Thank you Yaqian for the prompt response! The JIRA link was very helpful. Looks like this issue is fixed in Kylin version 3.1 and I am using Kylin version 2.6.4. So my kylin.properties did not have the kylin.security.ldap.connection-truststore config. I added it and also added the changes in kylin.sh mentioned in the commit to mine.

However, I am not very familiar with LDAP security, so I don't know what the value of kylin.security.ldap.connection-truststore should be. The documentation says "the value of this configuration will be added to the JVM parameter javax.net.ssl.trustStore", and the JIRA says "'kylin.security.ldap.connection-truststore' parameter which is set to be value of 'javax.net.ssl.trustStore'". I assume we don't set the actual value of the config to "javax.net.ssl.trustStore", as that didn't seem to work. Is this supposed to be the path to the cert store on the client machines, e.g. "Current User\Trusted Root Certification Authorities\Certificates", or the name of the certificate?

Appreciate any guidance.

Thanks
Preeti

________________________________
From: Yaqian Zhang <[email protected]>
Sent: Wednesday, May 20, 2020 6:59 PM
To: [email protected] <[email protected]>
Subject: Re: "Unable to find valid certification path" error when trying to enable LDAP

Hi Preeti:

Have you read this blog? https://kylin.apache.org/docs/howto/howto_ldap_and_sso.html

It mentions a configuration item called 'kylin.security.ldap.connection-truststore'. When you use a customized CA certificate library for user authentication based on LDAPS, you need to configure 'kylin.security.ldap.connection-truststore'; the value of this configuration will be added to the JVM parameter javax.net.ssl.trustStore.

And here is the relevant JIRA issue: https://issues.apache.org/jira/browse/KYLIN-4271.

I hope this information can help you.

On May 21, 2020, at 08:44, Preeti Vipin <[email protected]> wrote:

Hi

I am trying to enable LDAP on Kylin 2.6.4 and am running into issues and would appreciate any help on how to solve this. My organization requires us to use secure LDAP, so I am using a URL like this: ldaps://<fully qualified domain name>:636. All machines connected to the corporate network have the necessary client certificates installed on them for LDAPS.

I get the error listed at the end of the email (I have obfuscated personal values). Do I need to do any set up for certificates on the Kylin machines? Also below are the fields that are available in the config which I have enabled. Am I missing anything?

    #### SECURITY ###
    #
    ## Spring security profile, options: testing, ldap, saml
    ## with "testing" profile, user can use pre-defined name/pwd like KYLIN/ADMIN to login
    kylin.security.profile=ldap
    #
    ## Admin roles in LDAP, for ldap and saml
    #kylin.security.acl.admin-role=admin
    #
    ## LDAP authentication configuration
    kylin.security.ldap.connection-server=ldaps://xx.yy.zz.com:636
    [email protected]
    kylin.security.ldap.connection-password=bbb
    #
    ## LDAP user account directory;
    kylin.security.ldap.user-search-base=DC=xx,DC=yy,DC=zz,DC=com
    kylin.security.ldap.user-search-pattern=(&(cn={0})(memberOf=DC=xx,DC=yy,DC=zz,DC=com))

ERROR

    2020-05-15 22:18:11,846 INFO [http-bio-7070-exec-4] common.KylinConfig:334 : Use KYLIN_HOME=/usr/bing-kylin/kylin
    2020-05-15 22:18:25,732 ERROR [http-bio-7070-exec-4] security.KylinAuthenticationProvider:123 : Failed to auth user: xxxx
    org.springframework.security.authentication.InternalAuthenticationServiceException: simple bind failed: xxx:636; nested exception is javax.naming.CommunicationException: simple bind failed: xxx:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)
        at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
        at org.apache.kylin.rest.security.KylinAuthenticationProvider.authenticate(KylinAuthenticationProvider.java:94)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)
        at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:180)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualF

Thanks
Preeti
