Aneela, are you able to connect to LDAPS using ldapsearch? If you do, how
did you configure the certificate? We need to do a similar thing for user sync
also.

Thanks

Bosco


From:  Aneela Saleem <[email protected]>
Reply-To:  "[email protected]"
<[email protected]>
Date:  Tuesday, August 25, 2015 at 1:21 PM
To:  "[email protected]" <[email protected]>
Subject:  Re: UserSync with ldaps (LDAP over SSL)

> The issue is still unresolved. Can someone please guide me. I can't make any
> progress.
> 
> On Tue, Aug 25, 2015 at 9:21 PM, Aneela Saleem <[email protected]> wrote:
>> Hi Alok!
>> 
>> Can you please see the above issue? And tell me ASAP because I'm stuck at
>> this point.
>> 
>> On Tue, Aug 25, 2015 at 12:05 AM, Aneela Saleem <[email protected]>
>> wrote:
>>> I wrote nohup java
>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>> in the /usr/local/ranger-usersync/ranger-usersync-services.sh file. I'm
>>> still getting errors; the following are the logs:
>>> 
>>> 25 Aug 2015 00:01:52  INFO UnixAuthenticationService [main] - Starting User
>>> Sync Service!
>>> 25 Aug 2015 00:01:52  INFO UnixAuthenticationService [main] - Enabling Unix
>>> Auth Service!
>>> 25 Aug 2015 00:01:52  INFO UserGroupSync [UnixUserSyncThread] - initializing
>>> sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>> 25 Aug 2015 00:01:52  WARN NativeCodeLoader [main] - Unable to load
>>> native-hadoop library for your platform... using builtin-java classes where
>>> applicable
>>> 25 Aug 2015 00:01:53  INFO UnixAuthenticationService [main] - Enabling
>>> Protocol: [SSLv2Hello]
>>> 25 Aug 2015 00:01:53  INFO UnixAuthenticationService [main] - Enabling
>>> Protocol: [TLSv1]
>>> 25 Aug 2015 00:01:53  INFO UnixAuthenticationService [main] - Enabling
>>> Protocol: [TLSv1.1]
>>> 25 Aug 2015 00:01:53  INFO UnixAuthenticationService [main] - Enabling
>>> Protocol: [TLSv1.2]
>>> 25 Aug 2015 00:01:53  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
>>> LdapUserGroupBuilder created
>>> 25 Aug 2015 00:01:53  INFO UserGroupSync [UnixUserSyncThread] - initializing
>>> source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>> 25 Aug 2015 00:01:53  INFO UserGroupSync [UnixUserSyncThread] - Begin:
>>> initial load of user/group from source==>sink
>>> 25 Aug 2015 00:01:53  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
>>> LDAPUserGroupBuilder updateSink started
>>> 25 Aug 2015 00:01:53  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
>>> LdapUserGroupBuilder initialization started
>>> 25 Aug 2015 00:01:53 ERROR UserGroupSync [UnixUserSyncThread] - Failed to
>>> initialize UserGroup source/sink. Will retry after 21600000 milliseconds.
>>> Error details: 
>>> javax.naming.CommunicationException: simple bind failed: 127.0.0.1:636
>>> <http://127.0.0.1:636>  [Root exception is
>>> javax.net.ssl.SSLHandshakeException:
>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>> valid certification path to requested target]
>>> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>> at 
>>> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>> at 
>>> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>> at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>> at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>> at javax.naming.InitialContext.init(InitialContext.java:242)
>>> at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>> at 
>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContex
>>> t(LdapUserGroupBuilder.java:149)
>>> at 
>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapU
>>> serGroupBuilder.java:261)
>>> at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>> at java.lang.Thread.run(Thread.java:745)
>>> Caused by: javax.net.ssl.SSLHandshakeException:
>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>> valid certification path to requested target
>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>> at 
>>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:14
>>> 46)
>>> at 
>>> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>> at 
>>> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:13
>>> 32)
>>> at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:889)
>>> at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
>>> at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
>>> at java.io.BufferedInputStream.read1(BufferedInputStream.java:275)
>>> at java.io.BufferedInputStream.read(BufferedInputStream.java:334)
>>> at com.sun.jndi.ldap.Connection.run(Connection.java:855)
>>> ... 1 more
>>> Caused by: sun.security.validator.ValidatorException: PKIX path building
>>> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
>>> to find valid certification path to requested target
>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>> at 
>>> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>> at sun.security.validator.Validator.validate(Validator.java:260)
>>> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>> at 
>>> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java
>>> :231)
>>> at 
>>> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImp
>>> l.java:126)
>>> at 
>>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:14
>>> 28)
>>> ... 12 more
>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>>> unable to find valid certification path to requested target
>>> at 
>>> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBui
>>> lder.java:196)
>>> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>> ... 18 more
>>> 
>>> 
>>> On Mon, Aug 24, 2015 at 10:26 PM, Alok Lal <[email protected]> wrote:
>>>> I have the following snippet from an answer that Dilli Arumugam had
>>>> provided to someone else in the past on a different forum for this problem.
>>>> You could give that a try. He has not only explained the main issue but
>>>> also offered a recipe to solve it.
>>>> 
>>>>> If the certificate of AD (used for ldaps) is issued by a well-known CA (that
>>>>> is trusted by the out-of-the-box JDK trust store), LDAPS with AD should work
>>>>> seamlessly. If the certificate is self-signed, you have to import the
>>>>> LDAPS certificate into a local trust store and point the JDK to use that
>>>>> truststore.
>>>>> 
>>>>> For example:
>>>>> 
>>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts
>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>> 
>>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore
>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>> (where cert.pem has the LDAPS cert)
>>>>> 
>>>>> Add the java option
>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>> to
>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>> 
>>>>> where it invokes the java command like the following:
>>>>> 
>>>>> nohup java
>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>>>> 
>>>> 
>>>> From: Aneela Saleem
>>>> Reply-To: "[email protected]"
>>>> Date: Monday, August 24, 2015 at 3:04 AM
>>>> To: "[email protected]"
>>>> Subject: UserSync with ldaps (LDAP over SSL)
>>>> 
>>>> Hi all, 
>>>> 
>>>> I have changed the ldap url from ldap:/// to ldaps:/// in the Ranger-UserSync
>>>> install.properties file, but it fails to sync LDAP users. The following are
>>>> the logs from the usersync plugin, and attached is the install.properties file.
>>>> Can you please have a look and pinpoint where I should write the
>>>> certificate path?
>>>> 
>>>> javax.naming.CommunicationException: simple bind failed: 127.0.0.1:636
>>>> <http://127.0.0.1:636>  [Root exception is
>>>> javax.net.ssl.SSLHandshakeException:
>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>> valid certification path to requested target]
>>>> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>>> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>>> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>>> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>>> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>>> at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>>> at 
>>>> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>>> at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>>> at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>>> at javax.naming.InitialContext.init(InitialContext.java:242)
>>>> at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>>> at 
>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapConte
>>>> xt(LdapUserGroupBuilder.java:149)
>>>> at 
>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(Ldap
>>>> UserGroupBuilder.java:261)
>>>> at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>>> at java.lang.Thread.run(Thread.java:745)
>>>> Caused by: javax.net.ssl.SSLHandshakeException:
>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>> valid certification path to requested target
>>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>>> at 
>>>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1
>>>> 446)
>>>> at 
>>>> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>>> at 
>>>> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1
>>>> 332)
>>>> at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:889)
>>>> at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
>>>> at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
>>>> at java.io.BufferedInputStream.read1(BufferedInputStream.java:275)
>>>> at java.io.BufferedInputStream.read(BufferedInputStream.java:334)
>>>> at com.sun.jndi.ldap.Connection.run(Connection.java:855)
>>>> ... 1 more
>>>> Caused by: sun.security.validator.ValidatorException: PKIX path building
>>>> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
>>>> to find valid certification path to requested target
>>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>>> at 
>>>> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>> at sun.security.validator.Validator.validate(Validator.java:260)
>>>> at 
>>>> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:32
>>>> 6)
>>>> at 
>>>> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.jav
>>>> a:231)
>>>> at 
>>>> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerIm
>>>> pl.java:126)
>>>> at 
>>>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1
>>>> 428)
>>>> ... 12 more
>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>>>> unable to find valid certification path to requested target
>>>> at 
>>>> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBu
>>>> ilder.java:196)
>>>> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>> ... 18 more
>>>> 
>>> 
>> 
> 
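Added here as an editor's example, not code from the thread or from Ranger: a small Java pre-flight check that loads the JKS trust store the quoted recipe builds plus the LDAPS server's PEM certificate chain, and runs the same PKIX validation the TLS handshake performs, so the "unable to find valid certification path to requested target" failure can be reproduced and fixed before restarting UserSync. The class name, the command-line arguments and the rule that a chain certificate already present in the store counts as a trust anchor (mirroring JSSE's trust manager) are my assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
// Pre-flight check for the PKIX error in the thread, mirroring JSSE's rule: a chain
// cert already present in the trust store is an anchor; the rest must PKIX-validate.
public class TrustStoreCheck {
    static boolean chainTrusted(KeyStore ts, List<X509Certificate> chain) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        Set<Certificate> trusted = new HashSet<>();
        for (String alias : Collections.list(ts.aliases())) {
            if (!ts.isCertificateEntry(alias)) continue;
            X509Certificate c = (X509Certificate) ts.getCertificate(alias);
            anchors.add(new TrustAnchor(c, null));
            trusted.add(c);
        }
        // Cut the chain at the first cert that is itself in the store (the leaf, if
        // the LDAPS cert was imported directly as in the recipe quoted above).
        List<X509Certificate> toValidate = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (trusted.contains(c)) break;                // reached an anchor
            toValidate.add(c);
        }
        if (toValidate.isEmpty()) return !chain.isEmpty(); // leaf itself is trusted
        if (anchors.isEmpty()) return false;               // nothing to chain to
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // offline check; CRL/OCSP are not reachable here
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(toValidate);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException ex) {
            // getIndex() is the offending cert's position in the path; -1 means no anchor matched
            System.out.println("PKIX failed at index " + ex.getIndex() + ": " + ex.getMessage());
            return false;
        }
    }

    // Usage: java TrustStoreCheck <truststore> <storepass> <server-chain.pem>
    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) { ts.load(in, args[1].toCharArray()); }
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[2])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                chain.add((X509Certificate) c);
        }
        System.out.println(chainTrusted(ts, chain) ? "chain trusted" : "chain NOT trusted");
    }
}
```

Run it against the userSyncCAcerts file from the recipe and the PEM exported from the LDAPS server; "chain NOT trusted" with a printed index means the import step, not the -Djavax.net.ssl.trustStore option, is what still needs fixing.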
