You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ambari.apache.org by "Hudson (JIRA)" <ji...@apache.org> on 2018/08/27 18:39:00 UTC

[jira] [Commented] (AMBARI-24533) Ambari Server Ldap Sync Failed upon subject alternative DNS name check

    [ https://issues.apache.org/jira/browse/AMBARI-24533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16594088#comment-16594088 ] 

Hudson commented on AMBARI-24533:
---------------------------------

FAILURE: Integrated in Jenkins build Ambari-trunk-Commit #9894 (See [https://builds.apache.org/job/Ambari-trunk-Commit/9894/])
AMBARI-24533. Let end users disable endpoint identification during SSL (github: [https://gitbox.apache.org/repos/asf?p=ambari.git&a=commit&h=448756230b4679644425af34728a41af6987e4c0])
* (edit) ambari-server/src/main/java/org/apache/ambari/server/configuration/AmbariServerConfigurationKey.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulator.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/ldap/domain/AmbariLdapConfiguration.java
* (edit) ambari-server/src/main/python/ambari-server.py
* (edit) ambari-server/src/main/python/ambari_server/setupSecurity.py
* (edit) ambari-server/src/test/python/TestAmbariServer.py


> Ambari Server Ldap Sync Failed upon subject alternative DNS name check
> ----------------------------------------------------------------------
>
>                 Key: AMBARI-24533
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24533
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.7.1
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Critical
>              Labels: pull-request-available
>             Fix For: 2.7.2
>
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> STR:
>  1. Install Ambari
>  2. Get certificate for secure LDAP (LDAPS) connection to your AD server.
>  3. Generate ambari truststore with LDAPS certificate.
>  4. Setup Ambari to use LDAPS with providing truststore.
> {code:java}
> 2018-08-20 18:38:04,763 DEBUG com.hw.commonuifrm.impl.commands.CommandExecutorImpl.executeCommand(): Sending command [(echo "admin" ; echo "admin") | ambari-server sync-ldap --users /tmp/users.txt --groups /tmp/groups.txt]
> 2018-08-20 18:38:05,666 DEBUG com.hw.commonuifrm.impl.commands.ProcessDataImpl.buildOutputAndErrorStreamData(): /usr/lib64/python2.7/getpass.py:83: GetPassWarning: Can not control echo on the terminal.
>   passwd = fallback_getpass(prompt, stream)
> Warning: Password input may be echoed.
> Enter Ambari Admin password:
> 2018-08-20 18:38:07,169 INFO com.hw.ambari.ui.util.cluster_managers.LDAPClusterManager.ambariServerSyncLDAPWithAD(): Result: Using python  /usr/bin/python
> Syncing with LDAP...
> Enter Ambari Admin login: 
> Fetching LDAP configuration from DB.
> Syncing specified users and groups...ERROR: Exiting with exit code 1. 
> REASON: Caught exception running LDAP sync. ***.com:636; nested exception is javax.naming.CommunicationException: ***.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ***.com found.]
> 2018-08-20 18:38:07,170 INFO com.hw.ambari.ui.tests.console.ldap.TestLDAPSOnAD.test010_AmbariSynchronizeWithADThroughLDAPS(): AMBARI LDAPS synchronization result: Using python  /usr/bin/python
> Syncing with LDAP...
> Enter Ambari Admin login: 
> Fetching LDAP configuration from DB.
> Syncing specified users and groups...ERROR: Exiting with exit code 1. 
> REASON: Caught exception running LDAP sync. ***.com:636; nested exception is javax.naming.CommunicationException: ***.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ***.com found.]{code}
> The issue is that the AD server's certificate contains a section:
> {noformat}
> X509v3 Subject Alternative Name: othername:<unsupported>, DNS:***-2.COM{noformat}
> As you can see this is not the same that we use to connect to the AD server (***.com:636). Even if this is a certificate issue the connection could be open and we should be able to sync LDAP users/groups.
> *Important note*: it's reproducible only with OpenJDK (I used openjdk-1.8.0.181-3.b13.el7_5.x86_64); working properly with Oracle's JDK.
> +*Recommended solution*+
> We can disable endpoint identification when the client is negotiating with the server during SSL handshake by setting _com.sun.jndi.ldap.object.disableEndpointIdentification_ to _true_ (see [https://github.com/ojdkbuild/lookaside_java-1.8.0-openjdk/blob/master/jdk/src/share/classes/com/sun/jndi/ldap/Connection.java#L386]). By default this should not be the case but end users may set this up when configuring LDAP if they face this issue.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)