Error Validating Ldap Url And Credentials
Question by Sushil Saxena · Jan 19 at 07:20 PM · security, hiveserver2, ldap

HiveServer2 LDAP authentication

We are using HDP 2.3, Ambari 2.1. I have set up the following:

    HiveServer2 Authentication = LDAP
    hive.server2.authentication.ldap.baseDN: ou = People,o=xx.com
    hive.server2.authentication.ldap.url = ldaps://my.ldaps.url.net

I run

    beeline> !connect jdbc:hive2://myHiveServer2:10000/default

I can type any username and password, it allows me in. It is not validating the LDAP user authentication. What needs to be done, so that the HiveServer2 jdbc connectivity should run with LDAPS user authentication?

Note: I have already tested the below from the HiveServer2 server and it works fine:

    ldapsearch -x -H ldaps://my.ldaps.url.net -b o=xx.com "(uid=userid@xx.com)"

Comment by Artem Ervits · Feb 03 at 01:32 AM

@Sushil Saxena are you still having issues with this? Can you accept best answer or provide your workaround?

Answer by Ancil McBarnett · Jan 20 at 03:26 AM

Which LDAP? Are you using OpenLDAP? FreeIPA? Active Directory? If you are using AD, you need to set hive.server2.authentication.ldap.Domain not hive.server2.authentication.ldap.baseDN

Your Cert? Also how did you import your cert? Did you do a keytool -import? Is it on the same node as the HiveServer2? Can you try importing it into the JAVA_HOME/jre/lib/security/cacerts instead

    keytool -import -trustcacerts -alias
https://community.hortonworks.com/questions/10633/hiverserver2-ldap-authentication.html

https://community.cloudera.com/t5/Web-UI-Hue-Beeswax/Hue-Hive-Query-Browser-Error-when-LDAP-is-configured/td-p/7069

Hue / Hive Query Browser Error when LDAP is configured [Edited]

JamesConner · 03-04-2014 02:48 PM - edited 03-04-2014 04:36 PM

Environment: CDH5B2, using the parcels installation method in Cloudera Manager.

Problem: After enabling LDAP authentication against Active Directory for Hue and Hiveserver2 via CM, the Hive Query Browser in Hue gives an error of "Bad status: 3 (Error validating the login)"

Hue config:

    [desktop]
    [[auth]]
    backend=desktop.auth.backend.LdapBackend
    [[ldap]]
    ldap_url=ldaps://somecompany.com/
    nt_domain=somecompany.com
    base_dn = "DC=somecompany,DC=com"
    bind_dn = "CN=Bind User,OU=Services,OU=Users,OU=Enterprise,DC=somecompany,DC=com"
    bind_password = "password"
    ignore_username_case=true
    force_username_lowercase=true
    search_bind_authentication=false
    ldap_cert=/etc/hue/somecompany.cer
    use_start_tls = False
    [[[users]]]
    user_filter = objectclass=person
    user_name_attr = sAMAccountName
    [[[groups]]]
    group_filter = objectclass=*
    gro
We're using this blog to answer common questions and provide interesting solutions to the real-world scenarios that our customers encounter every day.

http://fusionsecurity.blogspot.com/2011/03/oam-11g-connecting-to-ldap-id-store.html
http://www.ssotutorial.com/category/oam/

NOTICE: All our posts and much more can now be found at http://www.ateam-oracle.com/category/identity-management/

Wednesday, March 23, 2011

OAM 11g Connecting to an LDAP ID store over SSL (LDAPS)

Connecting to an LDAP ID store in OAM 11g over SSL (LDAPS) is a common scenario that many customers may need to implement. Unfortunately the documentation on this subject is scant and can be misleading. So as part of the OAM 11g Academy series, I'd like to discuss this common scenario. To view the first post on the OAM 11g policy model, as well as the index to the entire OAM 11g Academy series, click here: http://fusionsecurity.blogspot.com/2011/02/oracle-access-manager-11g-academy.html.

The documentation to manage data sources can be found in Chapter 3. The section titled "Managing User Identity Store and OAM Administration Registration" describes how to register a new identity store. Specifically, Table 3-2 describes all the possible elements required to register. Looking at the 'LDAP URL' element we have the following:

    The URL for the LDAP host, including the port number.
    For example, the default embedded LDAP host might be: ldap://localhost:7001
    You can also specify ldaps://, which supports SSL_NO_AUTH.

That's it! Good luck :)

So what does it all mean and what do I do if the LDAPS connection fails?

SSL_NO_AUTH basically means a self-signed certificate, no authentication required.
1-way and 2-way SSL modes are not supported at this time.

Once you set up the identity store using LDAPS you should always test the connection via the 'Test Connection' button located at the top as shown here:

If there are any issues with the connection you will see an error like the one below:

You may also find an exception in the oam-diagnostic logs as follows:

####

mode and if there is any issue with the certs, webgate communication fails with the OAM server. You can observe the below errors in the logs.

OAM diagnostic logs

    javax.net.ssl.SSLHandshakeException: SSL handshake failed.
        at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:426)
        at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
        at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
        at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
        at org.apache.mina.common.DefaultIoFilterChain$HeadFilter.messageReceived(DefaultIoFilterChain.java:607)
        at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
        at org.apache.mina.common.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:399)
        at org.apache.mina.common.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:425)
        at org.apache.mina.common.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:387)
        at org.apache.mina.common.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:379)
        at org.apache.mina.common.AbstractPollingIoProcessor.access$400(AbstractPollingIoProcessor.java:43)
        at org.apache.mina.common.AbstractPollingIoProcessor$Worker.run(AbstractPollingIoProcessor.java:678)
        at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
        at oracle.security.am.proxy.oam.mina.CommonJWorkImpl.run(CommonJWorkImpl.java:41)
        at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:184)
        at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
    Caused by: javax.net.ssl.SSLException: Received fatal alert: bad_certificate

If you don’t know which webgate is having the issue, you can enable the debug trace logs in OAM and you can see the below error along with the SSL handshake error.

    Client connection closed. Connection id