[
https://issues.apache.org/jira/browse/IMPALA-11079?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17606982#comment-17606982
]
Tamas Mate commented on IMPALA-11079:
-------------------------------------
I played with this a bit and suspect that the issue could be related to referral
chasing. I tested the referrals with OpenLDAP, which worked as expected and
returned the {{Following of referrals not supported, ignoring.}} error.
It is likely that the root cause is not simply the referrals but AD paged
queries; this exception was experienced with large directories, and either using
the GC port or making the search base smaller resolved the issue. This led me
to the [LDAP Paged Queries with subordinate referrals are not chased
properly|https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/ldap-paged-queries-subordinate-referrals-not-chased]
article, which explains the issue in more detail.
I need some further testing with the suggested workarounds in this article,
although we might not be able to resolve the issue completely without
implementing referral chasing in Impala. It is possible that we could get a more
detailed error by setting {{LDAP_OPT_REFERRALS}} to false; this would make
troubleshooting and applying workarounds easier.
> ldapsearch fails with 'Operations error' on AD
> ----------------------------------------------
>
> Key: IMPALA-11079
> URL: https://issues.apache.org/jira/browse/IMPALA-11079
> Project: IMPALA
> Issue Type: Bug
> Reporter: Tamas Mate
> Assignee: Tamas Mate
> Priority: Major
>
> Possibly due to slow ldapsearch execution with Active Directory the request
> fails with {{Operations error}}.
> *Exception:*
> {code:none}
> I0119 19:47:54.844750 613 ldap-search-bind.cc:101] Trying LDAP user search
> for: <REDACTED>
> W0119 19:47:54.937628 613 ldap-util.cc:196] LDAP search failed with base
> DN=<REDACTED> and filter=<REDACTED> : Operations error
> W0119 19:47:54.937925 613 ldap-search-bind.cc:106] LDAP search failed with
> base DN=<REDACTED> and filter:<REDACTED>. 0 entries have been found, expected
> a unique result.
> E0119 19:47:54.938019 613 authentication.cc:231] SASL message (LDAP):
> Password verification failed
> {code}
> *Workaround:*
> Generally, using the AD GC port resolves the issue; these are 3268 (LDAP) and
> 3269 (LDAPS).
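In the log excerpt quoted above, the final {{Password verification failed}} entry follows a directory-side {{Operations error}} on the same thread, so it is not evidence of a wrong password. The following is an added triage example, not part of the Jira thread or of Impala's code: it correlates glog lines by thread id to separate the two cases. The regular expressions and cause labels are assumptions derived from the excerpt, and the thread 700 lines are constructed for contrast.

```python
import re
from collections import defaultdict

# Lines for thread 613 mirror the excerpt in the issue (unwrapped, still redacted).
# Lines for thread 700 are constructed to show a failure with no directory error.
SAMPLE_LOG = """\
I0119 19:47:54.844750 613 ldap-search-bind.cc:101] Trying LDAP user search for: <REDACTED>
W0119 19:47:54.937628 613 ldap-util.cc:196] LDAP search failed with base DN=<REDACTED> and filter=<REDACTED> : Operations error
W0119 19:47:54.937925 613 ldap-search-bind.cc:106] LDAP search failed with base DN=<REDACTED> and filter:<REDACTED>. 0 entries have been found, expected a unique result.
E0119 19:47:54.938019 613 authentication.cc:231] SASL message (LDAP): Password verification failed
I0119 19:48:10.100000 700 ldap-search-bind.cc:101] Trying LDAP user search for: <REDACTED>
E0119 19:48:10.150000 700 authentication.cc:231] SASL message (LDAP): Password verification failed
"""

# glog prefix: level, MMDD, time, thread id, source file, source line, message.
GLOG_RE = re.compile(
    r"^([IWEF])(\d{4}) (\d{2}:\d{2}:\d{2}\.\d{6})\s+(\d+) ([^\s:]+):(\d+)\] (.*)$")
# Assumed shape of the ldap-util.cc message: the LDAP result text follows " : ".
SEARCH_ERR_RE = re.compile(r"LDAP search failed with base DN=.* : (?P<err>.+)$")


def classify_failures(log_text):
    """Label each 'Password verification failed' line by its likely cause."""
    pending = defaultdict(list)  # thread id -> LDAP errors in the current attempt
    results = []
    for line in log_text.splitlines():
        m = GLOG_RE.match(line)
        if not m:
            continue  # wrapped continuation or non-glog line
        _level, _date, ts, tid, _src, _lineno, msg = m.groups()
        if msg.startswith("Trying LDAP user search"):
            pending[tid] = []  # a new attempt starts on this thread
        err = SEARCH_ERR_RE.search(msg)
        if err:
            pending[tid].append(err.group("err"))
        if "Password verification failed" in msg:
            errors = pending.pop(tid, [])
            cause = "directory_error" if errors else "credential_or_unknown"
            results.append({"time": ts, "thread": tid,
                            "cause": cause, "ldap_errors": errors})
    return results


if __name__ == "__main__":
    for row in classify_failures(SAMPLE_LOG):
        print(row)
```

Failures labelled {{directory_error}} are candidates for the GC port or search base workarounds from the issue and can be excluded from bad-password counting.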