Created on 09-09-2015 03:27 PM - edited 09-16-2022 02:40 AM
External authentication with Active Directory is working for ALL users except one ID. Other users in the same group can access Cloudera Manager too.
Getting the following error.
Is this user's active directory setting issue?
Is this a bug?
Am I missing some setting in cloudera manager?
2015-09-08 16:36:17,767 INFO 1305153855@scm-web-14:org.springframework.security.ldap.SpringSecurityLdapTemplate: Ignoring PartialResultException
2015-09-08 16:36:17,767 ERROR 1305153855@scm-web-14:com.cloudera.server.web.cmf.CmfLdapAuthenticationProvider: LDAP/AD authentication failed
org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 0
at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntryInternal(SpringSecurityLdapTemplate.java:239)
at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.searchForUser(ActiveDirectoryLdapAuthenticationProvider.java:258)
at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.doAuthentication(ActiveDirectoryLdapAuthenticationProvider.java:114)
at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61)
at com.cloudera.server.web.cmf.CmfLdapAuthenticationProvider.authenticate(CmfLdapAuthenticationProvider.java:104)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:125)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:399)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:767)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:450)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.handler.StatisticsHandler.handle(StatisticsHandler.java:53)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:326)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:945)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:756)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:410)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
2015-09-08 16:36:17,771 INFO 1305153855@scm-web-14:com.cloudera.server.web.cmf.AuthenticationFailureEventListener: Authentication failure for user: user123
Created 09-11-2015 09:57 AM
Thanks for the response!
My issue is resolved.
Issue:
When Active Directory is selected, the Spring providers were converting the userID to UserPrincipalName by appending @domain.
user123 was converted to user123@xyz.corp.com and being authenticated against Active Directory.
For some employees the UserPrincipalName was different. It was user1234@newXYZ.com.
That's why it was working for some users and not others even if they were in same group which was granted access.
Solution:
We did not want to customize or update the Spring code\XML files. So instead of the "Active Directory" option we selected "LDAP".
Had to add the bind user and password.
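An audit for the mismatch described in this post, as an added example that is not part of the original thread and is not Cloudera or Spring code: it parses an LDIF export and lists the accounts whose stored userPrincipalName differs from the `username@domain` value the "Active Directory" option derives. The LDIF sample is constructed (only user123, xyz.corp.com and user1234@newXYZ.com come from the post), and the function names are hypothetical.

```python
import base64

# Constructed sample export; the last entry uses LDIF line folding.
SAMPLE_LDIF = """\
dn: CN=User One,OU=Staff,DC=xyz,DC=corp,DC=com
sAMAccountName: user122
userPrincipalName: user122@xyz.corp.com

dn: CN=User Two,OU=Staff,DC=xyz,DC=corp,DC=com
sAMAccountName: user123
userPrincipalName: user1234@newXYZ.com

dn: CN=Svc Account,OU=Service,DC=xyz,DC=corp,DC=com
sAMAccountName: svc_cm
userPrincipalName: SVC_CM@XYZ.
 corp.com
"""

def parse_ldif(text):
    """Parse a minimal LDIF export into a list of {attribute: value} dicts."""
    # A line starting with one space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            if name.endswith(":"):  # "attr:: <base64>" form
                name, value = name[:-1], base64.b64decode(value).decode("utf-8")
            entry.setdefault(name.lower(), value.strip())
        if entry:
            entries.append(entry)
    return entries

def bind_principal(username, domain):
    """Model the conversion described in the post: append @domain to the login."""
    return username if username.lower().endswith(domain.lower()) else f"{username}@{domain}"

def unreachable_in_ad_mode(entries, domain):
    """Return (login, stored UPN, derived UPN) for accounts the lookup would miss."""
    failing = []
    for entry in entries:
        sam = entry.get("samaccountname")
        if not sam:
            continue
        derived, upn = bind_principal(sam, domain), entry.get("userprincipalname")
        # Compare case-insensitively; a missing UPN can never match.
        if upn is None or upn.lower() != derived.lower():
            failing.append((sam, upn, derived))
    return failing
```

Each account returned is one that would produce "expected 1, actual 0" under the "Active Directory" option for the given domain.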
Created 09-09-2015 10:53 PM
Hi,
I believe this is likely a configuration issue with your Active Directory (AD) installation, and how Cloudera Manager uses Spring.
The first line is the key to diagnosing this:
2015-09-08 16:36:17,767 INFO 1305153855@scm-web-14:org.springframework.security.ldap.SpringSecurityLdapTemplate: Ignoring PartialResultException
This might happen if your AD is configured to allow referrals, and this user who has trouble logging in is in a different AD CN or directory partition than the AD instance currently configured for use with your CM.
The utility we use does not currently support following LDAP referrals.
Created 09-13-2018 01:53 PM
Is there any limitation on the character size or special characters in the password that are not allowed?
I have the same issue and switching to LDAP also does not work.
After looking further, I am able to log in with my password; however, when I try with a functional user where the username is "abc_efg_scd_dfc" and the password is "a61Odc7zxxaGArlSInIUYu-iq", it does not work.
Do the username/password have any limitations?
Created 09-14-2018 05:57 PM
No limit that I know of on the CM side.
Please start a new thread and provide your LDAP configuration, what happens in the logs and also the "abc_efg_scd_dfc" user LDIF entry.
There are lots of reasons for failures, so it is important we start with what you observe and the items involved.