[ https://issues.apache.org/jira/browse/AMBARI-24533?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sandor Molnar updated AMBARI-24533:
-----------------------------------
    Description: 
STR:
 1. Install Ambari
 2. Get certificate for secure LDAP (LDAPS) connection to your AD server.
 3. Generate ambari truststore with LDAPS certificate.
 4. Set up Ambari to use LDAPS, providing the truststore.
{code:java}
2018-08-20 18:38:04,763 DEBUG 
com.hw.commonuifrm.impl.commands.CommandExecutorImpl.executeCommand(): Sending 
command [(echo "admin" ; echo "admin") | ambari-server sync-ldap --users 
/tmp/users.txt --groups /tmp/groups.txt]


2018-08-20 18:38:05,666 DEBUG 
com.hw.commonuifrm.impl.commands.ProcessDataImpl.buildOutputAndErrorStreamData():
 /usr/lib64/python2.7/getpass.py:83: GetPassWarning: Can not control echo on 
the terminal.
  passwd = fallback_getpass(prompt, stream)
Warning: Password input may be echoed.
Enter Ambari Admin password:


2018-08-20 18:38:07,169 INFO 
com.hw.ambari.ui.util.cluster_managers.LDAPClusterManager.ambariServerSyncLDAPWithAD():
 Result: Using python  /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: 
Fetching LDAP configuration from DB.
Syncing specified users and groups...ERROR: Exiting with exit code 1. 
REASON: Caught exception running LDAP sync. ***.com:636; nested exception is 
javax.naming.CommunicationException: ***.com:636 [Root exception is 
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 
No subject alternative DNS name matching ***.com found.]

2018-08-20 18:38:07,170 INFO 
com.hw.ambari.ui.tests.console.ldap.TestLDAPSOnAD.test010_AmbariSynchronizeWithADThroughLDAPS():
 AMBARI LDAPS synchronization result: Using python  /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: 
Fetching LDAP configuration from DB.
Syncing specified users and groups...ERROR: Exiting with exit code 1. 
REASON: Caught exception running LDAP sync. ***.com:636; nested exception is 
javax.naming.CommunicationException: ***.com:636 [Root exception is 
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 
No subject alternative DNS name matching ***.com found.]{code}
The issue is that the AD server's certificate contains a section:
{noformat}
X509v3 Subject Alternative Name: othername:<unsupported>, 
DNS:***-2.COM{noformat}
As you can see, this is not the same as the name we use to connect to the AD server 
(***.com:636). Even if this is a certificate issue, the connection could be opened 
and we should be able to sync LDAP users/groups.

*Important note*: it is reproducible only with OpenJDK (I used 
openjdk-1.8.0.181-3.b13.el7_5.x86_64); it works properly with Oracle's JDK.

+*Recommended solution*+

We can disable endpoint identification when the client negotiates with the 
server during the SSL handshake by setting 
_com.sun.jndi.ldap.object.disableEndpointIdentification_ to _true_ (see 
[https://github.com/ojdkbuild/lookaside_java-1.8.0-openjdk/blob/master/jdk/src/share/classes/com/sun/jndi/ldap/Connection.java#L386]).
 By default this should not be the case, but end users may set it when 
configuring LDAP if they face this issue.

 

  was:
STR:
 1. Install Ambari
 2. Get certificate for secure LDAP (LDAPS) connection to your AD server.
 3. Generate ambari truststore with LDAPS certificate.
 4. Set up Ambari to use LDAPS, providing the truststore.
{code:java}
2018-08-20 18:38:04,763 DEBUG 
com.hw.commonuifrm.impl.commands.CommandExecutorImpl.executeCommand(): Sending 
command [(echo "admin" ; echo "admin") | ambari-server sync-ldap --users 
/tmp/users.txt --groups /tmp/groups.txt]


2018-08-20 18:38:05,666 DEBUG 
com.hw.commonuifrm.impl.commands.ProcessDataImpl.buildOutputAndErrorStreamData():
 /usr/lib64/python2.7/getpass.py:83: GetPassWarning: Can not control echo on 
the terminal.
  passwd = fallback_getpass(prompt, stream)
Warning: Password input may be echoed.
Enter Ambari Admin password:


2018-08-20 18:38:07,169 INFO 
com.hw.ambari.ui.util.cluster_managers.LDAPClusterManager.ambariServerSyncLDAPWithAD():
 Result: Using python  /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: 
Fetching LDAP configuration from DB.
Syncing specified users and groups...ERROR: Exiting with exit code 1. 
REASON: Caught exception running LDAP sync. ***.com:636; nested exception is 
javax.naming.CommunicationException: ***.com:636 [Root exception is 
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 
No subject alternative DNS name matching ***.com found.]

2018-08-20 18:38:07,170 INFO 
com.hw.ambari.ui.tests.console.ldap.TestLDAPSOnAD.test010_AmbariSynchronizeWithADThroughLDAPS():
 AMBARI LDAPS synchronization result: Using python  /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: 
Fetching LDAP configuration from DB.
Syncing specified users and groups...ERROR: Exiting with exit code 1. 
REASON: Caught exception running LDAP sync. ad-nano.qe.hortonworks.com:636; 
nested exception is javax.naming.CommunicationException: 
ad-nano.qe.hortonworks.com:636 [Root exception is 
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 
No subject alternative DNS name matching ***.com found.]{code}
The issue is that the AD server's certificate contains a section:
{noformat}
X509v3 Subject Alternative Name: othername:<unsupported>, 
DNS:***-2.COM{noformat}
As you can see, this is not the same as the name we use to connect to the AD server 
(***.com:636). Even if this is a certificate issue, the connection could be opened 
and we should be able to sync LDAP users/groups.

*Important note*: it is reproducible only with OpenJDK (I used 
openjdk-1.8.0.181-3.b13.el7_5.x86_64); it works properly with Oracle's JDK.

+*Recommended solution*+

We can disable endpoint identification when the client negotiates with the 
server during the SSL handshake by setting 
_com.sun.jndi.ldap.object.disableEndpointIdentification_ to _true_ (see 
https://github.com/ojdkbuild/lookaside_java-1.8.0-openjdk/blob/master/jdk/src/share/classes/com/sun/jndi/ldap/Connection.java#L386).
 By default this should not be the case, but end users may set it when 
configuring LDAP if they face this issue.

 


> Ambari Server Ldap Sync Failed upon subject alternative DNS name check
> ----------------------------------------------------------------------
>
>                 Key: AMBARI-24533
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24533
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.7.1
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Critical
>             Fix For: 2.7.2
>
>
> STR:
>  1. Install Ambari
>  2. Get certificate for secure LDAP (LDAPS) connection to your AD server.
>  3. Generate ambari truststore with LDAPS certificate.
>  4. Set up Ambari to use LDAPS, providing the truststore.
> {code:java}
> 2018-08-20 18:38:04,763 DEBUG 
> com.hw.commonuifrm.impl.commands.CommandExecutorImpl.executeCommand(): 
> Sending command [(echo "admin" ; echo "admin") | ambari-server sync-ldap 
> --users /tmp/users.txt --groups /tmp/groups.txt]
> 2018-08-20 18:38:05,666 DEBUG 
> com.hw.commonuifrm.impl.commands.ProcessDataImpl.buildOutputAndErrorStreamData():
>  /usr/lib64/python2.7/getpass.py:83: GetPassWarning: Can not control echo on 
> the terminal.
>   passwd = fallback_getpass(prompt, stream)
> Warning: Password input may be echoed.
> Enter Ambari Admin password:
> 2018-08-20 18:38:07,169 INFO 
> com.hw.ambari.ui.util.cluster_managers.LDAPClusterManager.ambariServerSyncLDAPWithAD():
>  Result: Using python  /usr/bin/python
> Syncing with LDAP...
> Enter Ambari Admin login: 
> Fetching LDAP configuration from DB.
> Syncing specified users and groups...ERROR: Exiting with exit code 1. 
> REASON: Caught exception running LDAP sync. ***.com:636; nested exception is 
> javax.naming.CommunicationException: ***.com:636 [Root exception is 
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 
> No subject alternative DNS name matching ***.com found.]
> 2018-08-20 18:38:07,170 INFO 
> com.hw.ambari.ui.tests.console.ldap.TestLDAPSOnAD.test010_AmbariSynchronizeWithADThroughLDAPS():
>  AMBARI LDAPS synchronization result: Using python  /usr/bin/python
> Syncing with LDAP...
> Enter Ambari Admin login: 
> Fetching LDAP configuration from DB.
> Syncing specified users and groups...ERROR: Exiting with exit code 1. 
> REASON: Caught exception running LDAP sync. ***.com:636; nested exception is 
> javax.naming.CommunicationException: ***.com:636 [Root exception is 
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 
> No subject alternative DNS name matching ***.com found.]{code}
> The issue is that the AD server's certificate contains a section:
> {noformat}
> X509v3 Subject Alternative Name: othername:<unsupported>, 
> DNS:***-2.COM{noformat}
> As you can see, this is not the same as the name we use to connect to the AD server 
> (***.com:636). Even if this is a certificate issue, the connection could be 
> opened and we should be able to sync LDAP users/groups.
> *Important note*: it is reproducible only with OpenJDK (I used 
> openjdk-1.8.0.181-3.b13.el7_5.x86_64); it works properly with Oracle's JDK.
> +*Recommended solution*+
> We can disable endpoint identification when the client negotiates with 
> the server during the SSL handshake by setting 
> _com.sun.jndi.ldap.object.disableEndpointIdentification_ to _true_ (see 
> [https://github.com/ojdkbuild/lookaside_java-1.8.0-openjdk/blob/master/jdk/src/share/classes/com/sun/jndi/ldap/Connection.java#L386]).
>  By default this should not be the case, but end users may set it when 
> configuring LDAP if they face this issue.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
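Added example, not Ambari or JDK code: before reaching for the "disable endpoint identification" switch, check which DNS names the AD server's certificate actually covers and whether the hostname Ambari connects with is one of them. The script below reproduces the hostname check that the JDK applies to LDAPS connections since 8u181 (only SAN dNSName entries count, comparison is case-insensitive, a wildcard is honoured only as the whole leftmost label), so the `No subject alternative DNS name matching ... found` error in the ticket can be explained from the certificate itself. `SAMPLE_CERT`, the example hostnames and the truststore path are constructed for illustration; the live check needs the CA or server certificate from step 3 in PEM form, which you can export from the JKS truststore with `keytool -exportcert -rfc -alias <alias> -keystore <truststore.jks> -file ca.pem`.

```python
"""Report which DNS names an LDAPS server certificate covers and whether the
hostname used for the connection is among them.

Added example, not Ambari or JDK code. The matching rules follow what the JDK
applies to LDAPS endpoint identification: only SAN dNSName entries count when the
certificate has any, comparison is case-insensitive, and a wildcard is honoured
only as the whole leftmost label.
"""
import socket
import ssl
import sys


def san_dns_names(cert):
    """DNS entries of the subjectAltName, as returned by SSLSocket.getpeercert().

    otherName entries (Active Directory stores the DC GUID there; openssl prints
    them as 'othername:<unsupported>') are not hostnames and are skipped.
    """
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def dns_name_matches(pattern, hostname):
    """Match one SAN dNSName against a hostname.

    '*' is accepted only as the entire leftmost label and stands for exactly one
    label: '*.example.com' covers 'ad.example.com' but neither 'example.com' nor
    'a.b.example.com'; a bare '*.com' is rejected outright.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_covered(cert, hostname):
    """True if some SAN DNS entry covers hostname.

    The subject CN is deliberately not consulted: the JDK falls back to it only
    when the certificate carries no DNS SAN at all, which is not the ticket's case.
    """
    return any(dns_name_matches(name, hostname) for name in san_dns_names(cert))


def diagnose(cert, connect_host):
    """One-line verdict in the spirit of the JDK's CertificateException message."""
    names = san_dns_names(cert)
    if hostname_covered(cert, connect_host):
        return f"OK: {connect_host} matches SAN DNS {names}"
    if not names:
        return f"FAIL: certificate has no SAN DNS entries; connect name was {connect_host}"
    return (f"FAIL: no subject alternative DNS name matching {connect_host}; "
            f"certificate covers {names}. Connect using one of those names or reissue "
            f"the certificate rather than disabling endpoint identification.")


def fetch_peer_cert(host, port, cafile, timeout=10):
    """Fetch the server certificate over TLS, validated against cafile (PEM).

    check_hostname is switched off on purpose: the point is to obtain the
    certificate even when the name does not match, then judge it with diagnose().
    The chain is still verified, so cafile must hold the CA (or server) certificate
    that was imported into the Ambari truststore; getpeercert() returns an empty
    dict for an unverified peer, so skipping chain validation is not an option.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample shaped like the ticket's redacted certificate: an otherName
# plus a single DNS name that differs from the host Ambari connects to. All names
# here are invented for illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "ad-2.example.com"),),),
    "subjectAltName": (("othername", "<unsupported>"), ("DNS", "AD-2.EXAMPLE.COM")),
}

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"usage: {sys.argv[0]} HOST[:PORT] TRUSTSTORE_CA.pem", file=sys.stderr)
        sys.exit(2)
    host, _, port = sys.argv[1].partition(":")
    cert = fetch_peer_cert(host, int(port or 636), cafile=sys.argv[2])
    print(diagnose(cert, host))
    sys.exit(0 if hostname_covered(cert, host) else 1)
```

Run as `python ldaps_san_check.py ad.example.com:636 ca.pem` (names are placeholders). If the verdict says the certificate covers a different name, as with the `-2` host in the ticket, the fix that keeps hostname verification is to configure Ambari's LDAP server with that name, or to have the certificate reissued for the name you connect with. Setting `com.sun.jndi.ldap.object.disableEndpointIdentification=true` makes the JDK accept any certificate that chains to the truststore for any hostname, so anything on the network path holding a certificate from a CA in that truststore can impersonate the AD server and receive the sync bind credentials; treat it as a break-glass setting, not a default.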
