Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Version: 2.7.3
Description
LDAP users fail to authenticate using LDAPS due to `No subject alternative DNS name` exception:
2018-10-26 14:49:45,716 WARN [ambari-client-thread-37] AmbariLdapAuthenticationProvider:126 - Failed to communicate with the LDAP server: simple bind failed: ad.example.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: ad.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ad.example.com found.]
This is the other half of the issue from AMBARI-24533 (which was related to the LDAP sync process).
Note: If an LDAP sync is performed before a user attempts to log in, the issue is not seen, because the sync code has already set the system property com.sun.jndi.ldap.object.disableEndpointIdentification to "true". However, the code path that sets this property is not reached during an authentication attempt.
Note: This occurs with OpenJDK 1.8.0.191 and possibly some earlier versions:
openjdk version "1.8.0_191" OpenJDK Runtime Environment (build 1.8.0_191-b12) OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)
This does not occur with Oracle JDK 1.8.0.112:
java version "1.8.0_112" Java(TM) SE Runtime Environment (build 1.8.0_112-b15) Java HotSpot(TM) 64-Bit Server VM (build 25.112-b15, mixed mode)
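As an added example (not code from the Ambari project or the JDK), the following Python models the order of checks the JDK performs during LDAPS endpoint identification, so the failure in the log above can be reproduced offline from a certificate's names: subjectAltName dNSName entries are consulted first, and the subject CN is only a fallback when the certificate carries no DNS SANs. `CertNames`, `check_endpoint_identity` and the sample names are constructed for this example; the wildcard rule is simplified to the common `*.example.com` form.

```python
"""Model of the JDK LDAPS endpoint-identification hostname check.

Added example, not Ambari or JDK code. It follows the check order of the
JDK's HostnameChecker (SAN dNSName entries first, CN only when there are
no DNS SANs) so that both exception messages seen in practice can be
produced from a certificate's names without a live LDAP server.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Only the name fields relevant to endpoint identification.

    san_dns: dNSName entries from subjectAltName; cn: the subject CN.
    Constructed for the example; a real check would read these from the
    X.509 certificate the LDAP server presents on port 636.
    """
    san_dns: List[str] = field(default_factory=list)
    cn: Optional[str] = None


def _labels_match(expected: str, pattern: str) -> bool:
    """Case-insensitive DNS name match allowing a single leftmost '*' label.

    Simplification of the JDK rule: the wildcard may only replace the whole
    leftmost label and must leave at least two labels to its right, so a
    template such as '*.com' never matches.
    """
    exp = expected.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(exp) != len(pat):
        return False
    if pat[0] == "*":
        if len(pat) < 3:
            return False
        return exp[1:] == pat[1:]
    return exp == pat


def check_endpoint_identity(expected_host: str, names: CertNames) -> Optional[str]:
    """Return None when the certificate matches expected_host, otherwise the
    text the JDK puts in its CertificateException for that situation."""
    if names.san_dns:
        for dns in names.san_dns:
            if _labels_match(expected_host, dns):
                return None
        # DNS SANs are present but none match: the CN is NOT consulted.
        return f"No subject alternative DNS name matching {expected_host} found."
    if names.cn is not None and _labels_match(expected_host, names.cn):
        return None
    return f"No name matching {expected_host} found"


def audit(expected_host: str, scenarios: dict) -> dict:
    """Run the check over several constructed certificates and collect
    the outcome per scenario name (None means the handshake would pass)."""
    return {label: check_endpoint_identity(expected_host, names)
            for label, names in scenarios.items()}


if __name__ == "__main__":
    # Constructed scenarios for the hostname from the bug report.
    host = "ad.example.com"
    scenarios = {
        "san-mismatch-cn-ok": CertNames(san_dns=["ldap.example.com"], cn=host),
        "san-ok": CertNames(san_dns=[host]),
        "cn-only-ok": CertNames(cn=host),
        "cn-only-mismatch": CertNames(cn="dc01.example.com"),
        "wildcard-san": CertNames(san_dns=["*.example.com"]),
    }
    for label, outcome in audit(host, scenarios).items():
        print(f"{label:22s} -> {outcome or 'OK'}")
```

The first scenario is the one behind the log line on this ticket: a certificate whose CN is the configured hostname but whose SAN lists a different name still fails, because a CN is ignored once DNS SANs are present. Setting disableEndpointIdentification to "true" turns this check off for every LDAPS connection; the durable fix is a server certificate whose SAN includes the hostname Ambari is configured to contact.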
Issue Links
- is related to: AMBARI-24533 Ambari Server Ldap Sync Failed upon subject alternative DNS name check (Resolved)