[ https://issues.apache.org/jira/browse/AMBARI-24533?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sandor Molnar updated AMBARI-24533:
-----------------------------------
    Description:
STR:
1. Install Ambari
2. Get a certificate for a secure LDAP (LDAPS) connection to your AD server.
3. Generate the Ambari truststore with the LDAPS certificate.
4. Set up Ambari to use LDAPS, providing the truststore.
{code:java}
2018-08-20 18:38:04,763 DEBUG com.hw.commonuifrm.impl.commands.CommandExecutorImpl.executeCommand(): Sending command [(echo "admin" ; echo "admin") | ambari-server sync-ldap --users /tmp/users.txt --groups /tmp/groups.txt]
2018-08-20 18:38:05,666 DEBUG com.hw.commonuifrm.impl.commands.ProcessDataImpl.buildOutputAndErrorStreamData(): /usr/lib64/python2.7/getpass.py:83: GetPassWarning: Can not control echo on the terminal.
  passwd = fallback_getpass(prompt, stream)
Warning: Password input may be echoed.
Enter Ambari Admin password:
2018-08-20 18:38:07,169 INFO com.hw.ambari.ui.util.cluster_managers.LDAPClusterManager.ambariServerSyncLDAPWithAD(): Result: Using python /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login:
Fetching LDAP configuration from DB.
Syncing specified users and groups...ERROR: Exiting with exit code 1.
REASON: Caught exception running LDAP sync. ***.com:636; nested exception is javax.naming.CommunicationException: ***.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ***.com found.]
2018-08-20 18:38:07,170 INFO com.hw.ambari.ui.tests.console.ldap.TestLDAPSOnAD.test010_AmbariSynchronizeWithADThroughLDAPS(): AMBARI LDAPS synchronization result: Using python /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login:
Fetching LDAP configuration from DB.
Syncing specified users and groups...ERROR: Exiting with exit code 1.
REASON: Caught exception running LDAP sync. ***.com:636; nested exception is javax.naming.CommunicationException: ***.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ***.com found.]
{code}
The issue is that the AD server's certificate contains this section:
{noformat}
X509v3 Subject Alternative Name: othername:<unsupported>, DNS:***-2.COM
{noformat}
As you can see, this is not the same name that we use to connect to the AD server (***.com:636). Even if this is a certificate issue, the connection could be opened and we should be able to sync LDAP users/groups.

*Important note*: it's reproducible only with OpenJDK (I used openjdk-1.8.0.181-3.b13.el7_5.x86_64); it works properly with Oracle's JDK.

+*Recommended solution*+
We can disable endpoint identification when the client is negotiating with the server during the SSL handshake by setting _com.sun.jndi.ldap.object.disableEndpointIdentification_ to _true_ (see [https://github.com/ojdkbuild/lookaside_java-1.8.0-openjdk/blob/master/jdk/src/share/classes/com/sun/jndi/ldap/Connection.java#L386]). By default this should not be the case, but end users may set this up when configuring LDAP if they face this issue.

> Ambari Server Ldap Sync Failed upon subject alternative DNS name check
> ----------------------------------------------------------------------
>
>                 Key: AMBARI-24533
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24533
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.7.1
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Critical
>             Fix For: 2.7.2
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
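An added diagnostic (not part of the issue or of Ambari's code): before disabling endpoint identification, check whether the name used to connect is covered by any dNSName entry in the certificate's Subject Alternative Name, applying RFC 6125 matching (case-insensitive, wildcard only as the whole leftmost label); because the certificate above carries a DNS SAN entry, the subject CN is never consulted, which is exactly why the sync fails. The hostnames in the block are constructed placeholders for the redacted names in the report.

```python
"""Diagnose an LDAPS hostname-verification failure: does the hostname used for
the connection match a dNSName entry of the server certificate's SAN? Matching
follows RFC 6125 (case-insensitive; '*' only as the whole leftmost label)."""

from typing import Iterable, Optional


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot is not significant.
    return name.strip().rstrip(".").lower()


def dns_name_matches(hostname: str, san_entry: str) -> bool:
    """True if a single SAN dNSName entry covers hostname."""
    host = _normalize(hostname)
    pattern = _normalize(san_entry)
    if "*" not in pattern:
        return host == pattern
    first, _, rest = pattern.partition(".")
    # Wildcard rules: '*' must be the entire leftmost label, at least two
    # labels must follow it (reject '*.com'), and it matches exactly one label.
    if first != "*" or "." not in rest or "*" in rest:
        return False
    h_first, _, h_rest = host.partition(".")
    return bool(h_first) and h_rest == rest


def find_matching_san(hostname: str, san_dns_names: Iterable[str]) -> Optional[str]:
    """Return the SAN entry that covers hostname, or None (the failing case)."""
    for entry in san_dns_names:
        if dns_name_matches(hostname, entry):
            return entry
    return None


def explain(hostname: str, san_dns_names: list) -> str:
    """Human-readable verdict, worded like the OpenJDK exception."""
    match = find_matching_san(hostname, san_dns_names)
    if match is not None:
        return f"OK: {hostname} matches SAN DNS:{match}"
    listed = ", ".join("DNS:" + n for n in san_dns_names)
    return (f"No subject alternative DNS name matching {hostname} found "
            f"(certificate SAN lists {listed}); connect with a listed name "
            "or reissue the certificate rather than disabling endpoint identification.")


if __name__ == "__main__":
    # Constructed placeholders for the redacted names in the report.
    san = ["ad-2.example.com"]
    print(explain("ad.example.com", san))     # fails, as in the sync log
    print(explain("AD-2.example.com", san))   # case differences alone are fine
```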