
knox : LDAP setup : How to specify a password to connect to the LDAP server?

Contributor

Hello,

I'm currently setting up Knox (and Ranger) on my cluster, and I'm experiencing issues getting Knox to connect to my OpenLDAP servers in order to authenticate users.

(For information, I have already set up Ambari and Ranger (+usersync) to sync with my OpenLDAP server and it works fine.)

While testing the following command:

# /usr/hdp/2.5.0.0-1245/knox/bin/knoxcli.sh user-auth-test --cluster default --u <mylogin> --p <my_password> --g --d

I get the following output:

org.apache.shiro.authc.AuthenticationException: LDAP authentication failed. [LDAP: error code 49 - Invalid Credentials]

This message makes sense as I don't know how to specify a password to connect to the LDAP server within my Knox configuration (topology).

Are there specific param entries that allow me to specify this password?

Thanks in advance.

Kind regards

Laurent

3 REPLIES

Re: knox : LDAP setup : How to specify a password to connect to the LDAP server?

Put this into your topology .xml file, replacing systemUserName and password with your values (for production the password can be stored in a credential store). For more details check this page.

<param>
  <name>main.ldapRealm.contextFactory.systemUsername</name>
  <value>cn=john,ou=admins,ou=ABC,dc=example,dc=net</value>
</param>
<param>
  <name>main.ldapRealm.contextFactory.systemPassword</name>
  <value>mysecretpassowrd</value>
</param>

Re: knox : LDAP setup : How to specify a password to connect to the LDAP server?

Contributor

Thanks Predrag! The authentication works, but I end up with another Java error.

Any clue ?

LDAP authentication successful!

java.lang.NullPointerException
    at javax.naming.InitialContext.getURLScheme(InitialContext.java:294)
    at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:343)
    at javax.naming.directory.InitialDirContext.getURLOrDefaultInitDirCtx(InitialDirContext.java:106)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
    at org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm.rolesFor(KnoxLdapRealm.java:254)
    at org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm.getRoles(KnoxLdapRealm.java:237)
    at org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm.queryForAuthorizationInfo(KnoxLdapRealm.java:223)
    at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthorizationInfo(JndiLdapRealm.java:313)
    at org.apache.shiro.realm.AuthorizingRealm.getAuthorizationInfo(AuthorizingRealm.java:341)
    at org.apache.shiro.realm.AuthorizingRealm.hasRole(AuthorizingRealm.java:571)
    at org.apache.shiro.authz.ModularRealmAuthorizer.hasRole(ModularRealmAuthorizer.java:374)
    at org.apache.shiro.mgt.AuthorizingSecurityManager.hasRole(AuthorizingSecurityManager.java:153)
    at org.apache.shiro.subject.support.DelegatingSubject.hasRole(DelegatingSubject.java:224)
    at org.apache.hadoop.gateway.util.KnoxCLI$LDAPAuthCommand.getGroups(KnoxCLI.java:1434)
    at org.apache.hadoop.gateway.util.KnoxCLI$LDAPAuthCommand.execute(KnoxCLI.java:1404)
    at org.apache.hadoop.gateway.util.KnoxCLI.run(KnoxCLI.java:138)
    at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76)
    at org.apache.hadoop.gateway.util.KnoxCLI.main(KnoxCLI.java:1675)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.hadoop.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:70)
    at org.apache.hadoop.gateway.launcher.Invoker.invoke(Invoker.java:39)
    at org.apache.hadoop.gateway.launcher.C
    at org.apache.hadoop.gateway.launcher.L
    at org.apache.hadoop.gateway.launcher.L

Re: knox : LDAP setup : How to specify a password to connect to the LDAP server?

Check again all entries in your ShiroProvider (refer to sample 7 in the link I provided), in particular those related to groups, names beginning in "main.ldapRealm.group". You can also remove all group related entries to make sure user sync works, and then add groups later. For user sync, besides userSearchBase and userSearchAttributeName you can also use userDnTemplate. And if my answer was helpful please consider accepting it and/or upvoting it. Tnx!
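Added here as an example (not code from the thread or from the Knox project): a small Python lint for the ShiroProvider section of a topology file that checks the two points raised in the replies above, a systemPassword kept in clear text rather than as a `${ALIAS=...}` credential-store reference, and group lookup enabled while its parameters are only partly configured. The sample topology is constructed, and the list of group parameters is an assumption taken from the Knox user guide's LDAP group sample.

```python
"""Lint the ShiroProvider section of a Knox topology for a clear-text LDAP bind
password and for partially configured group-lookup parameters."""
import re
import xml.etree.ElementTree as ET

# Constructed sample topology fragment; the DNs and password are placeholders.
SAMPLE_TOPOLOGY = """<topology><gateway><provider>
  <role>authentication</role><name>ShiroProvider</name><enabled>true</enabled>
  <param><name>main.ldapRealm</name><value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value></param>
  <param><name>main.ldapRealm.contextFactory.url</name><value>ldap://ldap.example.net:389</value></param>
  <param><name>main.ldapRealm.contextFactory.systemUsername</name><value>cn=john,ou=admins,dc=example,dc=net</value></param>
  <param><name>main.ldapRealm.contextFactory.systemPassword</name><value>mysecretpassword</value></param>
  <param><name>main.ldapRealm.userSearchBase</name><value>ou=people,dc=example,dc=net</value></param>
  <param><name>main.ldapRealm.authorizationEnabled</name><value>true</value></param>
  <param><name>main.ldapRealm.groupObjectClass</name><value>groupofnames</value></param>
</provider></gateway></topology>"""

# A credential-store reference looks like ${ALIAS=ldcSystemPassword}; anything else is clear text.
ALIAS_RE = re.compile(r"^\$\{ALIAS=[^}]+\}$")

# Parameters Knox uses for LDAP group lookup once authorizationEnabled is true.
# Assumption: this list follows the Knox user guide's LDAP group sample.
GROUP_PARAMS = ("main.ldapRealm.searchBase", "main.ldapRealm.groupObjectClass",
                "main.ldapRealm.memberAttribute", "main.ldapRealm.groupIdAttribute")


def shiro_params(topology_xml):
    """Return the ShiroProvider <param> entries as a {name: value} dict."""
    root = ET.fromstring(topology_xml)
    for prov in root.iter("provider"):
        if prov.findtext("name") == "ShiroProvider":
            return {p.findtext("name").strip(): (p.findtext("value") or "").strip()
                    for p in prov.findall("param")}
    return {}


def lint_shiro(params):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    pw = params.get("main.ldapRealm.contextFactory.systemPassword")
    if pw is None:
        findings.append("no systemPassword set: the system bind will fail as in the question")
    elif not ALIAS_RE.match(pw):
        findings.append("systemPassword is clear text; use ${ALIAS=...} from the credential store")
    if params.get("main.ldapRealm.authorizationEnabled", "false").lower() == "true":
        missing = [k for k in GROUP_PARAMS if k not in params]
        if missing:
            findings.append("group lookup enabled but not configured: " + ", ".join(missing))
    return findings
```

Running `lint_shiro(shiro_params(SAMPLE_TOPOLOGY))` on the constructed sample reports both the clear-text password and the three missing group parameters; replacing the password with an alias and filling in the group parameters yields no findings.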
