Hi: I think you can import the CA certificate into the Java CA certificate library manually.

Such as:

    keytool -keystore <$JAVA_CACERTS_PATH> -storepass <changeit> -noprompt -import -trustcacerts -v -alias <CertName> -file <~/xxxx.cer>

The $JAVA_CACERTS_PATH is usually /etc/pki/java/cacerts, but it depends on how you installed it or what type of JVM you use. You should know in advance what this path is. In addition, you should provide your certificate name and path to replace <CertName> and <~/xxxx.cer>.

> On May 21, 2020, at 09:59, Yaqian Zhang <[email protected]> wrote:
>
> Hi Preeti:
>
> Have you read this blog?
> https://kylin.apache.org/docs/howto/howto_ldap_and_sso.html
>
> It mentions a configuration item called
> 'kylin.security.ldap.connection-truststore'. When you use a customized CA
> certificate library for user authentication based on LDAPS, you need to
> configure 'kylin.security.ldap.connection-truststore'; the value of this
> configuration will be added to the JVM parameter javax.net.ssl.trustStore.
>
> And here is the relevant JIRA issue:
> https://issues.apache.org/jira/browse/KYLIN-4271
>
> I hope this information can help you.
>
>
>> On May 21, 2020, at 08:44, Preeti Vipin <[email protected]> wrote:
>>
>> Hi
>>
>> I am trying to enable LDAP on Kylin 2.6.4 and am running into issues and
>> would appreciate any help on how to solve this. My organization requires us to
>> use secure LDAP, so I am using a URL like this: ldaps://<fully qualified
>> domain name>:636. All machines connected to the corporate network have the
>> necessary client certificates installed on them for LDAPS. I get the error
>> listed at the end of the email (I have obfuscated personal values). Do I need
>> to do any setup for certificates on the Kylin machines?
>>
>> Also below are the fields that are available in the config which I have
>> enabled. Am I missing anything?
>>
>> #### SECURITY ###
>> #
>> ## Spring security profile, options: testing, ldap, saml
>> ## with "testing" profile, user can use pre-defined name/pwd like
>> KYLIN/ADMIN to login
>> kylin.security.profile=ldap
>> #
>> ## Admin roles in LDAP, for ldap and saml
>> #kylin.security.acl.admin-role=admin
>> #
>> ## LDAP authentication configuration
>> kylin.security.ldap.connection-server=ldaps://xx.yy.zz.com:636
>> [email protected]
>> kylin.security.ldap.connection-password=bbb
>> #
>> ## LDAP user account directory;
>> kylin.security.ldap.user-search-base=DC=xx,DC=yy,DC=zz,DC=com
>> kylin.security.ldap.user-search-pattern=(&(cn={0})(memberOf=DC=xx,DC=yy,DC=zz,DC=com))
>>
>>
>> ERROR
>>
>> 2020-05-15 22:18:11,846 INFO [http-bio-7070-exec-4] common.KylinConfig:334 : Use KYLIN_HOME=/usr/bing-kylin/kylin
>> 2020-05-15 22:18:25,732 ERROR [http-bio-7070-exec-4] security.KylinAuthenticationProvider:123 : Failed to auth user: xxxx
>> org.springframework.security.authentication.InternalAuthenticationServiceException: simple bind failed: xxx:636; nested exception is javax.naming.CommunicationException: simple bind failed: xxx:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>> at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)
>> at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85)
>> at org.apache.kylin.rest.security.KylinAuthenticationProvider.authenticate(KylinAuthenticationProvider.java:94)
>> at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
>> at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)
>> at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:180)
>> at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>> at org.springframework.security.web.FilterChainProxy$VirtualF
>>
>>
>> Thanks
>> Preeti
>
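The procedure the thread describes (find the cacerts of the JVM Kylin runs on, import the LDAP server's CA certificate, point kylin.security.ldap.connection-truststore at a truststore) as one script. This is an added example, not code from the Kylin project or from anyone in the thread. The file names ldap-ca.cer and ldap-truststore.jks, the alias ldap-ca and the store password changeit are assumptions. It adds two checks the replies only imply: it refuses to import into a guessed cacerts path, and it re-lists the alias after the import, since the PKIX error above is exactly what you keep seeing when the certificate landed in a different JVM's store than the one Kylin starts with. It also builds the dedicated truststore as a copy of the default cacerts, because javax.net.ssl.trustStore (which is what the Kylin property sets) replaces the JVM's default truststore rather than extending it.

```shell
#!/bin/sh
# Added example: import an LDAP CA certificate into a Java truststore for Kylin.
# Not code from the Kylin project or from the thread. Assumed (hypothetical)
# names: ./ldap-ca.cer (the CA certificate), ./ldap-truststore.jks (the
# dedicated truststore), alias "ldap-ca", store password "changeit".

# Locate cacerts under a JAVA_HOME. JDK 9+ keeps it at lib/security/cacerts,
# JDK 8 at jre/lib/security/cacerts. Prints the path; returns 1 if neither
# exists, so nothing is ever imported into a guessed location.
find_cacerts() {
  jh="$1"
  for candidate in "$jh/lib/security/cacerts" "$jh/jre/lib/security/cacerts"; do
    if [ -f "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# Compose the keytool command from the reply above (-importcert is the current
# spelling of -import; -noprompt and -trustcacerts are kept as given).
build_import_cmd() {
  printf 'keytool -importcert -noprompt -trustcacerts -keystore %s -storepass %s -alias %s -file %s\n' \
    "$1" "$2" "$3" "$4"
}

# Start a dedicated truststore as a copy of the JVM's default cacerts.
# Setting javax.net.ssl.trustStore (what kylin.security.ldap.connection-truststore
# does) replaces the default truststore instead of extending it, so copy first
# or every other TLS connection made by that JVM loses its public CAs.
# "changeit" is the JDK's default cacerts password.
make_dedicated_truststore() {
  src="$1"; dst="$2"; pass="$3"
  keytool -importkeystore -noprompt \
    -srckeystore "$src" -srcstorepass changeit \
    -destkeystore "$dst" -deststorepass "$pass"
}

# Import the CA certificate, then re-list the alias so a silent failure
# (wrong store, wrong password, bad file) is caught here and not at bind time.
import_and_verify() {
  store="$1"; pass="$2"; alias="$3"; cert="$4"
  keytool -importcert -noprompt -trustcacerts \
    -keystore "$store" -storepass "$pass" -alias "$alias" -file "$cert" || return 1
  keytool -list -keystore "$store" -storepass "$pass" -alias "$alias" >/dev/null
}

# Usage: RUN_IMPORT=1 JAVA_HOME=/path/to/jvm sh import-ldap-ca.sh
# JAVA_HOME must be the JVM Kylin actually starts with, not whatever is on PATH.
if [ "${RUN_IMPORT:-0}" = 1 ]; then
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; exit 1; }
  cacerts=$(find_cacerts "${JAVA_HOME:?set JAVA_HOME to the JVM that runs Kylin}") \
    || { echo "no cacerts under $JAVA_HOME" >&2; exit 1; }
  make_dedicated_truststore "$cacerts" ./ldap-truststore.jks changeit
  import_and_verify ./ldap-truststore.jks changeit ldap-ca ./ldap-ca.cer
  # Line to put in kylin.properties:
  echo "kylin.security.ldap.connection-truststore=$(pwd)/ldap-truststore.jks"
fi
```

If you would rather keep the single global cacerts, as the first reply suggests, call import_and_verify with the path find_cacerts prints and skip make_dedicated_truststore; the verification step is the same either way. Whichever store you choose, restart Kylin afterwards, since the JVM reads the truststore once at startup.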
