Posted to issues@ambari.apache.org by "Hudson (JIRA)" <ji...@apache.org> on 2018/10/26 20:44:00 UTC

[jira] [Commented] (AMBARI-24827) LDAP users fail to authenticate using LDAPS due to 'No subject alternative DNS name' exception

    [ https://issues.apache.org/jira/browse/AMBARI-24827?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16665654#comment-16665654 ] 

Hudson commented on AMBARI-24827:
---------------------------------

FAILURE: Integrated in Jenkins build Ambari-trunk-Commit #10253 (See [https://builds.apache.org/job/Ambari-trunk-Commit/10253/])
[AMBARI-24827] LDAP users fail to authenticate using LDAPS due to 'No (rlevas: [https://gitbox.apache.org/repos/asf?p=ambari.git&a=commit&h=2f81272700b241a430ceb226dab4209c66a8dae7])
* (edit) ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog270.java
* (edit) ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java


> LDAP users fail to authenticate using LDAPS due to 'No subject alternative DNS name' exception
> ----------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-24827
>                 URL: https://issues.apache.org/jira/browse/AMBARI-24827
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.7.3
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.7.3
>
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> LDAP users fail to authenticate using LDAPS due to `No subject alternative DNS name` exception:
> {noformat}
> 2018-10-26 14:49:45,716  WARN [ambari-client-thread-37] AmbariLdapAuthenticationProvider:126 - Failed to communicate with the LDAP server: simple bind failed: ad.example.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: ad.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ad.example.com found.]
> {noformat}
> This is the other half of the issue from AMBARI-24533 (which was related to the LDAP sync process).
> Note: If LDAP sync is performed before a user attempts to log in, then the issue will not be seen since the system property, {{com.sun.jndi.ldap.object.disableEndpointIdentification}}, would have already been set to "true". However, the logic path setting this value is not reached for an authentication attempt.
> Note: This occurs with OpenJDK 1.8.0.191 and maybe some earlier versions.
> {noformat}
> openjdk version "1.8.0_191"
> OpenJDK Runtime Environment (build 1.8.0_191-b12)
> OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)
> {noformat}
> This does not occur with Oracle JDK 1.8.0.112.
> {noformat}
> java version "1.8.0_112"
> Java(TM) SE Runtime Environment (build 1.8.0_112-b15)
> Java HotSpot(TM) 64-Bit Server VM (build 25.112-b15, mixed mode)
> {noformat}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
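
An added diagnostic example, not part of the original message and not Ambari or JDK code: it compares a host name against a certificate's dNSName subject alternative names, the check that fails in the log above, and reports whether the `com.sun.jndi.ldap.object.disableEndpointIdentification` opt-out is set in the running JVM. The class name, method names and sample SAN list are constructed for illustration, and the wildcard rule is a simplification.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

// Added diagnostic sketch; not Ambari or JDK code. All names here are hypothetical.
public class LdapsSanCheck {
    private static final int SAN_DNS_NAME = 2; // GeneralName tag for dNSName (RFC 5280)

    // sans has the shape returned by X509Certificate.getSubjectAlternativeNames():
    // each entry is [Integer type, value]; null means the certificate has no SAN extension.
    static boolean matchesDnsSan(String host, Collection<List<?>> sans) {
        if (sans == null) return false;
        String h = host.toLowerCase(Locale.ROOT);
        for (List<?> entry : sans) {
            if (((Integer) entry.get(0)) != SAN_DNS_NAME) continue; // skip IP, URI, etc.
            String pattern = ((String) entry.get(1)).toLowerCase(Locale.ROOT);
            if (pattern.equals(h)) return true;
            // Simplified wildcard rule: "*." stands for exactly one leftmost label.
            if (pattern.startsWith("*.")) {
                int dot = h.indexOf('.');
                if (dot > 0 && h.substring(dot).equals(pattern.substring(1))) return true;
            }
        }
        return false;
    }

    // System properties are JVM-wide, so once any code path sets this to "true",
    // every later LDAPS connection in the process skips the host name check.
    static boolean endpointIdentificationDisabled() {
        return Boolean.parseBoolean(
            System.getProperty("com.sun.jndi.ldap.object.disableEndpointIdentification"));
    }

    public static void main(String[] args) {
        // Constructed sample: a certificate issued for internal names only.
        Collection<List<?>> sans = Arrays.<List<?>>asList(
            Arrays.asList(2, "dc01.corp.example.com"),
            Arrays.asList(2, "*.corp.example.com"),
            Arrays.asList(7, "192.0.2.10"));
        for (String host : new String[] {
                "ad.example.com", "dc01.corp.example.com", "ldap.corp.example.com"}) {
            System.out.println(host + " -> "
                + (matchesDnsSan(host, sans) ? "matches a dNSName SAN" : "no dNSName SAN match"));
        }
        System.out.println("endpoint identification disabled: " + endpointIdentificationDisabled());
    }
}
```

With the constructed SAN list, `ad.example.com` is the only host reported as unmatched; reissuing the server certificate with a dNSName entry for the name clients connect to resolves the mismatch without turning host name checking off.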