Re: Issues with usersync (LDAPS certificate not validated)
No, there are no intermediate certificates. No, I'm not using the same trust store for performing ldapsearch. I'm using the *TLS_CACERT /etc/ldap/cacert.pem* option in the ldap.conf file.

On Mon, Oct 5, 2015 at 10:12 PM, Sailaja Polavarapu <spolavar...@hortonworks.com> wrote:

> Are there any intermediate certs? If so, are they also added in the trust store?
> And just to make sure, in the ldap configuration, are you using same trust store for performing ldapsearch?
>
> From: Aneela Saleem
> Reply-To: "user@ranger.incubator.apache.org"
> Date: Sunday, October 4, 2015 at 10:15 AM
> To: "user@ranger.incubator.apache.org"
> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>
> Is there any issue with JAVA keystore?
>
> On Fri, Oct 2, 2015 at 9:59 AM, Aneela Saleem <ane...@platalytics.com> wrote:
>
>> Yes, the following command works fine
>>
>> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
>>
>> On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <bo...@apache.org> wrote:
>>
>>> It is surprising that it will just stop working. Are you able to do ldapsearch from command line? Just to make sure there is nothing wrong on the OpenLDAP side?
>>>
>>> Thanks
>>>
>>> Bosco
>>>
>>> From: Aneela Saleem <ane...@platalytics.com>
>>> Reply-To: <user@ranger.incubator.apache.org>
>>> Date: Thursday, October 1, 2015 at 11:55 PM
>>> To: <user@ranger.incubator.apache.org>
>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>
>>> I also checked it on another machine. Same issue is there.
>>>
>>> On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <ane...@platalytics.com> wrote:
>>>
>>>> I guess no JDK changes. And I re-checked the certificate, in fact generated a new one. Still same issue.
>>>>
>>>> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <dilli.do...@gmail.com> wrote:
>>>>
>>>>> Aneela,
>>>>> Please check whether the certificate has expired.
>>>>> Dilli
>>>>>
>>>>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org> wrote:
>>>>>
>>>>>> Any other changes you can think of? JDK changes, etc.?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Bosco
>>>>>>
>>>>>> From: Aneela Saleem <ane...@platalytics.com>
>>>>>> Reply-To: <user@ranger.incubator.apache.org>
>>>>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>>>>> To: <user@ranger.incubator.apache.org>
>>>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>>>
>>>>>> It was working fine one month ago. But now the same issue has occurred.
>>>>>>
>>>>>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <ane...@platalytics.com> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I followed all the following steps i.e.,
>>>>>>>
>>>>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>
>>>>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>> (where cert.pem has the LDAPS cert)
>>>>>>>
>>>>>>> Add java option
>>>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>> To
>>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>>>>
>>>>>>> Where it invokes java command like the following
>>>>>>>
>>>>>>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>>>>>>
>>>>>>> But I'm unable t
Re: Issues with usersync (LDAPS certificate not validated)
Are there any intermediate certs? If so, are they also added in the trust store?
And just to make sure, in the ldap configuration, are you using same trust store for performing ldapsearch?

From: Aneela Saleem
Reply-To: "user@ranger.incubator.apache.org"
Date: Sunday, October 4, 2015 at 10:15 AM
To: "user@ranger.incubator.apache.org"
Subject: Re: Issues with usersync (LDAPS certificate not validated)

Is there any issue with JAVA keystore?

On Fri, Oct 2, 2015 at 9:59 AM, Aneela Saleem <ane...@platalytics.com> wrote:

Yes, the following command works fine

ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'

On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <bo...@apache.org> wrote:

It is surprising that it will just stop working. Are you able to do ldapsearch from command line? Just to make sure there is nothing wrong on the OpenLDAP side?

Thanks

Bosco

From: Aneela Saleem <ane...@platalytics.com>
Reply-To: <user@ranger.incubator.apache.org>
Date: Thursday, October 1, 2015 at 11:55 PM
To: <user@ranger.incubator.apache.org>
Subject: Re: Issues with usersync (LDAPS certificate not validated)

I also checked it on another machine. Same issue is there.

On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <ane...@platalytics.com> wrote:

I guess no JDK changes. And I re-checked the certificate, in fact generated a new one. Still same issue.

On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <dilli.do...@gmail.com> wrote:

Aneela,
Please check whether the certificate has expired.
Dilli

On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org> wrote:

Any other changes you can think of? JDK changes, etc.?

Thanks

Bosco

From: Aneela Saleem <ane...@platalytics.com>
Reply-To: <user@ranger.incubator.apache.org>
Date: Wednesday, September 30, 2015 at 9:37 PM
To: <user@ranger.incubator.apache.org>
Subject: Re: Issues with usersync (LDAPS certificate not validated)

It was working fine one month ago. But now the same issue has occurred.

On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <ane...@platalytics.com> wrote:

Hi all,

I followed all the following steps i.e.,

cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts

keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
(where cert.pem has the LDAPS cert)

Add java option
-Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
To
/usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh

Where it invokes java command like the following

nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .

But I'm unable to sync LDAP contacts in Ranger due to certificates validation issues. Following are the logs

30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Starting User Sync Service!
30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
30 Sep 2015 14:48:56 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
30 Sep 2015 14:48:57 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
30 Sep 2015 14:48:58 INFO LdapUserGroupBuild
Re: Issues with usersync (LDAPS certificate not validated)
Aneela:

To verify the certificate (chain), can you run the following command and send us the output of the command?

$ openssl s_client -showcerts -connect platalytics.com:636 < /dev/null

Thanks,
Selva-

From: Aneela Saleem <ane...@platalytics.com>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Monday, October 5, 2015 at 1:16 PM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Re: Issues with usersync (LDAPS certificate not validated)

No, there are no intermediate certificates. No, I'm not using the same trust store for performing ldapsearch. I'm using the TLS_CACERT /etc/ldap/cacert.pem option in the ldap.conf file.

On Mon, Oct 5, 2015 at 10:12 PM, Sailaja Polavarapu <spolavar...@hortonworks.com> wrote:

Are there any intermediate certs? If so, are they also added in the trust store?
And just to make sure, in the ldap configuration, are you using same trust store for performing ldapsearch?

From: Aneela Saleem
Reply-To: "user@ranger.incubator.apache.org"
Date: Sunday, October 4, 2015 at 10:15 AM
To: "user@ranger.incubator.apache.org"
Subject: Re: Issues with usersync (LDAPS certificate not validated)

Is there any issue with JAVA keystore?

On Fri, Oct 2, 2015 at 9:59 AM, Aneela Saleem <ane...@platalytics.com> wrote:

Yes, the following command works fine

ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'

On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <bo...@apache.org> wrote:

It is surprising that it will just stop working. Are you able to do ldapsearch from command line? Just to make sure there is nothing wrong on the OpenLDAP side?

Thanks

Bosco

From: Aneela Saleem <ane...@platalytics.com>
Reply-To: <user@ranger.incubator.apache.org>
Date: Thursday, October 1, 2015 at 11:55 PM
To: <user@ranger.incubator.apache.org>
Subject: Re: Issues with usersync (LDAPS certificate not validated)

I also checked it on another machine. Same issue is there.

On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <ane...@platalytics.com> wrote:

I guess no JDK changes. And I re-checked the certificate, in fact generated a new one. Still same issue.

On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <dilli.do...@gmail.com> wrote:

Aneela,
Please check whether the certificate has expired.
Dilli

On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org> wrote:

Any other changes you can think of? JDK changes, etc.?

Thanks

Bosco

From: Aneela Saleem <ane...@platalytics.com>
Reply-To: <user@ranger.incubator.apache.org>
Date: Wednesday, September 30, 2015 at 9:37 PM
To: <user@ranger.incubator.apache.org>
Subject: Re: Issues with usersync (LDAPS certificate not validated)

It was working fine one month ago. But now the same issue has occurred.

On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <ane...@platalytics.com> wrote:

Hi all,

I followed all the following steps i.e.,

cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts

keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
(where cert.pem has the LDAPS cert)

Add java option
-Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
To
/usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh

Where it invokes java command like the following

nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .

But I'm unable to sync LDAP contacts in Ranger due to certificates validation issues. Following are the logs

30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Starting User Sync Service!
30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
30 Sep 2015 14:48:56 INFO UserGroupSync [UnixUserSyncThread] - ini
Re: Issues with usersync (LDAPS certificate not validated)
Is there any issue with JAVA keystore?

On Fri, Oct 2, 2015 at 9:59 AM, Aneela Saleem <ane...@platalytics.com> wrote:

> Yes, the following command works fine
>
> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
>
> On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <bo...@apache.org> wrote:
>
>> It is surprising that it will just stop working. Are you able to do ldapsearch from command line? Just to make sure there is nothing wrong on the OpenLDAP side?
>>
>> Thanks
>>
>> Bosco
>>
>> From: Aneela Saleem <ane...@platalytics.com>
>> Reply-To: <user@ranger.incubator.apache.org>
>> Date: Thursday, October 1, 2015 at 11:55 PM
>> To: <user@ranger.incubator.apache.org>
>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>
>> I also checked it on another machine. Same issue is there.
>>
>> On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <ane...@platalytics.com> wrote:
>>
>>> I guess no JDK changes. And I re-checked the certificate, in fact generated a new one. Still same issue.
>>>
>>> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <dilli.do...@gmail.com> wrote:
>>>
>>>> Aneela,
>>>> Please check whether the certificate has expired.
>>>> Dilli
>>>>
>>>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org> wrote:
>>>>
>>>>> Any other changes you can think of? JDK changes, etc.?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Bosco
>>>>>
>>>>> From: Aneela Saleem <ane...@platalytics.com>
>>>>> Reply-To: <user@ranger.incubator.apache.org>
>>>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>>>> To: <user@ranger.incubator.apache.org>
>>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>>
>>>>> It was working fine one month ago. But now the same issue has occurred.
>>>>>
>>>>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <ane...@platalytics.com> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I followed all the following steps i.e.,
>>>>>>
>>>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>
>>>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>> (where cert.pem has the LDAPS cert)
>>>>>>
>>>>>> Add java option
>>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>> To
>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>>>
>>>>>> Where it invokes java command like the following
>>>>>>
>>>>>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>>>>>
>>>>>> But I'm unable to sync LDAP contacts in Ranger due to certificates validation issues. Following are the logs
>>>>>>
>>>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Starting User Sync Service!
>>>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
>>>>>> 30 Sep 2015 14:48:56 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>>>>> 30 Sep 2015 14:48:57 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
Re: Issues with usersync (LDAPS certificate not validated)
I also checked it on another machine. Same issue is there.

On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <ane...@platalytics.com> wrote:

> I guess no JDK changes. And I re-checked the certificate, in fact generated a new one. Still same issue.
>
> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <dilli.do...@gmail.com> wrote:
>
>> Aneela,
>> Please check whether the certificate has expired.
>> Dilli
>>
>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org> wrote:
>>
>>> Any other changes you can think of? JDK changes, etc.?
>>>
>>> Thanks
>>>
>>> Bosco
>>>
>>> From: Aneela Saleem <ane...@platalytics.com>
>>> Reply-To: <user@ranger.incubator.apache.org>
>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>> To: <user@ranger.incubator.apache.org>
>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>
>>> It was working fine one month ago. But now the same issue has occurred.
>>>
>>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <ane...@platalytics.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I followed all the following steps i.e.,
>>>>
>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>
>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>> (where cert.pem has the LDAPS cert)
>>>>
>>>> Add java option
>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>> To
>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>
>>>> Where it invokes java command like the following
>>>>
>>>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>>>
>>>> But I'm unable to sync LDAP contacts in Ranger due to certificates validation issues. Following are the logs
>>>>
>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Starting User Sync Service!
>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
>>>> 30 Sep 2015 14:48:56 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>>> 30 Sep 2015 14:48:57 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
>>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
>>>> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 2160 milliseconds. Error details:
>>>> javax.naming.CommunicationException: simple bind failed: platalytics.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExcept
Re: Issues with usersync (LDAPS certificate not validated)
It is surprising that it will just stop working. Are you able to do ldapsearch from command line? Just to make sure there is nothing wrong on the OpenLDAP side?

Thanks

Bosco

From: Aneela Saleem <ane...@platalytics.com>
Reply-To: <user@ranger.incubator.apache.org>
Date: Thursday, October 1, 2015 at 11:55 PM
To: <user@ranger.incubator.apache.org>
Subject: Re: Issues with usersync (LDAPS certificate not validated)

> I also checked it on another machine. Same issue is there.
>
> On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <ane...@platalytics.com> wrote:
>> I guess no JDK changes. And I re-checked the certificate, in fact generated a new one. Still same issue.
>>
>> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <dilli.do...@gmail.com> wrote:
>>> Aneela,
>>> Please check whether the certificate has expired.
>>> Dilli
>>>
>>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org> wrote:
>>>> Any other changes you can think of? JDK changes, etc.?
>>>>
>>>> Thanks
>>>>
>>>> Bosco
>>>>
>>>> From: Aneela Saleem <ane...@platalytics.com>
>>>> Reply-To: <user@ranger.incubator.apache.org>
>>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>>> To: <user@ranger.incubator.apache.org>
>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>
>>>>> It was working fine one month ago. But now the same issue has occurred.
>>>>>
>>>>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <ane...@platalytics.com> wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I followed all the following steps i.e.,
>>>>>>
>>>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>
>>>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>> (where cert.pem has the LDAPS cert)
>>>>>>
>>>>>> Add java option
>>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>> To
>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>>>
>>>>>> Where it invokes java command like the following
>>>>>>
>>>>>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>>>>>
>>>>>> But I'm unable to sync LDAP contacts in Ranger due to certificates validation issues. Following are the logs
>>>>>>
>>>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Starting User Sync Service!
>>>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
>>>>>> 30 Sep 2015 14:48:56 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>>>>> 30 Sep 2015 14:48:57 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
>>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
>>>>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>>>> 30 Sep 2015
Re: Issues with usersync (LDAPS certificate not validated)
Yes, the following command works fine

ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'

On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <bo...@apache.org> wrote:

> It is surprising that it will just stop working. Are you able to do ldapsearch from command line? Just to make sure there is nothing wrong on the OpenLDAP side?
>
> Thanks
>
> Bosco
>
> From: Aneela Saleem <ane...@platalytics.com>
> Reply-To: <user@ranger.incubator.apache.org>
> Date: Thursday, October 1, 2015 at 11:55 PM
> To: <user@ranger.incubator.apache.org>
> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>
> I also checked it on another machine. Same issue is there.
>
> On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <ane...@platalytics.com> wrote:
>
>> I guess no JDK changes. And I re-checked the certificate, in fact generated a new one. Still same issue.
>>
>> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <dilli.do...@gmail.com> wrote:
>>
>>> Aneela,
>>> Please check whether the certificate has expired.
>>> Dilli
>>>
>>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org> wrote:
>>>
>>>> Any other changes you can think of? JDK changes, etc.?
>>>>
>>>> Thanks
>>>>
>>>> Bosco
>>>>
>>>> From: Aneela Saleem <ane...@platalytics.com>
>>>> Reply-To: <user@ranger.incubator.apache.org>
>>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>>> To: <user@ranger.incubator.apache.org>
>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>
>>>> It was working fine one month ago. But now the same issue has occurred.
>>>>
>>>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <ane...@platalytics.com> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I followed all the following steps i.e.,
>>>>>
>>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>
>>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>> (where cert.pem has the LDAPS cert)
>>>>>
>>>>> Add java option
>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>> To
>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>>
>>>>> Where it invokes java command like the following
>>>>>
>>>>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>>>>
>>>>> But I'm unable to sync LDAP contacts in Ranger due to certificates validation issues. Following are the logs
>>>>>
>>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Starting User Sync Service!
>>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
>>>>> 30 Sep 2015 14:48:56 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>>>> 30 Sep 2015 14:48:57 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
>>>>> 30 Sep 201
Re: Issues with usersync (LDAPS certificate not validated)
Any other changes you can think of? JDK changes, etc.?

Thanks

Bosco

From: Aneela Saleem <ane...@platalytics.com>
Reply-To: <user@ranger.incubator.apache.org>
Date: Wednesday, September 30, 2015 at 9:37 PM
To: <user@ranger.incubator.apache.org>
Subject: Re: Issues with usersync (LDAPS certificate not validated)

> It was working fine one month ago. But now the same issue has occurred.
>
> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <ane...@platalytics.com> wrote:
>> Hi all,
>>
>> I followed all the following steps i.e.,
>>
>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>
>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>> (where cert.pem has the LDAPS cert)
>>
>> Add java option
>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>> To
>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>
>> Where it invokes java command like the following
>>
>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>
>> But I'm unable to sync LDAP contacts in Ranger due to certificates validation issues. Following are the logs
>>
>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Starting User Sync Service!
>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
>> 30 Sep 2015 14:48:56 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>> 30 Sep 2015 14:48:57 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
>> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 2160 milliseconds. Error details:
>> javax.naming.CommunicationException: simple bind failed: platalytics.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>> at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>> at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>> at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>> at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>> at javax.naming.InitialContext.init(InitialContext.java:242)
>> at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>> at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>> at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>> at org.apache.ranger.usergro
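An offline check related to the steps quoted above, as an added example that is not part of the original thread or of Ranger: it loads a trust store such as userSyncCAcerts and a PEM certificate such as cert.pem, and reports whether the certificate is an entry in the store or chains directly to one. The class name TrustStoreCheck and its two arguments are assumptions; revocation checking is switched off, so only the trust path is tested.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;

// Added example (hypothetical class name), not Ranger code: offline trust check.
public class TrustStoreCheck {
    /** Returns "DIRECT:<alias>", "PKIX_OK" or "UNTRUSTED:<reason>". */
    static String check(KeyStore store, X509Certificate cert) throws Exception {
        // Case 1: this exact certificate is an entry (e.g. imported with keytool -import).
        String alias = store.getCertificateAlias(cert);
        if (alias != null) return "DIRECT:" + alias;
        // Case 2: the certificate has to chain to a trusted entry in the store.
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.singletonList(cert));
        PKIXParameters params = new PKIXParameters(store); // trusted entries become anchors
        params.setRevocationEnabled(false);                // trust path only, no CRL/OCSP
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return "PKIX_OK";
        } catch (CertPathValidatorException e) {
            return "UNTRUSTED:" + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 2 || console == null) {
            System.err.println("usage (from a terminal): java TrustStoreCheck <truststore> <cert.pem>");
            System.exit(2);
        }
        char[] pass = console.readPassword("trust store password: ");
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            store.load(in, pass);
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[1])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("subject:   " + cert.getSubjectX500Principal());
        System.out.println("issuer:    " + cert.getIssuerX500Principal());
        System.out.println("not after: " + cert.getNotAfter());
        System.out.println("result:    " + check(store, cert));
    }
}
```

An UNTRUSTED result for the certificate the LDAPS server currently presents means the store has no entry for that certificate or for its direct issuer.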
Re: Issues with usersync (LDAPS certificate not validated)
It was working fine one month ago. But now the same issue has occurred.

On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <ane...@platalytics.com> wrote:

> Hi all,
>
> I followed all the following steps i.e.,
>
> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>
> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
> (where cert.pem has the LDAPS cert)
>
> Add java option
> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
> To
> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>
> Where it invokes java command like the following
>
> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>
> But I'm unable to sync LDAP contacts in Ranger due to certificates validation issues. Following are the logs
>
> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Starting User Sync Service!
> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
> 30 Sep 2015 14:48:56 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
> 30 Sep 2015 14:48:57 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 2160 milliseconds. Error details:
> javax.naming.CommunicationException: simple bind failed: platalytics.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
> at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
> at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
> at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
> at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
> at javax.naming.InitialContext.init(InitialContext.java:242)
> at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
> at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
> at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
> at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
> at