Created 04-04-2017 02:54 AM
I am using AD authentication for Ranger in HDP 2.5.0. The UserSync works fine and I am able to see the AD Users and Groups in Ranger.
However, I am not able to login as an AD User. The UI says "The username or password you entered is incorrect". The log says:
2017-03-31 12:20:22,008 [http-bio-6080-exec-4] INFO org.apache.ranger.security.listener.SpringEventListener (SpringEventListener.java:87) - Login Unsuccessful:d786090 | Ip Address:10.60.179.195 | Bad Credentials
I have tried the suggestions mentioned in the below URLs:
https://community.hortonworks.com/questions/27382/can-not-login-to-ranger-using-ldap-or-ad-user-afte... and https://community.hortonworks.com/questions/21800/can-not-login-to-ranger-using-ldap-user-after-user...
As mentioned in the above URLs, I have tried the below mentioned values for the "User Search Filter":
(uid=*)
sAMAccountName={0}
space
But that did not help. Can anyone help?
Please note I am using "ldaps" i.e. my AD URL is of the format "ldaps://<AD Host>:636"
Thanks,
Ekantheshwara
Created 04-06-2017 04:29 AM
Ranger admin in HDP 2.5 has a new property for a truststore. So if using ldaps, you need to import the ldap server cert into the ranger admin truststore, property name ranger.truststore.file. Although no log is shown for the failed connection to the ldap server, setting ranger debug will show that ranger admin is not able to establish an ssl connection to the ldap server and thereby is not able to validate the user login.
Ranger usersync has a similar property, ranger.usersync.truststore.file, which must already have the ldap server cert in it, as you have mentioned usersync is working fine. Use the same truststore file for ranger.truststore.file and see if it works.
Make sure that you set the UserSearchFilter as sAMAccountName={0} if using AD for ldap accounts.
Created 04-05-2017 10:52 PM
@santosh nukala @Avijeet Dash @spolavarapu @Sagar Shimpi
Any ideas?
Created 08-28-2018 10:10 AM
Great, this was actually my case.
Thanks
Created 04-06-2017 07:09 AM
@rguruvannagari
Thanks for responding to my question.
You are right. The usersync config was pointing to the right trust store file while ranger admin was pointing to a wrong one. I pointed ranger admin to the right one. And I set the User Search Filter with the value sAMAccountName={0}. However, I continue to get the same error.
Also, when I set the root logger to debug mode (under Advanced admin-log4j), the generated logs are not very helpful. This is what I get:
2017-04-03 09:29:58,710 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:346) - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
2017-04-03 09:29:58,710 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:347) - Updated SecurityContextHolder to contain null Authentication
2017-04-03 09:29:58,711 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:348) - Delegating to authentication failure handler org.apache.ranger.security.web.authentication.RangerAuthFailureHandler@22c447dd
2017-04-03 09:29:58,711 [http-bio-6080-exec-3] DEBUG apache.ranger.security.web.authentication.RangerAuthFailureHandler (RangerAuthFailureHandler.java:74) - commence() X-Requested-With=XMLHttpRequest
2017-04-03 09:29:58,714 [http-bio-6080-exec-3] DEBUG apache.ranger.security.web.authentication.RangerAuthFailureHandler (RangerAuthFailureHandler.java:114) - Sending login failed response : {"statusCode":401,"msgDesc":"The username or password you entered is incorrect.."}
How do I get the detailed log so that I know what exactly the problem is?
Regards,
Ekanth
Created 04-06-2017 07:24 AM
This is not the complete log; generally, if the authentication denial comes from the ldap server end, you must see the ldap related exception before the one you pasted above. Please review the complete debug log to find the actual error.
And is it AD or ldap for authentication? You can modify the UserSearchFilter and set it the same as you have in the UserSync configuration.
Created 04-06-2017 10:50 PM
@rguruvannagari
I changed all the 'info' and 'warn' values under 'Advanced admin-log4j' to 'debug' (not just the root logger). Only then I started seeing detailed exceptions. After I pointed ranger admin to the right truststore file, I had not updated the password. The debug enabled logs clearly showed that the trust store password was wrong. I updated the correct password and now I am able to login as AD user.
Thanks a lot!
Regards,
Ekantheshwara Basappa
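The root cause in this thread (a stale ranger.truststore.password after switching ranger.truststore.file) only shows up as "Bad credentials" unless every admin-log4j logger is at debug. As an added example that is not part of the thread or of Ranger itself, the script below recomputes the JKS integrity digest the JDK uses (SHA-1 over the UTF-16BE password, the constant "Mighty Aphrodite" and the keystore body) so the truststore password can be verified offline, and reports the entry count so an empty truststore (no LDAP server cert imported) is caught too. build_empty_jks only constructs a sample keystore for demonstration; the file paths and passwords you pass to check_truststore are your own.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED     # classic JKS, what keytool writes by default
JCEKS_MAGIC = 0xCECECECE   # JCEKS uses the same trailing integrity digest
_SALT = b"Mighty Aphrodite"  # constant the JDK mixes into the digest
_DIGEST_LEN = 20             # SHA-1

def _prekeyed_sha1(password: str):
    # JDK order: password chars as UTF-16BE, then the salt, then the body.
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))
    md.update(_SALT)
    return md

def parse_header(data: bytes) -> int:
    """Validate the JKS/JCEKS header and return the number of entries."""
    if len(data) < 12 + _DIGEST_LEN:
        raise ValueError("too short to be a keystore")
    magic, version, count = struct.unpack(">III", data[:12])
    if magic not in (JKS_MAGIC, JCEKS_MAGIC) or version not in (1, 2):
        raise ValueError("not a JKS/JCEKS keystore (PKCS12 or corrupt file?)")
    return count

def password_matches(data: bytes, password: str) -> bool:
    """True iff `password` reproduces the keystore's trailing SHA-1 digest."""
    parse_header(data)
    body, stored = data[:-_DIGEST_LEN], data[-_DIGEST_LEN:]
    md = _prekeyed_sha1(password)
    md.update(body)
    return hmac.compare_digest(md.digest(), stored)

def build_empty_jks(password: str) -> bytes:
    """Constructed sample: a zero-entry JKS laid out as keytool writes it."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    md = _prekeyed_sha1(password)
    md.update(body)
    return body + md.digest()

def check_truststore(path: str, password: str) -> str:
    """Report whether the truststore on disk opens with the configured password."""
    with open(path, "rb") as f:
        data = f.read()
    count = parse_header(data)
    if not password_matches(data, password):
        return f"{path}: WRONG PASSWORD (ranger.truststore.password does not open it)"
    return f"{path}: password OK, {count} entries (0 means no LDAP cert imported)"
```

Call check_truststore with the value of ranger.truststore.file and ranger.truststore.password from the admin config; `keytool -list -keystore <file> -storepass <password>` performs the same integrity check and additionally lists the imported certificates.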