secondary LDAP Host <Optional> (10.32.83.36): gspidn02.gsp.local
Secondary LDAP Port <Optional> (636): 636
Use SSL [true/false] (true): true
User object class (user): user
User ID attribute (sAMAccountName): sAMAccountName
Group object class (group): group
Group name attribute (cn): cn
Group member attribute (member): member
Distinguished name attribute (distinguishedName): distinguishedName
Search Base (dc=gsp,dc=local): dc=gsp,dc=local
Referral method [follow/ignore] (follow): follow
Bind anonymously [true/false] (false): false
Handling behavior for username collisions [convert/skip] for LDAP sync (skip): skip
Force lower-case user names [true/false] (false): false
Results from LDAP are paginated when requested [true/false] (false): false
ambari.ldap.connectivity.bind_dn: CN=HDP_Service,OU=Service Accounts,dc=gsp,dc=local
ambari.ldap.connectivity.bind_password: *****
ambari.ldap.advanced.disable_endpoint_identification: true
ssl.trustStore.type: jks
ssl.trustStore.path: /etc/security/ldaps-truststore.jks
ssl.trustStore.password: *****
Save settings [y/n] (y)? y

-> ambari-server restart

Whenever I do curl ldap://gspidn01.gsp.local:389 it gives the expected results, for example:

isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 6
forestFunctionality: 6
domainControllerFunctionality: 6

But when I do

[root@gspdhd01 admin]# curl ldaps://gspidn01.gsp.local:636
## Just blank, nothing is displayed.

This has blocked me totally from enabling Kerberos, as that needs LDAP with secured SSL.

Please, can somebody let me know where things are wrong, or give any suggestion?

4 Replies

Explorer

You need to test the SSL connectivity.

openssl s_client -connect gspidn01.gsp.local:636

Check the TLS communication with the certs:

openssl s_client -connect gspidn01.gsp.local:636 -CAfile /etc/security/serverKeys/ldap.crt

Run an ldapsearch to the LDAP server:

ldapsearch -h gspidn02.gsp.local -p 636 -x -D "uid=HDP_Service,ou=ServiceAccounts,dc=gsp,dc=local" -b "dc=gsp,dc=local" -W

Explorer

Hi @kwabstian53,

Thank you for the quick response.

Here are the results for the tests below:

[root@gspdhd01 admin]# openssl s_client -connect gspidn01.gsp.local:636
CONNECTED(00000003)
depth=1 DC = local, DC = gsp, CN = gsp-GSPIDN01-CA
verify return:1
depth=0 CN = gspidn01.gsp.local
verify return:1
---
Certificate chain
0 s:/CN=gspidn01.gsp.local
i:/DC=local/DC=gsp/CN=gsp-GSPIDN01-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=gspidn01.gsp.local
issuer=/DC=local/DC=gsp/CN=gsp-GSPIDN01-CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
---
SSL handshake has read 1726 bytes and written 659 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA256
Session-ID: 4220000056B7D77DBE11C53E29A71B0E71E06A867EF394A5564B9AE70D546C48
Session-ID-ctx:
Master-Key: C2E4A6977EF6CF2B62C396EBF9C49E0DA95035CAA5A08BEC0C23A406F95DBA0C4B16EECC89F5CAEE504A00C597D7ED25
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1567053717
Timeout : 300 (sec)
Verify return code: 0 (ok)


[root@gspdhd01 admin]# openssl s_client -connect gspidn01.gsp.local:636 -CAfile /home/admin/ad-ca.crt
CONNECTED(00000003)
depth=1 DC = local, DC = gsp, CN = gsp-GSPIDN01-CA
verify return:1
depth=0 CN = gspidn01.gsp.local
verify return:1
---
Certificate chain
0 s:/CN=gspidn01.gsp.local
i:/DC=local/DC=gsp/CN=gsp-GSPIDN01-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF4TCCBMmgAwIBAgITGAAAAAObh58/1Hp3NQAAAAAAAzANBgkqhkiG9w0BAQUF
ADBGMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxEzARBgoJkiaJk/IsZAEZFgNnc3Ax
GDAWBgNVBAMTD2dzcC1HU1BJRE4wMS1DQTAeFw0xOTA1MTYxMzI2NDdaFw0yMDA1
MTUxMzI2NDdaMB0xGzAZBgNVBAMTEmdzcGlkbjAxLmdzcC5sb2NhbDCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAL0NAv82q4G18yxxAqkIBcN6HF6xfn8o
hPyAy0NEg6oN9DYPMZeAbI+M+4PgSFCkahhHq+Cc1hk920wuSkayCbLhGIrbQxk5
t66nYAccquRoUrcZEilIh3dlSFn7jUV5uNd6J4BJWeds7ZTbUWcPUv6LyaqHCYAH
zifCQJc72VEZcyrfYHVKCRHFNP/wbc0dmIhsBPlrE8MfCpZmRCGk6dWMnTeQJxjG
WEK03GuUohSPAyvRUszvws5ss8nclK0aNc3so3d4ChdHu3ES8LcI/EKX4Q+HZvFm
gsIbP+1n82aY7w1ytI3Rr/q2FEfPszWsRFHN0prpUXk6UYDcCWexBXUCAwEAAaOC
Au8wggLrMC8GCSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8A
bABsAGUAcjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/
BAQDAgWgMHgGCSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3
DQMEAgIAgDALBglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjAL
BglghkgBZQMEAQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFJBJUps0
1o3qXXNBLI5eB6IZkv/MMB8GA1UdIwQYMBaAFIF0wvRzUzMxfPE1XswM76Z9nrWK
MIHMBgNVHR8EgcQwgcEwgb6ggbuggbiGgbVsZGFwOi8vL0NOPWdzcC1HU1BJRE4w
MS1DQSxDTj1nc3BpZG4wMSxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2Vydmlj
ZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1nc3AsREM9bG9jYWw/
Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERp
c3RyaWJ1dGlvblBvaW50MIG/BggrBgEFBQcBAQSBsjCBrzCBrAYIKwYBBQUHMAKG
gZ9sZGFwOi8vL0NOPWdzcC1HU1BJRE4wMS1DQSxDTj1BSUEsQ049UHVibGljJTIw
S2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1n
c3AsREM9bG9jYWw/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRp
ZmljYXRpb25BdXRob3JpdHkwPgYDVR0RBDcwNaAfBgkrBgEEAYI3GQGgEgQQSctt
2ckXq0y5qQCiaAaA34ISZ3NwaWRuMDEuZ3NwLmxvY2FsMA0GCSqGSIb3DQEBBQUA
A4IBAQAAW36YLTpHiiRjSWmu6H0/SjCbeLmdKJN5s1XnbXt4kjbbCUYvTMbb/oJ/
h5uf7kIsRdl0zfncGD/JsepLeVLh3GKz1ZDhOWkHQW4VbX0KUW84yqv+irxuKosd
KDuhvGpaR2D9KmlYTdfzDF53rzvyBm6hZUQW+au9E/5MQ3Ej8XnjgaEK5GL3UKNE
S3uUhqtdK91PcirvpTRVdgGsJb3DkzvxC628d3VQKLKkio4YkXi9rE3/rongu85C
ow5WZ4SaPFh63l93Kd+Raa7CNmn1IWA0HXCAmX5kjNrQW9LDtYjTnvcXXfrnwaXd
HNApJDvKPHlbqc6UGBU7JoUj6ri8
-----END CERTIFICATE-----
subject=/CN=gspidn01.gsp.local
issuer=/DC=local/DC=gsp/CN=gsp-GSPIDN01-CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
---
SSL handshake has read 1726 bytes and written 659 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA256
Session-ID: 1D230000F115D38D94169A6DBA55FE2062091ADD61B826DCF01BBC3AA9289224
Session-ID-ctx:
Master-Key: 934F0B8AEF0695606BEF9BF0112F889E7E0499D15DED3744963307CC84BC2C4058E903136ABF1CC4274D820C4063D571
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1567053874
Timeout : 300 (sec)
Verify return code: 0 (ok)

[root@gspdhd01 admin]# ldapsearch -h gspidn02.gsp.local -p 636 -x -D "uid=HDP_Service,ou=ServiceAccounts,dc=gsp,dc=local" -b "dc=gsp,dc=local" -W
Enter LDAP Password:
ldap_result: Can't contact LDAP server (-1)
[root@gspdhd01 admin]# ldapsearch -h gspidn01.gsp.local -p 636 -x -D "uid=HDP_Service,ou=ServiceAccounts,dc=gsp,dc=local" -b "dc=gsp,dc=local" -W
Enter LDAP Password:
ldap_result: Can't contact LDAP server (-1)

May I know where the problem is?

Regards,

Manjunath P N

Explorer

Here is the problem:

ldap_result: Can't contact LDAP server (-1)

Do a telnet from the host to the LDAP server:

telnet gspidn01.gsp.local 636

Check and edit

/etc/openldap/ldap.conf

Replace any lines that start with "TLS_CACERT" with the following:

TLS_CACERT /etc/ssl/certs/ca-bundle.crt


Explorer

@kwabstian53 Yes, I did as you said.

telnet gspidn01.gsp.local 636

Able to connect:

telnet gspidn01.gsp.local 636
Trying 10.32.83.35...
Connected to gspidn01.gsp.local.
Escape character is '^]'.

As you said, I changed ldap.conf:

#TLS_CACERTDIR /home/admin/ad-ca.crt

TLS_CACERT /etc/ssl/certs/ca-bundle.crt
TLS_REQCERT allow

I did restart ambari-server.

Even after this I am still unable to do ldapsearch with port 636.

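The checks the thread runs by hand, collected into an added example that is not from the thread's participants, Ambari, OpenLDAP or Cloudera. It assumes the host names, paths and settings shown in the posts; the ldap.conf text and Ambari settings it audits are constructed from the last post and the original settings dump. Two things visible on the page deserve a check before anything else: the ldapsearch commands use -h/-p with no ldaps:// scheme, which makes ldapsearch speak plaintext LDAP to port 636 and is consistent with the "Can't contact LDAP server (-1)" result, and both TLS_REQCERT allow and ambari.ldap.advanced.disable_endpoint_identification: true relax certificate verification, so a connection that works only with them in place proves less than it appears to. The bind DN in the ldapsearch commands (uid=HDP_Service,ou=ServiceAccounts) also differs from the one in the Ambari settings (CN=HDP_Service,OU=Service Accounts). The openssl output in the thread already shows Verify return code: 0 (ok) without -CAfile, so the CA is in the system trust store; probe_ldaps below performs the same handshake but fails hard on an untrusted chain or host-name mismatch instead of printing a code and continuing.

```python
"""Client-side checks for an LDAPS endpoint and for the settings that decide
whether the TLS connection is actually verified.

Added example for this thread (not Ambari, OpenLDAP or Cloudera code).
Host names and paths come from the thread; the sample config text is
constructed from the last post.
"""
import socket
import ssl
from typing import Dict, List, Optional, Tuple


def ldap_uri(host: str, port: int = 636, use_tls: bool = True) -> str:
    """Build the URI to pass to ldapsearch -H.

    With -h/-p and no scheme, ldapsearch speaks plaintext LDAP to the port;
    against an LDAPS-only listener on 636 that fails with
    "Can't contact LDAP server (-1)". ldaps://host:636 selects TLS.
    """
    scheme = "ldaps" if use_tls else "ldap"
    return f"{scheme}://{host}:{port}"


def audit_ldap_conf(text: str) -> List[str]:
    """Flag /etc/openldap/ldap.conf settings that weaken or break server
    certificate verification for ldapsearch and other libldap clients."""
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no setting
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "TLS_REQCERT" and value.lower() in ("never", "allow"):
            findings.append(
                f"line {lineno}: TLS_REQCERT {value} lets the client proceed "
                "with a missing or unverifiable server certificate")
        if key == "TLS_CACERTDIR" and value.lower().endswith((".crt", ".pem", ".cer")):
            findings.append(
                f"line {lineno}: TLS_CACERTDIR expects a directory of hashed CA "
                f"certificates, but {value} looks like a single file "
                "(use TLS_CACERT for a file)")
    return findings


def audit_ambari_ldap(settings: Dict[str, str]) -> List[str]:
    """Flag Ambari LDAP settings that switch off part of TLS verification."""
    findings: List[str] = []
    key = "ambari.ldap.advanced.disable_endpoint_identification"
    if settings.get(key, "").strip().lower() == "true":
        findings.append(
            f"{key}=true: the server certificate is not matched against the "
            "LDAP host name, so any certificate chaining to the trust store "
            "is accepted for any host")
    return findings


def probe_ldaps(host: str, port: int = 636, cafile: Optional[str] = None,
                timeout: float = 5.0) -> Tuple[str, Dict[str, str]]:
    """Complete a fully verified TLS handshake with the LDAPS listener and
    return the negotiated protocol and the server certificate's subject.

    create_default_context() verifies the chain (system store, or cafile if
    given) and the host name; failures raise instead of being reported only
    as a verify return code.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
            return tls.version(), subject


# Constructed from the ldap.conf lines and Ambari settings quoted in the thread.
SAMPLE_LDAP_CONF = """\
#TLS_CACERTDIR /home/admin/ad-ca.crt

TLS_CACERT /etc/ssl/certs/ca-bundle.crt
TLS_REQCERT allow
"""

SAMPLE_AMBARI = {
    "ambari.ldap.advanced.disable_endpoint_identification": "true",
    "ssl.trustStore.type": "jks",
    "ssl.trustStore.path": "/etc/security/ldaps-truststore.jks",
}

if __name__ == "__main__":
    print("use: ldapsearch -H", ldap_uri("gspidn01.gsp.local"), "-x -D <bind dn> -W ...")
    for finding in audit_ldap_conf(SAMPLE_LDAP_CONF) + audit_ambari_ldap(SAMPLE_AMBARI):
        print("WARN", finding)
    # Live probe; the thread's host and CA file path are placeholders here.
    try:
        print(probe_ldaps("gspidn01.gsp.local", cafile="/home/admin/ad-ca.crt"))
    except OSError as exc:  # ssl.SSLError and socket errors are OSError subclasses
        print("LDAPS probe failed:", exc)
```

Once probe_ldaps succeeds with the real CA file and no relaxed settings, TLS_REQCERT can go back to demand and endpoint identification can be re-enabled in Ambari; if ldapsearch then still fails while the probe passes, the remaining difference is the bind DN or credentials, not TLS.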
