Hi Preeti:

Have you read this blog? https://kylin.apache.org/docs/howto/howto_ldap_and_sso.html

It mentions a configuration item called 'kylin.security.ldap.connection-truststore'. When you use the customized CA certificate library for user authentication based on LDAPS, you need to configure 'kylin.security.ldap.connection-truststore'; the value of this configuration will be added to the JVM parameter javax.net.ssl.trustStore. And here is the relevant JIRA issue: https://issues.apache.org/jira/browse/KYLIN-4271.

I hope this information can help you.

> On May 21, 2020, at 08:44, Preeti Vipin <[email protected]> wrote:
>
> Hi
>
> I am trying to enable LDAP on Kylin 2.6.4 and am running into issues and would appreciate any help on how to solve this. My organization requires to use secure LDAP so I am using the url like this ldaps://<fully qualified domain name>:636. All machines connected to the corporate network have the necessary client certificates installed on it for ldaps. I get the error listed at the end of the email (I have obfuscated personal values). Do I need to do any set up for certificates on the Kylin machines?
>
> Also below are the fields that are available in the config which I have enabled. Am I missing anything?
>
> #### SECURITY ###
> #
> ## Spring security profile, options: testing, ldap, saml
> ## with "testing" profile, user can use pre-defined name/pwd like KYLIN/ADMIN to login
> kylin.security.profile=ldap
> #
> ## Admin roles in LDAP, for ldap and saml
> #kylin.security.acl.admin-role=admin
> #
> ## LDAP authentication configuration
> kylin.security.ldap.connection-server=ldaps://xx.yy.zz.com:636
> [email protected]
> kylin.security.ldap.connection-password=bbb
> #
> ## LDAP user account directory;
> kylin.security.ldap.user-search-base=DC=xx,DC=yy,DC=zz,DC=com
> kylin.security.ldap.user-search-pattern=(&(cn={0})(memberOf=DC=xx,DC=yy,DC=zz,DC=com))
>
>
> ERROR
>
> 2020-05-15 22:18:11,846 INFO [http-bio-7070-exec-4] common.KylinConfig:334 : Use KYLIN_HOME=/usr/bing-kylin/kylin
> 2020-05-15 22:18:25,732 ERROR [http-bio-7070-exec-4] security.KylinAuthenticationProvider:123 : Failed to auth user: xxxx
> org.springframework.security.authentication.InternalAuthenticationServiceException: simple bind failed: xxx:636; nested exception is javax.naming.CommunicationException: simple bind failed: xxx:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>     at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)
>     at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
>     at org.apache.kylin.rest.security.KylinAuthenticationProvider.authenticate(KylinAuthenticationProvider.java:94)
>     at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
>     at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)
>     at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:180)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>     at org.springframework.security.web.FilterChainProxy$VirtualF
>
>
> Thanks
> Preeti
