com.cloudera.server.web.cmf.CmfLdapAuthenticationProvider: LDAP/AD authentication failed

Contributor

External authentication with Active Directory is working for ALL users except one ID. Other users in the same group can access Cloudera Manager too.

Getting the following error.

Is this an issue with this user's Active Directory settings?

Is this a bug?

Am I missing some setting in Cloudera Manager?

2015-09-08 16:36:17,767 INFO 1305153855@scm-web-14:org.springframework.security.ldap.SpringSecurityLdapTemplate: Ignoring PartialResultException
2015-09-08 16:36:17,767 ERROR 1305153855@scm-web-14:com.cloudera.server.web.cmf.CmfLdapAuthenticationProvider: LDAP/AD authentication failed
org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 0
         at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntryInternal(SpringSecurityLdapTemplate.java:239)
         at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.searchForUser(ActiveDirectoryLdapAuthenticationProvider.java:258)
         at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.doAuthentication(ActiveDirectoryLdapAuthenticationProvider.java:114)
         at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61)
         at com.cloudera.server.web.cmf.CmfLdapAuthenticationProvider.authenticate(CmfLdapAuthenticationProvider.java:104)
         at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
         at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
         at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
         at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
         at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
         at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
         at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:125)
         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
         at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
         at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
         at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
         at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
         at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
         at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
         at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:399)
         at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
         at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
         at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
         at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:767)
         at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:450)
         at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
         at org.mortbay.jetty.handler.StatisticsHandler.handle(StatisticsHandler.java:53)
         at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
         at org.mortbay.jetty.Server.handle(Server.java:326)
         at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
         at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:945)
         at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:756)
         at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
         at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
         at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:410)
         at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
2015-09-08 16:36:17,771 INFO 1305153855@scm-web-14:com.cloudera.server.web.cmf.AuthenticationFailureEventListener: Authentication failure for user: user123

1 ACCEPTED SOLUTION

Contributor

Thanks for the response!

My issue is resolved.

Issue:

When Active Directory is selected, the Spring providers were converting the userID to UserPrincipalName by appending @domain.

user123 was converted to user123@xyz.corp.com and authenticated against Active Directory.

For some employees the UserPrincipalName was different. It was user1234@newXYZ.com.

That's why it was working for some users and not others, even if they were in the same group which was granted access.

Solution:

We did not want to customize or update the Spring code\XML files. So instead of the "Active Directory" option we selected "LDAP".

Had to add the bind user and password.

 

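A triage sketch for the failure described in this thread, added here as an example (not code from Cloudera or from the posters): it correlates Cloudera Manager server log lines by web thread id and separates failed logins where the user search returned zero entries, the symptom of the UPN mismatch above, from other failures. The `triage` function, the cause labels and the `user456` sample line are constructed for illustration.

```python
import re

# Timestamped Cloudera Manager server log line: time, level, thread id, logger, message.
HEADER = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+) (\S+?):([\w.$]+): (.*)$")
ZERO_HITS = "Incorrect result size: expected 1, actual 0"
FAILURE = re.compile(r"Authentication failure for user: (\S+)")

# Constructed sample: first login mirrors the question's log (trace shortened); user456 is invented.
SAMPLE = """\
2015-09-08 16:36:17,767 INFO 1305153855@scm-web-14:org.springframework.security.ldap.SpringSecurityLdapTemplate: Ignoring PartialResultException
2015-09-08 16:36:17,767 ERROR 1305153855@scm-web-14:com.cloudera.server.web.cmf.CmfLdapAuthenticationProvider: LDAP/AD authentication failed
org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 0
         at org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.searchForUser(ActiveDirectoryLdapAuthenticationProvider.java:258)
2015-09-08 16:36:17,771 INFO 1305153855@scm-web-14:com.cloudera.server.web.cmf.AuthenticationFailureEventListener: Authentication failure for user: user123
2015-09-08 16:40:02,113 INFO 2041127733@scm-web-9:com.cloudera.server.web.cmf.AuthenticationFailureEventListener: Authentication failure for user: user456
"""

def new_flags():
    return {"zero_hits": False, "partial": False}

def triage(lines):
    """Return one finding per failed login, correlated by web thread id."""
    state = {}      # thread id -> what that thread logged since its last verdict
    current = None  # thread id of the most recent timestamped line
    findings = []
    for line in lines:
        m = HEADER.match(line)
        if not m:
            # Exception text and stack frames have no timestamp: credit them to `current`.
            if current and ZERO_HITS in line:
                state[current]["zero_hits"] = True
            continue
        ts, _level, current, _logger, msg = m.groups()
        flags = state.setdefault(current, new_flags())
        if "Ignoring PartialResultException" in msg:
            flags["partial"] = True
        failed = FAILURE.search(msg)
        if failed:
            # zero_hits: the search for the user's entry matched nothing (e.g. differing UPN).
            cause = "user-search-empty" if flags["zero_hits"] else "other"
            findings.append({"time": ts, "user": failed.group(1),
                             "cause": cause, "referral_hint": flags["partial"]})
            state[current] = new_flags()
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE.splitlines()):
        print(finding)
```

Accounts reported as `user-search-empty` are the ones whose `userPrincipalName` is worth comparing against the login name plus the configured domain; `referral_hint` marks logins where the PartialResultException line discussed in the replies also appeared.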

4 REPLIES

Cloudera Employee

Hi,

I believe this is likely a configuration issue with your Active Directory (AD) installation, and how Cloudera Manager uses Spring.

The first line is the key to diagnosing this:

2015-09-08 16:36:17,767 INFO 1305153855@scm-web-14:org.springframework.security.ldap.SpringSecurityLdapTemplate: Ignoring PartialResultException

This might happen if your AD is configured to allow referrals, and this user who has trouble logging in is in a different AD CN or directory partition than the AD instance currently configured for use with your CM.

The utility we use does not currently support following LDAP referrals.

Expert Contributor

@Jayesh Seshadri

Is there any limitation on the character size or special characters in the password that are not allowed?

I have the same issue and switching to LDAP also does not work.

After looking further, I am able to log in with my password; however, when I try with a functional user where the username is "abc_efg_scd_dfc" and the password is "a61Odc7zxxaGArlSInIUYu-iq", it does not work.

Do the username/password have any limitations?

Master Guru

@desind,

 

No limit that I know of on the CM side.

Please start a new thread and provide your LDAP configuration, what happens in the logs and also the "abc_efg_scd_dfc" user LDIF entry.

 

There are lots of reasons for failures, so it is important we start with what you observe and the items involved.