I see the same behavior and here's the reason.

LdapAuthenticationProviderImpl - that's the one responsible for LDAP
authentication in Hive. Look at this class. It has this snippet (CDH 4.2.1,
Hive 0.10):

    // set up the security principal
    String bindDN;
    if (baseDN != null) {
      bindDN = "uid=" + user + "," + baseDN;
    } else {
      bindDN = user;
    }

And according to Cloudera documentation, you're supposed to set the baseDN
param for OpenLDAP, but not for AD. So when this baseDN isn't present, Hive
takes the username as it is (say user1) and tries to bind to the LDAP server,
which works.

When you set this baseDN, it constructs the bind string as
uid=user1,dc=wizetest,dc=com. But most likely, your OpenLDAP expects it to
be cn=user1,dc=wizetest,dc=com instead; the uid attribute isn't being used.

I think the way to go is to provide your own LDAP authenticator, which has
more control over how to generate the LDAP bind string.

Mikhail




2013/8/23 Sanjay Subramanian <sanjay.subraman...@wizecommerce.com>

>  Hi guys
>
>  I tested hiveserver2 with Active Directory - it works
> With OpenLDAP it does not
>
>  Is there any specific syntax for specifying the LDAP url or baseDN ?
>
>  <property>
>   <name>hive.server2.authentication.ldap.url</name>
>   <value>ldap://myserver.corp.nextag.com:389</value>
> </property>
> <property>
>   <name>hive.server2.authentication.ldap.baseDN</name>
>   <value>dc=wizetest,dc=com</value>
> </property>
>
>  Beeline keeps giving error
>
>  jdbc:hive2://dev-thdp5:10000> !connect jdbc:hive2://dev-thdp5:10000
> hiveuser1 ******** org.apache.hive.jdbc.HiveDriver
> Connecting to jdbc:hive2://dev-thdp5:10000
> Error: Could not establish connection to jdbc:hive2://dev-thdp5:10000:
> Peer indicated failure: Error validating the login (state=08S01,code=0)
>
>  Any clues ?
>
>  Thanks
>
>  sanjay



-- 
Thanks,
Michael Antonov
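
An added example, not part of the original message and not Hive's code: one way an authenticator could take control of the bind string, with the RDN attribute made configurable so that it can produce cn=user1,dc=wizetest,dc=com instead of uid=user1,dc=wizetest,dc=com. The class name, the rdnAttr setting and the example.invalid host are assumptions; it uses plain JNDI, and wiring it into HiveServer2 is not shown.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Rdn;

// Added example, not Hive's code: plain JNDI so it compiles without Hive on the classpath.
public class ConfigurableBindDnAuthenticator {
    private final String ldapUrl; // same meaning as hive.server2.authentication.ldap.url
    private final String baseDN;  // same meaning as ...ldap.baseDN; null = bind with the bare name
    private final String rdnAttr; // hypothetical setting: "uid", "cn", ...

    public ConfigurableBindDnAuthenticator(String ldapUrl, String baseDN, String rdnAttr) {
        this.ldapUrl = ldapUrl;
        this.baseDN = baseDN;
        this.rdnAttr = rdnAttr;
    }

    // Same shape as the snippet in the message, but the attribute is configurable and
    // the user name is escaped so a comma or plus sign in it cannot alter the DN.
    String bindDn(String user) {
        return baseDN == null ? user : rdnAttr + "=" + Rdn.escapeValue(user) + "," + baseDN;
    }

    public void authenticate(String user, String password) throws NamingException {
        // A simple bind with an empty password is an unauthenticated bind
        // (RFC 4513, section 5.1.2) that a server may accept, so refuse it here.
        if (user == null || user.isEmpty() || password == null || password.isEmpty()) {
            throw new AuthenticationException("empty user name or password");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn(user));
        env.put(Context.SECURITY_CREDENTIALS, password);
        new InitialDirContext(env).close(); // throws NamingException if the bind fails
    }

    public static void main(String[] args) {
        // Constructed values; only the DN construction runs, no server is contacted.
        ConfigurableBindDnAuthenticator auth = new ConfigurableBindDnAuthenticator(
                "ldap://ldap.example.invalid:389", "dc=wizetest,dc=com", "cn");
        System.out.println(auth.bindDn("user1"));
        System.out.println(auth.bindDn("user1,ou=admins"));
    }
}
```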
