[
https://issues.apache.org/jira/browse/RANGER-217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Hari Sekhon updated RANGER-217:
-------------------------------
Description:
When configuring ranger-admin to use LDAPS it seems to not be supported or
breaks with incorrect error.
In install.properties
{code}xa_ldap_url="ldaps://host.domain.com:636"{code}
While attempting to log in to ranger admin web ui,
/var/log/ranger/admin/xa_portal.log shows: {code}2015-01-13 15:54:34,522
[http-bio-6080-exec-3] INFO com.xasecure.security.listener.SpringEventListener
(SpringEventListener.java:87) - Login Unsuccessful:hari | Ip Address:x.x.x.x |
Bad Credentials
{code} I can understand if this is because my LDAPS server uses a self-signed
cert and I need to supply a trusted CA cert but I can't see any setting for
that or find any documentation around Apache Ranger LDAPS. (I use this LDAPS
server with trusted CA cert elsewhere so I know it works)
That Bad Credentials error is clearly wrong because redeploying ranger-admin
using straight LDAP allows login to succeed with the same password:
{code}xa_ldap_url="ldap://host.domain.com:389"{code}
However this is both insecure to only work with plain LDAP.
Required fixes:
1. Add LDAPS support + document
2. Fix error message to be accurate to the problem
Regards,
Hari Sekhon
http://www.linkedin.com/in/harisekhon
was:
When configuring ranger-admin to use LDAPS it seems to not be supported or
breaks with incorrect error.
In install.properties
{code}xa_ldap_url="ldaps://host.domain.com:636"{code}
While attempting to log in to ranger admin web ui,
/var/log/ranger/admin/xa_portal.log shows: {code}2015-01-13 15:54:34,522
[http-bio-6080-exec-3] INFO com.xasecure.security.listener.SpringEventListener
(SpringEventListener.java:87) - Login Unsuccessful:hari | Ip Address:x.x.x.x |
Bad Credentials
{code} I can understand if this is because my LDAPS server uses a self-signed
cert and I need to supply a trusted CA cert but I can't see any setting for
that or find any documentation around Apache Ranger LDAPS. (I use this LDAPS
server with trusted CA cert elsewhere so I know it works)
That Bad Credentials error is clearly wrong because redeploying ranger-admin
using straight LDAP allows login to succeed with the same password:
{code}xa_ldap_url="ldap://host.domain.com:389"{code}
This is both insecure to only work with plain LDAP and also the error message
is wrong since it was the exact same password used on the Ranger Admin web UI
in both cases.
Regards,
Hari Sekhon
http://www.linkedin.com/in/harisekhon
> Add LDAPS support / fix incorrectly returning Bad Credentials for connection
> problem
> ------------------------------------------------------------------------------------
>
> Key: RANGER-217
> URL: https://issues.apache.org/jira/browse/RANGER-217
> Project: Ranger
> Issue Type: Bug
> Affects Versions: 0.4.0
> Environment: HDP 2.2
> Reporter: Hari Sekhon
>
> When configuring ranger-admin to use LDAPS it seems to not be supported or
> breaks with incorrect error.
> In install.properties
> {code}xa_ldap_url="ldaps://host.domain.com:636"{code}
> While attempting to log in to ranger admin web ui,
> /var/log/ranger/admin/xa_portal.log shows: {code}2015-01-13 15:54:34,522
> [http-bio-6080-exec-3] INFO
> com.xasecure.security.listener.SpringEventListener
> (SpringEventListener.java:87) - Login Unsuccessful:hari | Ip Address:x.x.x.x
> | Bad Credentials
> {code} I can understand if this is because my LDAPS server uses a self-signed
> cert and I need to supply a trusted CA cert but I can't see any setting for
> that or find any documentation around Apache Ranger LDAPS. (I use this LDAPS
> server with trusted CA cert elsewhere so I know it works)
> That Bad Credentials error is clearly wrong because redeploying ranger-admin
> using straight LDAP allows login to succeed with the same password:
> {code}xa_ldap_url="ldap://host.domain.com:389"{code}
> However this is both insecure to only work with plain LDAP.
> Required fixes:
> 1. Add LDAPS support + document
> 2. Fix error message to be accurate to the problem
> Regards,
> Hari Sekhon
> http://www.linkedin.com/in/harisekhon
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
