You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ambari.apache.org by "Sandor Molnar (JIRA)" <ji...@apache.org> on 2018/08/24 07:11:00 UTC

[jira] [Created] (AMBARI-24533) Ambari Server Ldap Sync Failed upon subject alternative DNS name check

Sandor Molnar created AMBARI-24533:
--------------------------------------

             Summary: Ambari Server Ldap Sync Failed upon subject alternative DNS name check
                 Key: AMBARI-24533
                 URL: https://issues.apache.org/jira/browse/AMBARI-24533
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: 2.7.1
            Reporter: Sandor Molnar
            Assignee: Sandor Molnar
             Fix For: 2.7.2


STR:
 1. Install Ambari
 2. Get certificate for secure LDAP (LDAPS) connection to your AD server.
 3. Generate ambari truststore with LDAPS certificate.
 4. Setup Ambari to use LDAPS with providing truststore.
{code:java}
2018-08-20 18:38:04,763 DEBUG com.hw.commonuifrm.impl.commands.CommandExecutorImpl.executeCommand(): Sending command [(echo "admin" ; echo "admin") | ambari-server sync-ldap --users /tmp/users.txt --groups /tmp/groups.txt]


2018-08-20 18:38:05,666 DEBUG com.hw.commonuifrm.impl.commands.ProcessDataImpl.buildOutputAndErrorStreamData(): /usr/lib64/python2.7/getpass.py:83: GetPassWarning: Can not control echo on the terminal.
  passwd = fallback_getpass(prompt, stream)
Warning: Password input may be echoed.
Enter Ambari Admin password:


2018-08-20 18:38:07,169 INFO com.hw.ambari.ui.util.cluster_managers.LDAPClusterManager.ambariServerSyncLDAPWithAD(): Result: Using python  /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: 
Fetching LDAP configuration from DB.
Syncing specified users and groups...ERROR: Exiting with exit code 1. 
REASON: Caught exception running LDAP sync. ***.com:636; nested exception is javax.naming.CommunicationException: ***.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ***.com found.]

2018-08-20 18:38:07,170 INFO com.hw.ambari.ui.tests.console.ldap.TestLDAPSOnAD.test010_AmbariSynchronizeWithADThroughLDAPS(): AMBARI LDAPS synchronization result: Using python  /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: 
Fetching LDAP configuration from DB.
Syncing specified users and groups...ERROR: Exiting with exit code 1. 
REASON: Caught exception running LDAP sync. ad-nano.qe.hortonworks.com:636; nested exception is javax.naming.CommunicationException: ad-nano.qe.hortonworks.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ***.com found.]{code}
The issue is that the AD server's certificate contains a section:
{noformat}
X509v3 Subject Alternative Name: othername:<unsupported>, DNS:***-2.COM{noformat}
As you can see this is not the same that we use to connect to the AD server (***.com:636). Even if this is a certificate issue the connection could be open and we should be able to sync LDAP users/groups.

*Important note*: it's reproducible only with OpenJDK (I used openjdk-1.8.0.181-3.b13.el7_5.x86_64); working properly with Oracle's JDK.

+*Recommended solution*+

We can disable endpoint identification when the client is negotiating with the server during SSL handshake by setting _com.sun.jndi.ldap.object.disableEndpointIdentification_ to _true_ (see https://github.com/ojdkbuild/lookaside_java-1.8.0-openjdk/blob/master/jdk/src/share/classes/com/sun/jndi/ldap/Connection.java#L386). By default this should not be the case but end users may set this up when configuring LDAP if they face this issue.

 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)