You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ambari.apache.org by "Sandor Molnar (JIRA)" <ji...@apache.org> on 2018/08/24 07:12:00 UTC
[jira] [Updated] (AMBARI-24533) Ambari Server Ldap Sync Failed upon
subject alternative DNS name check
[ https://issues.apache.org/jira/browse/AMBARI-24533?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sandor Molnar updated AMBARI-24533:
-----------------------------------
Description:
STR:
1. Install Ambari
2. Get certificate for secure LDAP (LDAPS) connection to your AD server.
3. Generate ambari truststore with LDAPS certificate.
4. Setup Ambari to use LDAPS with providing truststore.
{code:java}
2018-08-20 18:38:04,763 DEBUG com.hw.commonuifrm.impl.commands.CommandExecutorImpl.executeCommand(): Sending command [(echo "admin" ; echo "admin") | ambari-server sync-ldap --users /tmp/users.txt --groups /tmp/groups.txt]
2018-08-20 18:38:05,666 DEBUG com.hw.commonuifrm.impl.commands.ProcessDataImpl.buildOutputAndErrorStreamData(): /usr/lib64/python2.7/getpass.py:83: GetPassWarning: Can not control echo on the terminal.
passwd = fallback_getpass(prompt, stream)
Warning: Password input may be echoed.
Enter Ambari Admin password:
2018-08-20 18:38:07,169 INFO com.hw.ambari.ui.util.cluster_managers.LDAPClusterManager.ambariServerSyncLDAPWithAD(): Result: Using python /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login:
Fetching LDAP configuration from DB.
Syncing specified users and groups...ERROR: Exiting with exit code 1.
REASON: Caught exception running LDAP sync. ***.com:636; nested exception is javax.naming.CommunicationException: ***.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ***.com found.]
2018-08-20 18:38:07,170 INFO com.hw.ambari.ui.tests.console.ldap.TestLDAPSOnAD.test010_AmbariSynchronizeWithADThroughLDAPS(): AMBARI LDAPS synchronization result: Using python /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login:
Fetching LDAP configuration from DB.
Syncing specified users and groups...ERROR: Exiting with exit code 1.
REASON: Caught exception running LDAP sync. ***.com:636; nested exception is javax.naming.CommunicationException: ***.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ***.com found.]{code}
The issue is that the AD server's certificate contains a section:
{noformat}
X509v3 Subject Alternative Name: othername:<unsupported>, DNS:***-2.COM{noformat}
As you can see this is not the same that we use to connect to the AD server (***.com:636). Even if this is a certificate issue the connection could be open and we should be able to sync LDAP users/groups.
*Important note*: it's reproducible only with OpenJDK (I used openjdk-1.8.0.181-3.b13.el7_5.x86_64); working properly with Oracle's JDK.
+*Recommended solution*+
We can disable endpoint identification when the client is negotiating with the server during SSL handshake by setting _com.sun.jndi.ldap.object.disableEndpointIdentification_ to _true_ (see [https://github.com/ojdkbuild/lookaside_java-1.8.0-openjdk/blob/master/jdk/src/share/classes/com/sun/jndi/ldap/Connection.java#L386]). By default this should not be the case but end users may set this up when configuring LDAP if they face this issue.
was:
STR:
1. Install Ambari
2. Get certificate for secure LDAP (LDAPS) connection to your AD server.
3. Generate ambari truststore with LDAPS certificate.
4. Setup Ambari to use LDAPS with providing truststore.
{code:java}
2018-08-20 18:38:04,763 DEBUG com.hw.commonuifrm.impl.commands.CommandExecutorImpl.executeCommand(): Sending command [(echo "admin" ; echo "admin") | ambari-server sync-ldap --users /tmp/users.txt --groups /tmp/groups.txt]
2018-08-20 18:38:05,666 DEBUG com.hw.commonuifrm.impl.commands.ProcessDataImpl.buildOutputAndErrorStreamData(): /usr/lib64/python2.7/getpass.py:83: GetPassWarning: Can not control echo on the terminal.
passwd = fallback_getpass(prompt, stream)
Warning: Password input may be echoed.
Enter Ambari Admin password:
2018-08-20 18:38:07,169 INFO com.hw.ambari.ui.util.cluster_managers.LDAPClusterManager.ambariServerSyncLDAPWithAD(): Result: Using python /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login:
Fetching LDAP configuration from DB.
Syncing specified users and groups...ERROR: Exiting with exit code 1.
REASON: Caught exception running LDAP sync. ***.com:636; nested exception is javax.naming.CommunicationException: ***.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ***.com found.]
2018-08-20 18:38:07,170 INFO com.hw.ambari.ui.tests.console.ldap.TestLDAPSOnAD.test010_AmbariSynchronizeWithADThroughLDAPS(): AMBARI LDAPS synchronization result: Using python /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login:
Fetching LDAP configuration from DB.
Syncing specified users and groups...ERROR: Exiting with exit code 1.
REASON: Caught exception running LDAP sync. ad-nano.qe.hortonworks.com:636; nested exception is javax.naming.CommunicationException: ad-nano.qe.hortonworks.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ***.com found.]{code}
The issue is that the AD server's certificate contains a section:
{noformat}
X509v3 Subject Alternative Name: othername:<unsupported>, DNS:***-2.COM{noformat}
As you can see this is not the same that we use to connect to the AD server (***.com:636). Even if this is a certificate issue the connection could be open and we should be able to sync LDAP users/groups.
*Important note*: it's reproducible only with OpenJDK (I used openjdk-1.8.0.181-3.b13.el7_5.x86_64); working properly with Oracle's JDK.
+*Recommended solution*+
We can disable endpoint identification when the client is negotiating with the server during SSL handshake by setting _com.sun.jndi.ldap.object.disableEndpointIdentification_ to _true_ (see https://github.com/ojdkbuild/lookaside_java-1.8.0-openjdk/blob/master/jdk/src/share/classes/com/sun/jndi/ldap/Connection.java#L386). By default this should not be the case but end users may set this up when configuring LDAP if they face this issue.
> Ambari Server Ldap Sync Failed upon subject alternative DNS name check
> ----------------------------------------------------------------------
>
> Key: AMBARI-24533
> URL: https://issues.apache.org/jira/browse/AMBARI-24533
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.7.1
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Critical
> Fix For: 2.7.2
>
>
> STR:
> 1. Install Ambari
> 2. Get certificate for secure LDAP (LDAPS) connection to your AD server.
> 3. Generate ambari truststore with LDAPS certificate.
> 4. Setup Ambari to use LDAPS with providing truststore.
> {code:java}
> 2018-08-20 18:38:04,763 DEBUG com.hw.commonuifrm.impl.commands.CommandExecutorImpl.executeCommand(): Sending command [(echo "admin" ; echo "admin") | ambari-server sync-ldap --users /tmp/users.txt --groups /tmp/groups.txt]
> 2018-08-20 18:38:05,666 DEBUG com.hw.commonuifrm.impl.commands.ProcessDataImpl.buildOutputAndErrorStreamData(): /usr/lib64/python2.7/getpass.py:83: GetPassWarning: Can not control echo on the terminal.
> passwd = fallback_getpass(prompt, stream)
> Warning: Password input may be echoed.
> Enter Ambari Admin password:
> 2018-08-20 18:38:07,169 INFO com.hw.ambari.ui.util.cluster_managers.LDAPClusterManager.ambariServerSyncLDAPWithAD(): Result: Using python /usr/bin/python
> Syncing with LDAP...
> Enter Ambari Admin login:
> Fetching LDAP configuration from DB.
> Syncing specified users and groups...ERROR: Exiting with exit code 1.
> REASON: Caught exception running LDAP sync. ***.com:636; nested exception is javax.naming.CommunicationException: ***.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ***.com found.]
> 2018-08-20 18:38:07,170 INFO com.hw.ambari.ui.tests.console.ldap.TestLDAPSOnAD.test010_AmbariSynchronizeWithADThroughLDAPS(): AMBARI LDAPS synchronization result: Using python /usr/bin/python
> Syncing with LDAP...
> Enter Ambari Admin login:
> Fetching LDAP configuration from DB.
> Syncing specified users and groups...ERROR: Exiting with exit code 1.
> REASON: Caught exception running LDAP sync. ***.com:636; nested exception is javax.naming.CommunicationException: ***.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ***.com found.]{code}
> The issue is that the AD server's certificate contains a section:
> {noformat}
> X509v3 Subject Alternative Name: othername:<unsupported>, DNS:***-2.COM{noformat}
> As you can see this is not the same that we use to connect to the AD server (***.com:636). Even if this is a certificate issue the connection could be open and we should be able to sync LDAP users/groups.
> *Important note*: it's reproducible only with OpenJDK (I used openjdk-1.8.0.181-3.b13.el7_5.x86_64); working properly with Oracle's JDK.
> +*Recommended solution*+
> We can disable endpoint identification when the client is negotiating with the server during SSL handshake by setting _com.sun.jndi.ldap.object.disableEndpointIdentification_ to _true_ (see [https://github.com/ojdkbuild/lookaside_java-1.8.0-openjdk/blob/master/jdk/src/share/classes/com/sun/jndi/ldap/Connection.java#L386]). By default this should not be the case but end users may set this up when configuring LDAP if they face this issue.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)