
Ranger Usersync with LDAPS not working

Hello Everyone,

I've recently installed Ranger on CDP Private Cloud Base 7.1.5.

For usersync, I'm connecting to my organization's AD. For some reason, usersync is throwing an SSLHandshakeException and is not working.

2021-04-10 13:41:28,715 ERROR org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder: LdapUserGroupBuilder.getUsers() failed with exception:
javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: simple bind failed: <AD Domain>:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]]
        at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:237)
        at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189)
        at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.getUsers(LdapUserGroupBuilder.java:435)
        at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:325)
        at org.apache.ranger.usergroupsync.UserGroupSync.syncUserGroup(UserGroupSync.java:100)
        at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:55)
        at java.lang.Thread.run(Thread.java:748)
Caused by: javax.naming.CommunicationException: simple bind failed: <AD Domain>:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:96)
        at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:151)
        at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(AbstractLdapNamingEnumeration.java:325)
        at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:227)
        ... 6 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:296)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:291)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154)
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1279)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1188)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401)
        at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:808)
        at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:75)
        at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1093)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:450)
        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:423)
        at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2895)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:225)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:152)
        at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(ldapURLContextFactory.java:52)
        at javax.naming.spi.NamingManager.getURLObject(NamingManager.java:601)
        at javax.naming.spi.NamingManager.processURL(NamingManager.java:381)
        at javax.naming.spi.NamingManager.processURLAddrs(NamingManager.java:361)
        at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:333)
        at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:119)
        ... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
        at sun.security.validator.Validator.validate(Validator.java:271)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:128)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:636)
        ... 39 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
        ... 45 more
2021-04-10 13:41:28,718 INFO org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder: LdapUserGroupBuilder.getUsers() user count: 0
2021-04-10 13:41:28,721 INFO org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder: deltaSyncUserTime = 0 and highestdeltaSyncUserTime = 0
2021-04-10 13:41:28,721 INFO org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder: deltaSyncGroupTime = 0 and highestdeltaSyncGroupTime = 0

I've imported the LDAPS certificate into /usr/java/default/jre/lib/security/cacerts, and the following property is set to this path:

ranger.usersync.truststore.file = /usr/java/default/jre/lib/security/cacerts

The surprising thing is that my usersync LDAP URL is set as follows:

ranger.usersync.ldap.url = ldaps://<AD Domain Controller Server1>:636

but in the error I'm getting "simple bind failed: <AD Domain>:636".

With the same configuration for all other properties, Ranger Admin authentication with AD works perfectly, but usersync is not happening.

Things I've already tried:
  1. From this link, I tried adding -Djavax.net.ssl.trustStore=/<path to the cacert> in the ranger-usersync-services.sh file.
  2. From this link, I tried adding the ranger.usersync.sink.impl.class property to my config.
  3. Experimented with user search/group search settings.

Kindly add your suggestions.


Thanks,

Megh
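The stack trace above shows where the handshake actually fails. The frames LdapReferralException.getReferralContext and LdapReferralContext.<init> sit between hasMoreReferrals and the failing LdapCtx.connect, which means the first connection and simple bind to the configured host succeeded, the search was already returning entries, and the PKIX failure happened on a second connection that JNDI opened by itself to chase a referral returned by AD. That is why the error names <AD Domain>:636 rather than the host in ranger.usersync.ldap.url: for a subtree search from the domain root, AD returns continuation references to its other partitions using DNS names under the domain, and those names resolve to whichever domain controller answers. The certificate presented on that second connection can therefore be a different DC's certificate, and if only one DC's leaf certificate was imported into the trust store (rather than the issuing CA chain), the first DC validates and the referral target does not. Two things follow for usersync: referral chasing is controlled by ranger.usersync.ldap.referral (the JNDI Context.REFERRAL setting; "ignore" avoids the second connection entirely if the other partitions are not needed), and whatever trust store the usersync JVM loads must contain the CA chain that every DC in the domain chains to.

The probe below is an added example, not Ranger's code and not from anyone in the thread. It reproduces what usersync does with plain JNDI (LDAPS simple bind, subtree search) and lets you set Context.REFERRAL to throw, follow or ignore from the command line, so with throw AD's referral target is printed instead of being silently connected to. The hostnames, DNs, search filter, password and trust store path in the comments are placeholders to replace with your own.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.ReferralException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Added example (not Ranger code): a stand-alone JNDI probe that reproduces the
// usersync LDAPS bind + subtree search and makes referral handling explicit.
// All hosts, DNs and paths below are placeholders.
//
//   javac LdapsReferralProbe.java
//   java -Djavax.net.ssl.trustStore=/path/to/truststore.jks \
//        -Djavax.net.ssl.trustStorePassword=changeit \
//        LdapsReferralProbe ldaps://dc1.example.com:636 \
//        'CN=svc-ranger,OU=Service Accounts,DC=example,DC=com' 'secret' \
//        'DC=example,DC=com' throw
public class LdapsReferralProbe {

    public static void main(String[] args) throws NamingException {
        if (args.length != 5) {
            System.err.println("usage: LdapsReferralProbe <ldaps-url> <bind-dn> <password> <search-base> <throw|follow|ignore>");
            System.exit(2);
        }
        String url = args[0], bindDn = args[1], password = args[2], base = args[3], referral = args[4];

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Same knob Ranger exposes as ranger.usersync.ldap.referral.
        // "throw" surfaces the referral URL instead of opening a second TLS connection to it.
        env.put(Context.REFERRAL, referral);

        System.out.println("trustStore in use: "
                + System.getProperty("javax.net.ssl.trustStore", "<JVM default cacerts>"));

        DirContext ctx = null;
        try {
            // TLS handshake + simple bind against the configured host only.
            ctx = new InitialDirContext(env);
            System.out.println("bind OK against " + url);

            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"sAMAccountName"});
            NamingEnumeration<SearchResult> results =
                    ctx.search(base, "(&(objectClass=user)(objectCategory=person))", sc);

            int count = 0;
            // hasMore() is where JNDI chases (or throws) the referrals AD appends to the result set.
            while (results.hasMore()) {
                results.next();
                count++;
            }
            System.out.println("users returned: " + count);
        } catch (ReferralException e) {
            // referral=throw: this is the host whose certificate must also validate under referral=follow.
            System.out.println("referral received, target: " + e.getReferralInfo());
        } catch (PartialResultException e) {
            // referral=ignore gives a bare PartialResultException; referral=follow wraps the failure of
            // the second connection to the referral target (the shape seen in the usersync log).
            System.out.println("partial result: " + e.getMessage());
            printCauseChain(e);
        } catch (CommunicationException e) {
            // Handshake or bind failure on the configured URL itself.
            System.out.println("bind to " + url + " failed: " + e.getMessage());
            printCauseChain(e);
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
    }

    // Walk the cause chain so the SSL/PKIX root cause is visible without reading a full stack trace.
    private static void printCauseChain(Throwable t) {
        String indent = "  ";
        for (Throwable c = t.getCause(); c != null; c = c.getCause()) {
            System.out.println(indent + "caused by: " + c);
            indent += "  ";
        }
    }
}
```

Run it with the same java binary and -Djavax.net.ssl.trustStore value that the running usersync process shows on its command line, first with throw to see which host AD refers you to, then with follow. If the bind to the configured URL succeeds but follow fails on the referral target with the same PKIX error, the trust store is missing the CA that the other domain controllers chain to; importing the issuing CA chain (rather than a single DC's server certificate) into that trust store fixes every DC the domain name can resolve to, and ignore is the alternative when the referenced partitions are not needed for the sync.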


Re: Ranger Usersync with LDAPS not working

Hello

Referring to this old HDP documentation, double-check that "ranger.usersync.truststore.file" should be the Ranger Admin's self-signed keystore; the command to create it is in the link below.

https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.0.1/configuring-wire-encryption/content/configurin...

Re: Ranger Usersync with LDAPS not working

Hi @Daming Xue,

The link you've shared is broken. Can you please re-share?

Thanks,

Megh


Re: Ranger Usersync with LDAPS not working

Hi @Daming Xue,

I had tried this one as well, putting the mytruststore.jks file into the /etc/ranger/usersync/conf/ directory.

But since this is Cloudera, the file gets dropped at the next restart, since on each restart the config is refreshed to the latest running pid. So it didn't work out.

Thanks,

Megh

Re: Ranger Usersync with LDAPS not working

Hello

Have you explored the Auto-TLS feature?

https://blog.cloudera.com/auto-tls-in-cloudera-data-platform-data-center/

Re: Ranger Usersync with LDAPS not working

Hi @Daming Xue,

I haven't explored Auto-TLS yet, but will check it out.

Thanks for sharing.

Thanks,

Megh