[ https://issues.apache.org/jira/browse/RANGER-217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Hari Sekhon updated RANGER-217:
-------------------------------
Description:
When configuring ranger-admin to use LDAPS it seems to not be supported or breaks with incorrect
error.
In install.properties
{code}xa_ldap_url="ldaps://host.domain.com:636"{code}
While attempting to log in to ranger admin web ui, /var/log/ranger/admin/xa_portal.log shows:
{code}2015-01-13 15:54:34,522 [http-bio-6080-exec-3] INFO com.xasecure.security.listener.SpringEventListener
(SpringEventListener.java:87) - Login Unsuccessful:hari | Ip Address:x.x.x.x | Bad Credentials
{code} I could understand if this is because my LDAPS server uses a self-signed cert and I
need to supply a trusted CA cert but I can't see any setting for that or find any documentation
around Apache Ranger LDAPS. (I use this LDAPS server with trusted CA cert elsewhere so I know
it works)
That Bad Credentials error is clearly wrong because redeploying ranger-admin using straight
LDAP allows login to succeed with the same password:
{code}xa_ldap_url="ldap://host.domain.com:389"{code}
However it's insecure to only work with plain LDAP.
Required fixes:
1. Add LDAPS support + document
2. Fix error message to be accurate to the problem
Regards,
Hari Sekhon
http://www.linkedin.com/in/harisekhon
was:
When configuring ranger-admin to use LDAPS it seems to not be supported or breaks with incorrect
error.
In install.properties
{code}xa_ldap_url="ldaps://host.domain.com:636"{code}
While attempting to log in to ranger admin web ui, /var/log/ranger/admin/xa_portal.log shows:
{code}2015-01-13 15:54:34,522 [http-bio-6080-exec-3] INFO com.xasecure.security.listener.SpringEventListener
(SpringEventListener.java:87) - Login Unsuccessful:hari | Ip Address:x.x.x.x | Bad Credentials
{code} I could understand if this is because my LDAPS server uses a self-signed cert and I
need to supply a trusted CA cert but I can't see any setting for that or find any documentation
around Apache Ranger LDAPS. (I use this LDAPS server with trusted CA cert elsewhere so I know
it works)
That Bad Credentials error is clearly wrong because redeploying ranger-admin using straight
LDAP allows login to succeed with the same password:
{code}xa_ldap_url="ldap://host.domain.com:389"{code}
However this is both insecure to only work with plain LDAP.
Required fixes:
1. Add LDAPS support + document
2. Fix error message to be accurate to the problem
Regards,
Hari Sekhon
http://www.linkedin.com/in/harisekhon
> Add LDAPS support / fix incorrectly returning Bad Credentials for connection problem
> ------------------------------------------------------------------------------------
>
> Key: RANGER-217
> URL: https://issues.apache.org/jira/browse/RANGER-217
> Project: Ranger
> Issue Type: Bug
> Affects Versions: 0.4.0
> Environment: HDP 2.2
> Reporter: Hari Sekhon
>
> When configuring ranger-admin to use LDAPS it seems to not be supported or breaks with
incorrect error.
> In install.properties
> {code}xa_ldap_url="ldaps://host.domain.com:636"{code}
> While attempting to log in to ranger admin web ui, /var/log/ranger/admin/xa_portal.log
shows: {code}2015-01-13 15:54:34,522 [http-bio-6080-exec-3] INFO com.xasecure.security.listener.SpringEventListener
(SpringEventListener.java:87) - Login Unsuccessful:hari | Ip Address:x.x.x.x | Bad Credentials
> {code} I could understand if this is because my LDAPS server uses a self-signed cert
and I need to supply a trusted CA cert but I can't see any setting for that or find any documentation
around Apache Ranger LDAPS. (I use this LDAPS server with trusted CA cert elsewhere so I know
it works)
> That Bad Credentials error is clearly wrong because redeploying ranger-admin using straight
LDAP allows login to succeed with the same password:
> {code}xa_ldap_url="ldap://host.domain.com:389"{code}
> However it's insecure to only work with plain LDAP.
> Required fixes:
> 1. Add LDAPS support + document
> 2. Fix error message to be accurate to the problem
> Regards,
> Hari Sekhon
> http://www.linkedin.com/in/harisekhon
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
|