can not login to ranger using LDAP user after user sync

Explorer

Hi,

I successfully configured and synced the users/groups with Ranger from LDAP. I see the users and groups successfully on the Ranger UI.

However, when I try to login to ranger UI using the LDAP user, it fails saying "invalid user credentials." There is no other information or exception.

In the audit log I see the record of "wrong password" under login. However, I validated that the user's password is correct by logging in as that user from the console.

I followed the instructions as mentioned in --

https://community.hortonworks.com/articles/16696/ranger-ldap-integration.html

Assigned the LDAP user in the Ranger UI as "admin" role. Still does not work.

The configuration that I have is:

Enable User Sync --> Yes
LDAP/AD URL --> ldap://ldap-server.com:389
Sync Source --> LDAP/AD
Bind Anonymous --> No
Bind User --> cn=root
Bind User Password --> password for root
Username Attribute --> uid
User Object Class --> posixAccount
User Search Base --> dc=hadoop,dc=com
User Search Filter --> (uid=*)
User Search Scope --> blank
User Group Name Attribute --> cn
Group User Map Sync --> Yes

Enable Group Sync --> Yes
Group Member Attribute --> member
Group Name Attribute --> cn
Group Object Class --> posixGroup
Group Search Base --> dc=hadoop,dc=com
Group Search Filter --> (member=*)

I am expecting to be able to login into Ranger UI using the LDAP user, as mentioned in the article:

https://community.hortonworks.com/articles/16696/ranger-ldap-integration.html

Regards,

Madhavi.

12 REPLIES

Re: can not login to ranger using LDAP user after user sync

@Madhavi Amirneni

Have you restarted Ranger after the config change?

Re: can not login to ranger using LDAP user after user sync

@Madhavi Amirneni Can you also verify what the setting is for Authentication Method under Ranger settings? It should be set to AD.

Re: can not login to ranger using LDAP user after user sync

Explorer

Hi Shishir,

Yes, I have restarted Ranger after config. changes.

Also, the Authentication Method under Ranger is supposed to be set to LDAP, not AD, right? That is what I am trying here.

And it is set to LDAP.

Re: can not login to ranger using LDAP user after user sync

Expert Contributor

Hi All,

I have the same problem, AD sync is working, I see the users/groups. But can't login.

The Error debug log is below -

2016-08-18 04:36:43,456 [http-bio-6080-exec-6] DEBUG apache.ranger.security.web.authentication.RangerAuthenticationEntryPoint (RangerAuthenticationEntryPoint.java:83) - commence() X-Requested-With=null
2016-08-18 04:36:50,699 [http-bio-6080-exec-2] DEBUG org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter (AbstractAuthenticationProcessingFilter.java:189) - Request is to process authentication
2016-08-18 04:36:50,859 [http-bio-6080-exec-2] DEBUG org.apache.ranger.security.handler.RangerAuthenticationProvider (RangerAuthenticationProvider.java:412) - AD Authentication Failed: org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 222
    at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntryInternal(SpringSecurityLdapTemplate.java:243)
    at org.springframework.security.ldap.SpringSecurityLdapTemplate$3.executeWithContext(SpringSecurityLdapTemplate.java:198)
    at org.spr

2016-08-18 04:36:50,949 [http-bio-6080-exec-2] DEBUG org.apache.ranger.security.handler.RangerAuthenticationProvider (RangerAuthenticationProvider.java:283) - AD Authentication Failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
    at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.badCredentials(ActiveDirectoryLdapAuthenticationProvider.java:263)
    at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.badCredentials(ActiveDirectoryLdapAuthenticationProvider.java:268)

Caused by: org.springframework.security.ldap.authentication.ad.ActiveDirectoryAuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C9, comment: AcceptSecurityContext error, data 52e, v23f0]
    at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.raiseExceptionForErrorCode(ActiveDirectoryLdapAuthenticationProvider.java:220)
    ... 35 more
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C9, comment: AcceptSecurityContext error, data 52e, v23f0]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3135)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Ld

2016-08-18 04:36:50,954 [http-bio-6080-exec-2] INFO org.apache.ranger.security.listener.SpringEventListener (SpringEventListener.java:87) - Login Unsuccessful:hr1 | Ip Address:10.143.52.108 | Bad Credentials
2016-08-18 04:36:50,955 [http-bio-6080-exec-2] DEBUG org.apache.ranger.common.db.JPABeanCallbacks (JPABeanCallbacks.java:54) - Security context not found for this request. obj=XXAuthSession={XXDBBase={createTime={Thu Aug 18 08:36:50 EDT 2016} updateTime={Thu Aug 18 08:36:50 EDT 2016} addedByUserId={null} updatedByUserId={null} }loginId={hr1} userId={null} extSessionId={F8D77820FE50F267123768631AFBB33E} authTime={Thu Aug 18 08:36:50 EDT 2016} authStatus={2} authType={1} authProvider={0} deviceType={0} requestIP={10.143.52.108} requestUserAgent={null} }
java.lang.Throwable
    at org.apache.ranger.common.db.JPABeanCallbacks.onPrePersist(JPABeanCallbacks.java:54)
    at sun.reflect.GeneratedMethodAccessor103.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.eclipse.persistence.internal.security.PrivilegedAccessHelper.invokeMethod(PrivilegedAccessHelper.java:409)
    at org.eclipse.persistence.interna

This is important as I need to login as keyadmin so that KMS can work.

Thanks,

Avijeet
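
Added example (not part of the original post and not Ranger code): a small triage script that pulls the two distinct failures out of a debug log like the one above, the user search that matched more than one entry and the LDAP error 49 bind rejection with its Active Directory "data" sub-code. The function name `triage`, the finding labels and the abridged sample lines are assumptions made for this illustration.

```python
import re

# AD sub-codes found in the "data NNN" field of an LDAP error 49 (bind failure).
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
RESULT_SIZE = re.compile(r"Incorrect result size: expected (\d+), actual (\d+)")
BIND_ERROR = re.compile(r"LDAP: error code (\d+) - .*?data ([0-9a-fA-F]+),")
LOGIN_FAIL = re.compile(r"Login Unsuccessful:(\S+) \| Ip Address:(\S+)")

# Abridged from the debug log in the post above (timestamps and frames dropped).
SAMPLE = [
    "DEBUG RangerAuthenticationProvider - AD Authentication Failed: "
    "org.springframework.dao.IncorrectResultSizeDataAccessException: "
    "Incorrect result size: expected 1, actual 222",
    "Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - "
    "80090308: LdapErr: DSID-0C0903C9, comment: AcceptSecurityContext error, "
    "data 52e, v23f0]",
    "INFO SpringEventListener - Login Unsuccessful:hr1 | Ip Address:10.143.52.108 "
    "| Bad Credentials",
]

def triage(lines):
    """Return de-duplicated (kind, detail) findings in order of first appearance."""
    findings = []
    def add(kind, detail):
        if (kind, detail) not in findings:
            findings.append((kind, detail))
    for line in lines:
        m = RESULT_SIZE.search(line)
        if m and int(m.group(2)) > int(m.group(1)):
            # searchForSingleEntryInternal needs the user search to match one entry.
            add("ambiguous_search", f"{m.group(2)} entries matched, expected {m.group(1)}")
        m = BIND_ERROR.search(line)
        if m and m.group(1) == "49":
            sub = m.group(2).lower()
            add("bind_rejected", f"{sub}: {AD_SUBCODES.get(sub, 'unknown sub-code')}")
        m = LOGIN_FAIL.search(line)
        if m:
            add("login_failed", f"user={m.group(1)} ip={m.group(2)}")
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(f"{kind:17} {detail}")
```

An `ambiguous_search` finding points at the search filter or search base used at login, while a `bind_rejected` finding with sub-code `52e` points at the password or bind DN being presented.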

Re: can not login to ranger using LDAP user after user sync

Expert Contributor

This issue got resolved as soon as I changed the user-search-filter to a space from what I had earlier.

Thanks,

Avijeet

Re: can not login to ranger using LDAP user after user sync

New Contributor

Can you please tell me the exact value for user-search-filter? I am unable to log in to Ranger with LDAP user credentials. It would be very helpful if you could share the parameters of LDAPS authentication.

Re: can not login to ranger using LDAP user after user sync

New Contributor

I also have the same issue: I'm not able to log in to the Ranger UI with an LDAP user. I have changed User Search Filter = (uid=*)

Re: can not login to ranger using LDAP user after user sync

Contributor

@santosh nukala Is your issue solved with uid=* in HDP 2.5?

Re: can not login to ranger using LDAP user after user sync

New Contributor

Yes, it is resolved. I had misconfigured some parameters for LDAP group search.