Robert Levas created AMBARI-24827:
-------------------------------------
Summary: LDAP users fail to authenticate using LDAPS due to `No
subject alternative DNS name` exception
Key: AMBARI-24827
URL: https://issues.apache.org/jira/browse/AMBARI-24827
Project: Ambari
Issue Type: Bug
Components: ambari-server
Affects Versions: 2.6.2
Reporter: Robert Levas
Assignee: Robert Levas
Fix For: 2.7.3
LDAP users fail to authenticate using LDAPS due to `No subject alternative DNS
name` exception:
{noformat}
25 Oct 2018 18:42:49,817 WARN [ambari-client-thread-37]
AmbariLdapAuthenticationProvider:84 - Failed to communicate with the LDAP
server: simple bind failed: ad.example.com:636; nested exception is
javax.naming.CommunicationException: simple bind failed: ad.example.com:636
[Root exception is javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: No subject alternative DNS name
matching ad.example.com found.]
{noformat}
This is the other half of the issue from AMBARI-24533 (which was related to the
LDAP sync process).
Note: If LDAP sync is performed before a user attempts to log in, then the
issue will not be seen since the system property,
{{com.sun.jndi.ldap.object.disableEndpointIdentification}}, would have already
been set to "true". However, the logic path setting this value is not reached
for an authentication attempt.
Note: This occurs with OpenJDK 1.8.0.191 and maybe some earlier versions.
{noformat}
openjdk version "1.8.0_191"
OpenJDK Runtime Environment (build 1.8.0_191-b12)
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)
{noformat}
This does not occur with Oracle JDK 1.8.0.112:
{noformat}
java version "1.8.0_112"
Java(TM) SE Runtime Environment (build 1.8.0_112-b15)
Java HotSpot(TM) 64-Bit Server VM (build 25.112-b15, mixed mode)
{noformat}
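A diagnostic for the failure in the log above, as an added example that is not part of the original report or of Ambari's code: it classifies why a certificate does or does not match the host the client dialed, following the RFC 6125 rule that DNS subject alternative names take precedence over the subject CN. The certificate dictionaries are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the function names are hypothetical.

```python
# Added example: explain a hostname-verification result from the names a
# certificate carries. Input uses the dict shape of ssl.SSLSocket.getpeercert().

def _name_match(pattern: str, host: str) -> bool:
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def diagnose(cert: dict, host: str) -> str:
    """Return 'ok', 'san-mismatch', 'cn-only-match' or 'no-match' for host."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        # DNS SAN entries, when present, are authoritative (RFC 6125);
        # the subject CN is not consulted at all.
        matched = any(_name_match(n, host) for n in dns_names)
        return "ok" if matched else "san-mismatch"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return "cn-only-match" if any(_name_match(c, host) for c in cns) else "no-match"

# Constructed sample certificates (not taken from the report).
SAMPLES = {
    "san-other-name": {
        "subject": ((("commonName", "ad.example.com"),),),
        "subjectAltName": (("DNS", "dc01.corp.example.com"),),
    },
    "san-has-host": {
        "subject": ((("commonName", "dc01.corp.example.com"),),),
        "subjectAltName": (("DNS", "dc01.corp.example.com"), ("DNS", "ad.example.com")),
    },
    "san-wildcard": {
        "subject": ((("commonName", "example.com"),),),
        "subjectAltName": (("DNS", "*.example.com"),),
    },
    "cn-only": {"subject": ((("commonName", "ad.example.com"),),)},
}

if __name__ == "__main__":
    for label, cert in SAMPLES.items():
        print(f"{label:16} -> {diagnose(cert, 'ad.example.com')}")
```

A `san-mismatch` result corresponds to the situation the exception message describes: the certificate lists DNS names, but none of them is the host name used in the LDAPS URL.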