Hi Bosco,

The problem is resolved.

I followed this link <http://www.openldap.org/faq/data/cache/185.html> to generate certificates. There were two certificates, i.e., cacertificate.pem and servercrt.pem. And also there was a server key, i.e., serverkey.pem. (I provided a CN in the certificates similar to the hostname of the LDAP server, i.e., platalytics.com, whereas my machine hostname was aneela-Lenovo-G50-70; I have some confusion between these two hostnames.) Then I followed the above method provided by Alok and set the following configuration parameters in the core-site.xml file, i.e.:

    <property>
      <name>hadoop.security.group.mapping.ldap.ssl</name>
      <value>true</value>
    </property>
    <property>
      <name>hadoop.security.group.mapping.ldap.ssl.keystore</name>
      <value>/usr/local/ranger-usersync/userSyncCAcerts</value>
    </property>
    <property>
      <name>hadoop.security.group.mapping.ldap.ssl.keystore.password.file</name>
      <value>/etc/ldap/passfile</value>
    </property>

But I still have some confusion in generating certificates, whether to provide the machine hostname or the LDAP server hostname as the CN.

On Sun, Aug 30, 2015 at 6:30 AM, Don Bosco Durai <[email protected]> wrote:

> Aneela, are you able to connect to LDAPS using ldapsearch? If you do, how
> did you configure the certificate? We need to do a similar thing for user
> sync also.
>
> Thanks
>
> Bosco
>
>
> From: Aneela Saleem <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Tuesday, August 25, 2015 at 1:21 PM
> To: "[email protected]" <[email protected]>
> Subject: Re: UserSync with ldaps (LDAP over SSL)
>
> The issue is still unresolved. Can someone please guide me? I can't make
> any progress.
>
> On Tue, Aug 25, 2015 at 9:21 PM, Aneela Saleem <[email protected]> wrote:
>
>> Hi Alok!
>>
>> Can you please see the above issue? And tell me ASAP because I'm stuck at
>> this point.
>>
>> On Tue, Aug 25, 2015 at 12:05 AM, Aneela Saleem <[email protected]> wrote:
>>
>>> I wrote
>>>
>>>     nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>
>>> in the /usr/local/ranger-usersync/ranger-usersync-services.sh file. I'm
>>> still getting errors; following are the logs:
>>>
>>> 25 Aug 2015 00:01:52 INFO UnixAuthenticationService [main] - Starting User Sync Service!
>>> 25 Aug 2015 00:01:52 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
>>> 25 Aug 2015 00:01:52 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>> 25 Aug 2015 00:01:52 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
>>> 25 Aug 2015 00:01:53 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
>>> 25 Aug 2015 00:01:53 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
>>> 25 Aug 2015 00:01:53 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
>>> 25 Aug 2015 00:01:53 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
>>> 25 Aug 2015 00:01:53 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
>>> 25 Aug 2015 00:01:53 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>> 25 Aug 2015 00:01:53 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
>>> 25 Aug 2015 00:01:53 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
>>> 25 Aug 2015 00:01:53 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
>>> 25 Aug 2015 00:01:53 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 21600000 milliseconds. Error details:
>>> javax.naming.CommunicationException: simple bind failed: 127.0.0.1:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>>>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>>     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>>     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>>     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>>     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>>     at javax.naming.InitialContext.init(InitialContext.java:242)
>>>     at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>>>     at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>>     at java.lang.Thread.run(Thread.java:745)
>>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>>>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>>>     at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:889)
>>>     at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
>>>     at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
>>>     at java.io.BufferedInputStream.read1(BufferedInputStream.java:275)
>>>     at java.io.BufferedInputStream.read(BufferedInputStream.java:334)
>>>     at com.sun.jndi.ldap.Connection.run(Connection.java:855)
>>>     ... 1 more
>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>     at sun.security.validator.Validator.validate(Validator.java:260)
>>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>     ... 12 more
>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>     ... 18 more
>>> root@aneela-Lenovo-G50-70:/var/log/ranger/usersync# tail -f usersync.log
>>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>     ... 12 more
>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>     ... 18 more
>>>
>>>
>>> On Mon, Aug 24, 2015 at 10:26 PM, Alok Lal <[email protected]> wrote:
>>>
>>>> I have the following snippet from an answer that Dilli Arumugam had
>>>> provided to someone else in the past on a different forum for this
>>>> problem. You could give that a try. He has not only explained the main
>>>> issue but also offered a recipe to solve it.
>>>>
>>>> If the certificate of AD (used for ldaps) is issued by a well-known CA
>>>> (that is trusted by the out-of-the-box JDK trust store), LDAPS with AD
>>>> should work seamlessly. If the certificate is self-signed, you have to
>>>> import the LDAPS certificate into a local trust store and point the JDK
>>>> to use that truststore.
>>>>
>>>> For example:
>>>>
>>>>     cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>
>>>>     keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>
>>>> (where cert.pem has the LDAPS cert)
>>>>
>>>> Add the java option
>>>>
>>>>     -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>
>>>> to /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh,
>>>> where it invokes the java command like the following:
>>>>
>>>>     nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>>>
>>>>
>>>>
>>>> From: Aneela Saleem
>>>> Reply-To: "[email protected]"
>>>> Date: Monday, August 24, 2015 at 3:04 AM
>>>> To: "[email protected]"
>>>> Subject: UserSync with ldaps (LDAP over SSL)
>>>>
>>>> Hi all,
>>>>
>>>> I have changed the ldap url from ldap:/// to ldaps:/// in the
>>>> Ranger-UserSync install.properties file, but it fails to sync LDAP users.
>>>> Following are the logs from the usersync plugin, and attached is the
>>>> install.properties file. Can you please have a look and pinpoint where
>>>> I should write the certificate path?
>>>>
>>>> javax.naming.CommunicationException: simple bind failed: 127.0.0.1:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>>>>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>>>     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>>>     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>>>     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>>>     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>>>     at javax.naming.InitialContext.init(InitialContext.java:242)
>>>>     at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>>>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>>>>     at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>>>     at java.lang.Thread.run(Thread.java:745)
>>>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>>>>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>>>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>>>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>>>>     at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:889)
>>>>     at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
>>>>     at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
>>>>     at java.io.BufferedInputStream.read1(BufferedInputStream.java:275)
>>>>     at java.io.BufferedInputStream.read(BufferedInputStream.java:334)
>>>>     at com.sun.jndi.ldap.Connection.run(Connection.java:855)
>>>>     ... 1 more
>>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>>     at sun.security.validator.Validator.validate(Validator.java:260)
>>>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>>     ... 12 more
>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>>     ... 18 more
>>>> root@aneela-Lenovo-G50-70:/var/log/ranger/usersync# tail -f usersync.log
>>>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>>     ... 12 more
>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>>     ... 18 more
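The thread's recipe (import the LDAPS CA cert into a copy of the JDK cacerts and point the JVM at it) and the open CN question can both be checked without restarting usersync. The following probe is an added example, not Ranger code or anything the posters wrote: it loads the trust store the thread builds, performs only the TLS handshake against the LDAPS port, and turns on the JDK's "LDAPS" endpoint identification so that a trust-store gap and a CN/SAN mismatch produce different, explicit messages. The defaults (platalytics.com, /usr/local/ranger-usersync/userSyncCAcerts, port 636, the JDK cacerts default password "changeit") are assumptions taken from the thread; the host you pass must be the one named in the ldaps:// URL, because that is the name the certificate's CN or SAN is compared against.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

public class LdapsTrustProbe {

    // Builds an SSLSocketFactory from the JKS trust store produced by "keytool -import".
    static SSLSocketFactory factoryFor(String trustStorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Performs only the TLS handshake (no LDAP bind) and reports the outcome.
    // Endpoint identification "LDAPS" makes the JDK check the server certificate's
    // SAN/CN against `host`, i.e. the name in the ldaps:// URL, not the name of
    // the machine running usersync.
    static String probe(String host, int port, SSLSocketFactory factory) {
        try (SSLSocket sock = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("LDAPS");
            sock.setSSLParameters(params);
            sock.startHandshake();
            X509Certificate leaf = (X509Certificate) sock.getSession().getPeerCertificates()[0];
            return "OK: trusted chain, server cert subject = " + leaf.getSubjectX500Principal().getName();
        } catch (SSLHandshakeException e) {
            // "PKIX path building failed" = CA cert missing from the trust store;
            // "No name matching ..." / "No subject alternative names ..." = CN/SAN mismatch.
            return "HANDSHAKE FAILED: " + e.getMessage();
        } catch (Exception e) {
            return "ERROR: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical defaults taken from the thread; override on the command line.
        String host = args.length > 0 ? args[0] : "platalytics.com";
        String trustStore = args.length > 1 ? args[1] : "/usr/local/ranger-usersync/userSyncCAcerts";
        // A copied JDK cacerts file keeps the JDK default password "changeit" unless changed.
        String password = args.length > 2 ? args[2] : "changeit";
        System.out.println(probe(host, 636, factoryFor(trustStore, password.toCharArray())));
    }
}
```

Run it once against the same trust store and host usersync uses; whether JNDI itself enforces the hostname check for LDAPS depends on the JDK version, so a mismatch reported here may not surface in usersync's own log but is still worth fixing.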
