Created on 09-21-2015 08:15 AM - edited 09-16-2022 02:41 AM
Hi,
We are running CDH 5.4.5 with Kerberos and OpenLDAP. While integration of OpenLDAP into Hue went smoothly, I'm struggling with configuring external authentication in Cloudera Manager:
/var/log/cloudera-scm-server/cloudera-scm-server.log shows issues in LDAP/AD authentication (we have a fallback to database active)
scm-web-107:com.cloudera.server.web.cmf.CmfLdapAuthenticationProvider: LDAP/AD authentication failure for USERNAME
The CM external auth config is as follows:
 
Authentication Backend Order - External then Database
External Authentication Type - LDAP
LDAP URL - ldap://hostname:389 (the same as in Hue)
LDAP Bind User Distinguished Name - cn=ourproxyuser,ou=users,dc=mycompany,dc=com
LDAP Bind Password - (*****)
LDAP User Search Filter - (uid={0})
LDAP User Search Base - OU=users,dc=mycompany,dc=com
LDAP Group Search Filter - (memberUID={1})
LDAP Group Search Base - OU=groups,dc=mycompany,dc=com
LDAP Distinguished Name Pattern - cn={0},OU=users,DC=mycompany,dc=com
 
all other attributes are empty (or default)
 
From what I can see in slapd.log
 
# tail -f /var/log/slapd.log
Sep 21 18:09:36 hostname slapd[37748]: slap_listener_activate(7):
Sep 21 18:09:36 hostname slapd[37748]: >>> slap_listener(ldap:///)
Sep 21 18:09:36 hostname slapd[37748]: connection_get(50): got connid=1036
Sep 21 18:09:36 hostname slapd[37748]: connection_read(50): checking for input on id=1036
Sep 21 18:09:36 hostname slapd[37748]: op tag 0x60, time 1442848176
Sep 21 18:09:36 hostname slapd[37748]: conn=1036 op=0 do_bind
Sep 21 18:09:36 hostname slapd[37748]: >>> dnPrettyNormal: <cn=USERNAME,ou=users,dc=mycompany,dc=com>
Sep 21 18:09:36 hostname slapd[37748]: <<< dnPrettyNormal: <cn=USERNAME,ou=users,dc=mycompany,dc=com>, <cn=USERNAME,ou=users,dc=mycompany,dc=com>
Sep 21 18:09:36 hostname slapd[37748]: do_bind: version=3 dn="cn=USERNAME,ou=users,dc=mycompany,dc=com" method=128
Sep 21 18:09:36 hostname slapd[37748]: bdb_dn2entry("cn=USERNAME,ou=users,dc=mycompany,dc=com")
Sep 21 18:09:36 hostname slapd[37748]: do_bind: v3 bind: "cn=USERNAME,ou=users,dc=mycompany,dc=com" to "cn=USERNAME,ou=users,dc=mycompany,dc=com"
Sep 21 18:09:36 hostname slapd[37748]: send_ldap_result: conn=1036 op=0 p=3
Sep 21 18:09:36 hostname slapd[37748]: send_ldap_response: msgid=1 tag=97 err=0
Sep 21 18:09:36 hostname slapd[37748]: connection_get(50): got connid=1036
Sep 21 18:09:36 hostname slapd[37748]: connection_read(50): checking for input on id=1036
Sep 21 18:09:36 hostname slapd[37748]: op tag 0x63, time 1442848176
Sep 21 18:09:36 hostname slapd[37748]: conn=1036 op=1 do_search
Sep 21 18:09:36 hostname slapd[37748]: >>> dnPrettyNormal: <cn=USERNAME,ou=users,dc=mycompany,dc=com>
Sep 21 18:09:36 hostname slapd[37748]: <<< dnPrettyNormal: <cn=USERNAME,ou=users,dc=mycompany,dc=com>, <cn=USERNAME,ou=users,dc=mycompany,dc=com>
Sep 21 18:09:36 hostname slapd[37748]: => get_ctrls
Sep 21 18:09:36 hostname slapd[37748]: => get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
Sep 21 18:09:36 hostname slapd[37748]: <= get_ctrls: n=1 rc=0 err=""
Sep 21 18:09:36 hostname slapd[37748]: ==> limits_get: conn=1036 op=1 self="cn=USERNAME,ou=users,dc=mycompany,dc=com" this="cn=USERNAME,ou=users,dc=mycompany,dc=com"
Sep 21 18:09:36 hostname slapd[37748]: => bdb_search
Sep 21 18:09:36 hostname slapd[37748]: bdb_dn2entry("cn=USERNAME,ou=users,dc=mycompany,dc=com")
Sep 21 18:09:36 hostname slapd[37748]: send_ldap_result: conn=1036 op=1 p=3
Sep 21 18:09:36 hostname slapd[37748]: send_ldap_response: msgid=2 tag=101 err=32
Sep 21 18:09:36 hostname slapd[37748]: connection_get(50): got connid=1036
Sep 21 18:09:36 hostname slapd[37748]: connection_read(50): checking for input on id=1036
Sep 21 18:09:36 hostname slapd[37748]: op tag 0x42, time 1442848176
Sep 21 18:09:36 hostname slapd[37748]: ber_get_next on fd 50 failed errno=0 (Success)
Sep 21 18:09:36 hostname slapd[37748]: conn=1036 op=2 do_unbind
Sep 21 18:09:36 hostname slapd[37748]: connection_close: conn=1036 sd=50
 
there is an error "send_ldap_response: msgid=2 tag=101 err=32", but I just don't know why. How can I investigate this further?
 
Thanks in advance,
 
Regards,
Slavo
Created 09-23-2015 06:33 AM
Hi all,
I found a solution on my own. The reason for my issue was that CM is using the access rights of the CM user for searching in LDAP and not those of the bind user.
In my LDAP config, the ACLs were preventing users from searching in the users subtree. Only a proxy user (the CM bind user) was allowed to search there.
After fixing this by adding "by self read" to the ACLs for the users subtree, everything works fine.
Regards,
Slavo
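The access-rule layout described in the answer, written out as an added example (it is not configuration from the original post or from Cloudera). It replaces olcAccess on a cn=config database and assumes the database entry is olcDatabase={1}mdb,cn=config (on an older bdb server it would be {1}bdb; in a slapd.conf deployment the same rules go in as plain "access to ... by ..." lines without the {n} prefixes) and the DNs used in the thread. The first subtree rule is the one that was missing the "by self read" clause; without it a user who has just bound successfully (err=0 in slapd.log) cannot see their own entry, so the follow-up search returns err=32 (noSuchObject) rather than an explicit access-denied result.

```ldif
# Added example (not from the original post): OpenLDAP access rules for the
# users and groups subtrees, replacing olcAccess on the database entry.
# Assumed: the database is olcDatabase={1}mdb,cn=config; DNs as in the thread.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Rule order matters: the first "to" clause that matches an entry/attribute
# wins, so the password rule must come before the broader subtree rules.
# "auth" lets a bind compare against userPassword without ever reading it.
olcAccess: {0}to attrs=userPassword
  by dn.exact="cn=ourproxyuser,ou=users,dc=mycompany,dc=com" auth
  by self write
  by anonymous auth
  by * none
# Users subtree. "by self read" is the fix from the answer: after binding as
# cn=USERNAME,ou=users,... the user can now read (and therefore search for)
# their own entry. The proxy/bind user keeps read on the whole subtree so the
# (uid={0}) user search still works when CM searches with the bind user.
olcAccess: {1}to dn.subtree="ou=users,dc=mycompany,dc=com"
  by dn.exact="cn=ourproxyuser,ou=users,dc=mycompany,dc=com" read
  by self read
  by * none
# Groups subtree: readable by the bind user and by any authenticated user so
# the (memberUID={1}) group search can resolve memberships for the bound user.
olcAccess: {2}to dn.subtree="ou=groups,dc=mycompany,dc=com"
  by dn.exact="cn=ourproxyuser,ou=users,dc=mycompany,dc=com" read
  by users read
  by * none
# Everything else stays closed (anonymous enumeration of the tree is denied).
olcAccess: {3}to * by * none
```

Apply it with ldapmodify against the config database (for example `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` on a server that allows the root user to manage cn=config), then confirm the effect before touching Cloudera Manager: `slapacl -b "cn=USERNAME,ou=users,dc=mycompany,dc=com" -D "cn=USERNAME,ou=users,dc=mycompany,dc=com" entry/read` should now report read access, and an `ldapsearch -x -D "cn=USERNAME,ou=users,dc=mycompany,dc=com" -W -b "cn=USERNAME,ou=users,dc=mycompany,dc=com" -s base` as that user should return the entry instead of "No such object (32)". Keeping "by * none" on the users subtree rather than opening it to all authenticated users is the least-privilege choice: each user sees only their own entry, while only the proxy account can enumerate accounts.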