ranger-dev mailing list archives

From "Hari Sekhon (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (RANGER-217) Add LDAPS support / fix incorrectly returning Bad Credentials for connection problem
Date Tue, 13 Jan 2015 16:09:34 GMT

     [ https://issues.apache.org/jira/browse/RANGER-217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hari Sekhon updated RANGER-217:
-------------------------------
    Description: 
When configuring ranger-admin to use LDAPS it seems to not be supported or breaks with incorrect
error.

In install.properties
{code}xa_ldap_url="ldaps://host.domain.com:636"{code}
While attempting to log in to ranger admin web ui, /var/log/ranger/admin/xa_portal.log shows:
{code}
2015-01-13 15:54:34,522 [http-bio-6080-exec-3] INFO  com.xasecure.security.listener.SpringEventListener (SpringEventListener.java:87) - Login Unsuccessful:hari | Ip Address:x.x.x.x | Bad Credentials
{code}
I can understand if this is because my LDAPS server uses a self-signed cert and I need
to supply a trusted CA cert but I can't see any setting for that or find any documentation
around Apache Ranger LDAPS. (I use this LDAPS server with trusted CA cert elsewhere so I know
it works)

That Bad Credentials error is clearly wrong because redeploying ranger-admin using straight
LDAP allows login to succeed with the same password:
{code}xa_ldap_url="ldap://host.domain.com:389"{code}
However, it is insecure to only work with plain LDAP.

Required fixes:

1. Add LDAPS support + document
2. Fix error message to be accurate to the problem

Regards,

Hari Sekhon
http://www.linkedin.com/in/harisekhon

  was:
When configuring ranger-admin to use LDAPS it seems to not be supported or breaks with incorrect
error.

In install.properties
{code}xa_ldap_url="ldaps://host.domain.com:636"{code}
While attempting to log in to ranger admin web ui, /var/log/ranger/admin/xa_portal.log shows:
{code}
2015-01-13 15:54:34,522 [http-bio-6080-exec-3] INFO  com.xasecure.security.listener.SpringEventListener (SpringEventListener.java:87) - Login Unsuccessful:hari | Ip Address:x.x.x.x | Bad Credentials
{code}
I can understand if this is because my LDAPS server uses a self-signed cert and I need
to supply a trusted CA cert but I can't see any setting for that or find any documentation
around Apache Ranger LDAPS. (I use this LDAPS server with trusted CA cert elsewhere so I know
it works)

That Bad Credentials error is clearly wrong because redeploying ranger-admin using straight
LDAP allows login to succeed with the same password:
{code}xa_ldap_url="ldap://host.domain.com:389"{code}
This is both insecure to only work with plain LDAP and also the error message is wrong since
it was the exact same password used on the Ranger Admin web UI in both cases.

Regards,

Hari Sekhon
http://www.linkedin.com/in/harisekhon


> Add LDAPS support / fix incorrectly returning Bad Credentials for connection problem
> ------------------------------------------------------------------------------------
>
>                 Key: RANGER-217
>                 URL: https://issues.apache.org/jira/browse/RANGER-217
>             Project: Ranger
>          Issue Type: Bug
>    Affects Versions: 0.4.0
>         Environment: HDP 2.2
>            Reporter: Hari Sekhon
>
> When configuring ranger-admin to use LDAPS it seems to not be supported or breaks with
> incorrect error.
> In install.properties
> {code}xa_ldap_url="ldaps://host.domain.com:636"{code}
> While attempting to log in to ranger admin web ui, /var/log/ranger/admin/xa_portal.log shows:
> {code}
> 2015-01-13 15:54:34,522 [http-bio-6080-exec-3] INFO  com.xasecure.security.listener.SpringEventListener (SpringEventListener.java:87) - Login Unsuccessful:hari | Ip Address:x.x.x.x | Bad Credentials
> {code}
> I can understand if this is because my LDAPS server uses a self-signed cert and
> I need to supply a trusted CA cert but I can't see any setting for that or find any documentation
> around Apache Ranger LDAPS. (I use this LDAPS server with trusted CA cert elsewhere so I know
> it works)
> That Bad Credentials error is clearly wrong because redeploying ranger-admin using straight
> LDAP allows login to succeed with the same password:
> {code}xa_ldap_url="ldap://host.domain.com:389"{code}
> However, it is insecure to only work with plain LDAP.
> Required fixes:
> 1. Add LDAPS support + document
> 2. Fix error message to be accurate to the problem
> Regards,
> Hari Sekhon
> http://www.linkedin.com/in/harisekhon



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
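
Required fix 2 in the report above, sketched as an added example (not Ranger's code and not from the reporter): classifying a JNDI bind failure so that a TLS or connection problem is not logged as Bad Credentials. It assumes the login path can see the underlying JNDI NamingException; the class and enum names are hypothetical and the exceptions are constructed to run offline.

```java
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.NamingException;
import javax.net.ssl.SSLHandshakeException;
import java.net.ConnectException;

// Added example, not Ranger code: classify a JNDI LDAP bind failure by walking
// its cause chain, so transport/TLS problems are not reported as "Bad Credentials".
public class LdapFailureClassifier {

    enum Reason { BAD_CREDENTIALS, TLS_TRUST_FAILURE, SERVER_UNREACHABLE, OTHER_LDAP_ERROR }

    static Reason classify(NamingException e) {
        // LDAP result code 49 (invalidCredentials) surfaces as AuthenticationException.
        if (e instanceof AuthenticationException) {
            return Reason.BAD_CREDENTIALS;
        }
        // NamingException.getCause() returns the root cause set by the LDAP provider.
        for (Throwable t = e.getCause(); t != null; t = t.getCause()) {
            if (t instanceof SSLHandshakeException) {
                return Reason.TLS_TRUST_FAILURE;   // e.g. server cert not in the JVM truststore
            }
            if (t instanceof ConnectException) {
                return Reason.SERVER_UNREACHABLE;  // wrong host/port, firewall, server down
            }
        }
        // A CommunicationException without a recognised cause is still a transport problem.
        return e instanceof CommunicationException ? Reason.SERVER_UNREACHABLE : Reason.OTHER_LDAP_ERROR;
    }

    public static void main(String[] args) {
        // Constructed exceptions standing in for what a bind attempt could throw.
        NamingException tls = new CommunicationException("simple bind failed: host.domain.com:636");
        tls.setRootCause(new SSLHandshakeException("PKIX path building failed"));

        NamingException down = new CommunicationException("host.domain.com:636");
        down.setRootCause(new ConnectException("Connection refused"));

        NamingException badPw = new AuthenticationException("[LDAP: error code 49 - Invalid Credentials]");

        System.out.println("untrusted cert   -> " + classify(tls));
        System.out.println("server down      -> " + classify(down));
        System.out.println("wrong password   -> " + classify(badPw));
    }
}
```

Logging the classified reason alongside the login failure lets an operator tell a truststore problem from a mistyped password without redeploying against plain LDAP.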
