Details
- Type: Bug
- Status: Resolved
- Priority: Critical
- Resolution: Fixed
- Fix Version: 2.7.1
Description
STR:
1. Install Ambari
2. Get the certificate for a secure LDAP (LDAPS) connection to your AD server.
3. Generate an Ambari truststore containing the LDAPS certificate.
4. Set up Ambari to use LDAPS, providing that truststore.
2018-08-20 18:38:04,763 DEBUG com.hw.commonuifrm.impl.commands.CommandExecutorImpl.executeCommand(): Sending command [(echo "admin" ; echo "admin") | ambari-server sync-ldap --users /tmp/users.txt --groups /tmp/groups.txt]
2018-08-20 18:38:05,666 DEBUG com.hw.commonuifrm.impl.commands.ProcessDataImpl.buildOutputAndErrorStreamData(): /usr/lib64/python2.7/getpass.py:83: GetPassWarning: Can not control echo on the terminal. passwd = fallback_getpass(prompt, stream) Warning: Password input may be echoed. Enter Ambari Admin password:
2018-08-20 18:38:07,169 INFO com.hw.ambari.ui.util.cluster_managers.LDAPClusterManager.ambariServerSyncLDAPWithAD(): Result: Using python /usr/bin/python Syncing with LDAP... Enter Ambari Admin login: Fetching LDAP configuration from DB. Syncing specified users and groups...ERROR: Exiting with exit code 1. REASON: Caught exception running LDAP sync. ***.com:636; nested exception is javax.naming.CommunicationException: ***.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ***.com found.]
2018-08-20 18:38:07,170 INFO com.hw.ambari.ui.tests.console.ldap.TestLDAPSOnAD.test010_AmbariSynchronizeWithADThroughLDAPS(): AMBARI LDAPS synchronization result: Using python /usr/bin/python Syncing with LDAP... Enter Ambari Admin login: Fetching LDAP configuration from DB. Syncing specified users and groups...ERROR: Exiting with exit code 1. REASON: Caught exception running LDAP sync. ***.com:636; nested exception is javax.naming.CommunicationException: ***.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ***.com found.]
The issue is that the AD server's certificate contains a section:
X509v3 Subject Alternative Name: othername:<unsupported>, DNS:***-2.COM
As you can see, this does not match the host name we use to connect to the AD server (***.com:636). Even though this is a certificate issue, the connection should still be able to open and we should be able to sync LDAP users/groups.
Important note: it's reproducible only with OpenJDK (I used openjdk-1.8.0.181-3.b13.el7_5.x86_64); it works properly with Oracle's JDK.
Recommended solution
We can disable endpoint identification while the client negotiates the SSL handshake with the server by setting com.sun.jndi.ldap.object.disableEndpointIdentification to true (see https://github.com/ojdkbuild/lookaside_java-1.8.0-openjdk/blob/master/jdk/src/share/classes/com/sun/jndi/ldap/Connection.java#L386). This should not be set by default, but end users may set it when configuring LDAP if they face this issue.
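A preflight check for the mismatch described above, added here as an example (not Ambari or JDK code): it parses the SAN line as printed by openssl x509 -text and applies the kind of RFC 6125 hostname matching that Java's endpoint identification performs, so an operator can tell whether the configured host is covered before reaching for the disable property. The SAN line and host names are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample SAN line in the form printed by `openssl x509 -text`;
# the host names below are placeholders, not the masked names from the report.
SAMPLE_SAN_LINE = ("X509v3 Subject Alternative Name: othername:<unsupported>, "
                   "DNS:AD-2.EXAMPLE.COM, DNS:*.corp.example.com")

# Workaround property named in this report (read by the JDK's LDAP Connection class).
DISABLE_PROPERTY = "com.sun.jndi.ldap.object.disableEndpointIdentification"


def parse_san_dns(san_line: str) -> List[str]:
    """Extract the dNSName entries from an openssl-printed SAN line, lower-cased.
    othername/IP/email entries are skipped: they never satisfy a hostname check."""
    return [name.lower().rstrip(".") for name in re.findall(r"DNS:([^,\s]+)", san_line)]


def hostname_matches(hostname: str, san_dns: List[str]) -> bool:
    """RFC 6125-style matching: exact case-insensitive match, or a wildcard that is
    the whole leftmost label and covers exactly one label (no match for the bare
    base domain, no partial-label wildcards)."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_dns:
        labels = name.split(".")
        if labels == host_labels:
            return True
        if (labels[0] == "*" and len(labels) == len(host_labels) >= 3
                and labels[1:] == host_labels[1:]):
            return True
    return False


def check_ldaps_endpoint(configured_host: str, san_line: str) -> Dict[str, object]:
    """Report whether the host configured for LDAPS is covered by the server
    certificate's SAN, i.e. whether Java endpoint identification would pass."""
    names = parse_san_dns(san_line)
    ok = hostname_matches(configured_host, names)
    if ok:
        advice = "endpoint identification will pass; no workaround needed"
    else:
        advice = (f"configure Ambari with one of {names} (or have the AD cert "
                  f"reissued to cover {configured_host}); setting {DISABLE_PROPERTY}"
                  "=true is the fallback and skips the hostname check entirely")
    return {"host": configured_host, "san_dns": names, "matches": ok, "advice": advice}


if __name__ == "__main__":
    # Mirrors the report: connecting to the base name while the SAN holds a "-2" name.
    for host in ("ad.example.com", "ad-2.example.com", "ldap.corp.example.com"):
        print(check_ldaps_endpoint(host, SAMPLE_SAN_LINE))
```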
Issue Links
- relates to: AMBARI-24827 LDAP users fail to authenticate using LDAPS due to 'No subject alternative DNS name' exception (Resolved)