Not able to login to Ranger as AD user, however, UserSync works fine.

Rising Star

I am using AD authentication for Ranger in HDP 2.5.0. The UserSync works fine and I am able to see the AD Users and Groups in Ranger.

However, I am not able to login as an AD User. The UI says "The username or password you entered is incorrect". The log says:

2017-03-31 12:20:22,008 [http-bio-6080-exec-4] INFO org.apache.ranger.security.listener.SpringEventListener (SpringEventListener.java:87) - Login Unsuccessful:d786090 | Ip Address:10.60.179.195 | Bad Credentials

I have tried the suggestions mentioned in the below URLs:

https://community.hortonworks.com/questions/27382/can-not-login-to-ranger-using-ldap-or-ad-user-afte... and https://community.hortonworks.com/questions/21800/can-not-login-to-ranger-using-ldap-user-after-user...

As mentioned in the above URLs, I have tried the below mentioned values for the "User Search Filter":

(uid=*)

sAMAccountName={0}

space

But that did not help. Can anyone help?

Please note I am using "ldaps", i.e. my AD URL is of the format "ldaps://<AD Host>:636".

Thanks,

Ekantheshwara

1 ACCEPTED SOLUTION

Super Collaborator

@Ekantheshwara Basappa

Ranger admin in HDP 2.5 has a new property for a truststore. So if using ldaps, you need to import the LDAP server cert into the Ranger admin truststore, property name ranger.truststore.file. Although no log is being shown for the failed connection to the LDAP server, setting Ranger to debug will show that Ranger admin is not able to establish an SSL connection to the LDAP server and thereby not able to validate the user login.

Ranger usersync has a similar property, ranger.usersync.truststore.file, which must already have the LDAP server cert in it, as you have mentioned usersync is working fine. Use the same truststore file for ranger.truststore.file and see if it works.

Make sure that you set the UserSearchFilter to sAMAccountName={0} if using AD for LDAP accounts.

Contributor

Great, this was actually my case.

Thanks

Rising Star

@rguruvannagari

Thanks for responding to my question.

You are right. The usersync config was pointing to the right trust store file while ranger admin was pointing to a wrong one. I pointed ranger admin to the right one. And I set the User Search Filter with the value sAMAccountName={0}. However, I continue to get the same error.

Also, when I set the root logger to debug mode (under Advanced admin-log4j), the generated logs are not very helpful. This is what I get:

2017-04-03 09:29:58,710 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:346) - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
2017-04-03 09:29:58,710 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:347) - Updated SecurityContextHolder to contain null Authentication
2017-04-03 09:29:58,711 [http-bio-6080-exec-3] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:348) - Delegating to authentication failure handler org.apache.ranger.security.web.authentication.RangerAuthFailureHandler@22c447dd
2017-04-03 09:29:58,711 [http-bio-6080-exec-3] DEBUG apache.ranger.security.web.authentication.RangerAuthFailureHandler (RangerAuthFailureHandler.java:74) - commence() X-Requested-With=XMLHttpRequest
2017-04-03 09:29:58,714 [http-bio-6080-exec-3] DEBUG apache.ranger.security.web.authentication.RangerAuthFailureHandler (RangerAuthFailureHandler.java:114) - Sending login failed response : {"statusCode":401,"msgDesc":"The username or password you entered is incorrect.."}

How do I get the detailed log so that I know what exactly the problem is?

Regards,

Ekanth

Super Collaborator

This is not the complete log. Generally, if the authentication is denied from the LDAP server end, you must see the LDAP-related exception before the one you pasted above. Please review the complete debug log to find the actual error.

And is it AD or LDAP for authentication? You can modify the UserSearchFilter and set it the same as you have in the UserSync configuration.

Rising Star

@rguruvannagari

I changed all the 'info' and 'warn' values under 'Advanced admin-log4j' to 'debug' (not just the root logger). Only then did I start seeing detailed exceptions. After I pointed Ranger admin to the right truststore file, I had not updated the password. The debug-enabled logs clearly showed that the truststore password was wrong. I updated the correct password and now I am able to log in as an AD user.

Thanks a lot!

Regards,

Ekantheshwara Basappa
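The thread ends with three separate misconfigurations found one at a time: Ranger admin pointed at a different truststore than usersync, the user search filter was not sAMAccountName={0}, and finally the truststore password was wrong. The script below is an added example (not code from the thread or from Apache Ranger) that checks all three offline against the Ambari-style XML config files, so a wrong truststore password is caught without waiting for a failed login. It assumes Hadoop-style <configuration> XML, the property names ranger.ldap.ad.url, ranger.ldap.ad.user.searchfilter, ranger.truststore.password and ranger.usersync.truststore.password in addition to the two truststore-file properties named in the accepted answer, and a JKS-format truststore; the sample config values and the empty sample keystore are constructed for the demo. The password check works because a JKS file ends in a SHA-1 integrity digest keyed with the store password, which is what Java verifies when it reports "Keystore was tampered with, or password was incorrect".

```python
"""Offline consistency checks for a Ranger admin LDAPS login setup.

Added example, not part of the thread or of Ranger itself. Property names
are assumed to match the cluster's ranger-admin-site / ranger-ugsync-site
files; sample values below are constructed.
"""
import hashlib
import struct
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Property names (assumed; ADMIN_TS and SYNC_TS are the two named in the thread).
ADMIN_URL = "ranger.ldap.ad.url"
ADMIN_FILTER = "ranger.ldap.ad.user.searchfilter"
ADMIN_TS = "ranger.truststore.file"
ADMIN_TS_PW = "ranger.truststore.password"
SYNC_TS = "ranger.usersync.truststore.file"
SYNC_TS_PW = "ranger.usersync.truststore.password"

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # constant used by Java's JKS integrity digest


def parse_hadoop_xml(text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def jks_password_ok(data, password):
    """Recompute the JKS integrity digest and compare it with the stored one.

    Returns True/False for a JKS file, None if the data is not JKS (e.g. PKCS12).
    Digest = SHA1(UTF-16BE(password) || "Mighty Aphrodite" || file body).
    """
    if len(data) < 24 or struct.unpack(">I", data[:4])[0] != JKS_MAGIC:
        return None
    body, stored = data[:-20], data[-20:]
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))  # Java char[] -> 2 bytes per char
    md.update(JKS_SALT)
    md.update(body)
    return md.digest() == stored


def check_ranger_ldaps(admin, sync, admin_ts_bytes=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    scheme = urlparse(admin.get(ADMIN_URL, "")).scheme.lower()
    if scheme == "ldaps":
        if not admin.get(ADMIN_TS):
            findings.append(f"{ADMIN_URL} uses ldaps but {ADMIN_TS} is unset")
        elif sync.get(SYNC_TS) and admin[ADMIN_TS] != sync[SYNC_TS]:
            # Usersync works, so its truststore is known-good: admin should reuse it.
            findings.append(f"{ADMIN_TS} ({admin[ADMIN_TS]}) differs from "
                            f"{SYNC_TS} ({sync[SYNC_TS]})")
    elif scheme != "ldap":
        findings.append(f"{ADMIN_URL} has unexpected scheme {scheme!r}")
    if admin.get(ADMIN_FILTER) != "sAMAccountName={0}":
        findings.append(f"{ADMIN_FILTER} should be sAMAccountName={{0}} for AD, "
                        f"got {admin.get(ADMIN_FILTER)!r}")
    if admin_ts_bytes is not None:
        ok = jks_password_ok(admin_ts_bytes, admin.get(ADMIN_TS_PW, ""))
        if ok is False:
            findings.append(f"{ADMIN_TS_PW} does not open {admin.get(ADMIN_TS)}")
        elif ok is None:
            findings.append(f"{admin.get(ADMIN_TS)} is not JKS; verify it with keytool")
    return findings


def build_empty_jks(password):
    """Constructed sample: a valid JKS file with zero entries, MACed with password."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)  # magic, version 2, entry count 0
    return body + hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()


# Constructed sample configs reproducing the thread's three mistakes.
ADMIN_XML = """<configuration>
  <property><name>ranger.ldap.ad.url</name><value>ldaps://ad.example.test:636</value></property>
  <property><name>ranger.ldap.ad.user.searchfilter</name><value>(uid=*)</value></property>
  <property><name>ranger.truststore.file</name><value>/path/to/admin-truststore.jks</value></property>
  <property><name>ranger.truststore.password</name><value>wrong-password</value></property>
</configuration>"""
SYNC_XML = """<configuration>
  <property><name>ranger.usersync.truststore.file</name><value>/path/to/usersync-truststore.jks</value></property>
  <property><name>ranger.usersync.truststore.password</name><value>changeit</value></property>
</configuration>"""


def demo():
    """Run the checks on the constructed samples; the store's real password is 'changeit'."""
    return check_ranger_ldaps(parse_hadoop_xml(ADMIN_XML),
                              parse_hadoop_xml(SYNC_XML), build_empty_jks("changeit"))


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

On a real cluster, read the two XML files and the truststore bytes from disk in place of the constructed samples; a finding on the password line is the same condition that only surfaced here after every log4j logger was turned to debug.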