Posted to issues-all@impala.apache.org by "Tamas Mate (Jira)" <ji...@apache.org> on 2022/09/20 08:19:00 UTC

[jira] [Commented] (IMPALA-11079) ldapsearch fails with 'Operations error' on AD

    [ https://issues.apache.org/jira/browse/IMPALA-11079?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17606982#comment-17606982 ] 

Tamas Mate commented on IMPALA-11079:
-------------------------------------

I played with this a bit; I suspect that the issue could be related to referral chasing. I tested the referrals with OpenLDAP, which worked as expected and returned the {{Following of referrals not supported, ignoring.}} error.

It is likely that the root cause is not simply the referrals but AD paged queries: this exception was experienced with large directories, and either using the GC port or making the search base smaller resolved the issue. This led me to the [LDAP Paged Queries with subordinate referrals are not chased properly|https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/ldap-paged-queries-subordinate-referrals-not-chased] article, which explains the issue in more detail.

I need some further testing with the suggested workarounds in this article, although we might not be able to resolve the issue completely without implementing referral chasing in Impala. It is possible that we could get a more detailed error by setting {{LDAP_OPT_REFERRALS}} to false; this would make troubleshooting and applying workarounds easier.

> ldapsearch fails with 'Operations error' on AD
> ----------------------------------------------
>
>                 Key: IMPALA-11079
>                 URL: https://issues.apache.org/jira/browse/IMPALA-11079
>             Project: IMPALA
>          Issue Type: Bug
>            Reporter: Tamas Mate
>            Assignee: Tamas Mate
>            Priority: Major
>
> Possibly due to slow ldapsearch execution with Active Directory, the request fails with {{Operations error}}.
> *Exception:*
> {code:none}
> I0119 19:47:54.844750   613 ldap-search-bind.cc:101] Trying LDAP user search for: <REDACTED>
> W0119 19:47:54.937628   613 ldap-util.cc:196] LDAP search failed with base DN=<REDACTED> and filter=<REDACTED> : Operations error
> W0119 19:47:54.937925   613 ldap-search-bind.cc:106] LDAP search failed with base DN=<REDACTED> and filter:<REDACTED>. 0 entries have been found, expected a unique result.
> E0119 19:47:54.938019   613 authentication.cc:231] SASL message (LDAP): Password verification failed
> {code}
> *Workaround:*
> Generally, using the AD GC port resolves the issue; these are 3268 (LDAP) and 3269 (LDAPS).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
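
Added example (not part of the original message and not Impala code): a log triage sketch that separates "Password verification failed" entries preceded by an LDAP search error on the same thread, as in the excerpt above, from failures with no directory-side error. The function and field names are hypothetical, the sample lines are constructed from the excerpt's format, and it assumes all lines of one login attempt share a glog thread id.

```python
import re
from collections import namedtuple

# glog prefix: severity, MMDD, time, thread id, source file:line] message
GLOG = re.compile(
    r"^(?P<sev>[IWEF])(?P<date>\d{4}) (?P<time>[\d:.]+)\s+(?P<tid>\d+) "
    r"(?P<src>[\w.-]+):(?P<line>\d+)\] (?P<msg>.*)$")
# ldap-util style line: the LDAP result text follows the final " : "
SEARCH_ERR = re.compile(r"LDAP search failed with .* : (?P<err>.+)$")
AUTH_FAIL = "Password verification failed"

Finding = namedtuple("Finding", "time tid cause ldap_error")

# Constructed sample: thread 613 mirrors the excerpt, thread 700 is invented.
SAMPLE = [
    "I0119 19:47:54.844750   613 ldap-search-bind.cc:101] Trying LDAP user search for: <REDACTED>",
    "W0119 19:47:54.937628   613 ldap-util.cc:196] LDAP search failed with base DN=<REDACTED> and filter=<REDACTED> : Operations error",
    "W0119 19:47:54.937925   613 ldap-search-bind.cc:106] LDAP search failed with base DN=<REDACTED> and filter:<REDACTED>. 0 entries have been found, expected a unique result.",
    "E0119 19:47:54.938019   613 authentication.cc:231] SASL message (LDAP): Password verification failed",
    "I0119 19:48:10.100000   700 ldap-search-bind.cc:101] Trying LDAP user search for: <REDACTED>",
    "E0119 19:48:10.200000   700 authentication.cc:231] SASL message (LDAP): Password verification failed",
]

def classify_auth_failures(lines):
    """Label each auth failure by whether an LDAP search error preceded it."""
    pending = {}   # thread id -> LDAP result text of the last failed search
    findings = []
    for raw in lines:
        m = GLOG.match(raw.strip())
        if not m:
            continue  # not a glog line (stack trace, wrapped text, ...)
        tid, msg = m["tid"], m["msg"]
        if "Trying LDAP user search" in msg:
            pending.pop(tid, None)  # new attempt: forget older errors
        elif (err := SEARCH_ERR.search(msg)):
            pending[tid] = err["err"]
        elif AUTH_FAIL in msg:
            ldap_error = pending.pop(tid, None)
            cause = "directory_error" if ldap_error else "no_search_error"
            findings.append(Finding(m["time"], tid, cause, ldap_error))
    return findings

if __name__ == "__main__":
    for f in classify_auth_failures(SAMPLE):
        print(f)
```

Failures labelled `directory_error` point at the search itself (for example the referral and paged-query behaviour discussed above) rather than at the user's password, so they should not be counted as bad-credential attempts in lockout or brute-force alerting.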
