Support Questions
Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Ranger - Usersync does not work with LDAPS

Labels:
hammad_ali
Contributor

Created ‎03-23-2018 10:44 AM

Dear Community Members,

We have just enabled, SSL on ranger and Ambari , ranger-admin and ambari just works fine as well, although we are not able to make usersync working with LDAPS since we are constantly getting the following

error.com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

We have followed the official HDP documentation placed here: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.4/bk_security/content/configuring_ranger_for_...

Also tried the following article: https://community.hortonworks.com/questions/1018/how-to-configure-ranger-usync-for-ldap-ssl.html

This is also a bug: https://issues.apache.org/jira/browse/RANGER-840 but should have been resolved.

The certificates looks fine since we enabled other HTTPS services also with the same certificates, our cacert file is located at the following path: /etc/pki/ca-trust/extracted/java/cacerts

Following has been set for the ranger.usersync.truststore.file=/etc/pki/ca-trust/extracted/java/cacerts

HDP version: 2.6.4.0

Ranger version: 0.7

Any hints or pointer will be appreciated, thanks in advance.

Cheers !

Hammad

1,521 Views
0 Kudos
1 REPLY 1

gcunha
Contributor

Created ‎03-23-2018 03:26 PM

Hi @Hammad Ali,

That error seems to be because you are not using the correct SSL certificates for your AD/LDAP.

Assuming that you have a separate AD/LDAP instance, that AD/LDAP has is own SSL certificates and you should be using that specific SSL certificates and not the SSL certificates that you used to enable HTTPS.

Create a new key store and import all the public key certificates of the AD/LDAP including the CA and Intermediate of that SSL's.

Then update the following properties in "Advanced ranger-ugsync-site" in Ranger service:

ranger.usersync.truststore.file=/etc/security/clientKeys/all.jks
ranger.usersync.truststore.password=<PASSWORD>

Restart Ranger service.

Gonçalo

1,102 Views
0 Kudos
Take a Tour of the Community
Don't have an account?
Register
Announcements
Community Announcements
Introducing Community Tours
What's New @ Cloudera
Cloudera Machine Learning now supports adding or replacing GPUs in CML Workspaces
Product Announcements
[ANNOUNCE] Cloudera ODBC Connector version 2.6.16 for Impala Released
What's New @ Cloudera
CML's new Data Discovery and Visualization feature accelerates the data science process and reduces time to insights
What's New @ Cloudera
COD now supports replications for META regions enabled by default
View More Announcements
; ;