It is surprising that it will just stop working. Are you able to do
ldapsearch from command line? Just to make sure there is nothing wrong on
the OpenLDAP side?

Thanks

Bosco


From:  Aneela Saleem <ane...@platalytics.com>
Reply-To:  <user@ranger.incubator.apache.org>
Date:  Thursday, October 1, 2015 at 11:55 PM
To:  <user@ranger.incubator.apache.org>
Subject:  Re: Issues with usersync (LDAPS certificate not validated)

> I also checked it on another machine. Same issue is there
> 
> On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <ane...@platalytics.com> wrote:
>> I guess no JDK changes. And I re-checked the certificate, in fact generated a new
>> one. Still same issue.
>> 
>> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <dilli.do...@gmail.com> wrote:
>>> Aneela,
>>> Please check whether the certificate has expired.
>>> Dilli
>>> 
>>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org> wrote:
>>>> Any other changes you can think of? JDK changes, etc.?
>>>> 
>>>> Thanks
>>>> 
>>>> Bosco
>>>> 
>>>> 
>>>> From:  Aneela Saleem <ane...@platalytics.com>
>>>> Reply-To:  <user@ranger.incubator.apache.org>
>>>> Date:  Wednesday, September 30, 2015 at 9:37 PM
>>>> To:  <user@ranger.incubator.apache.org>
>>>> Subject:  Re: Issues with usersync (LDAPS certificate not validated)
>>>> 
>>>>> It was working fine one month ago. But now the same issue has occurred.
>>>>> 
>>>>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <ane...@platalytics.com>
>>>>> wrote:
>>>>>> Hi all,
>>>>>> 
>>>>>> I followed all the following steps i.e.,
>>>>>> 
>>>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts
>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>> 
>>>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore
>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>> (where cert.pem has the LDAPS cert)
>>>>>>  
>>>>>> Add java option
>>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>> To
>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>>> 
>>>>>> Where it invokes java command like the following
>>>>>> 
>>>>>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts  . . .
>>>>>> 
>>>>>> 
>>>>>> But I'm unable to sync LDAP contacts in Ranger due to certificate
>>>>>> validation issues. Following are the logs
>>>>>> 
>>>>>> 30 Sep 2015 14:48:56  INFO UnixAuthenticationService [main] - Starting
>>>>>> User Sync Service!
>>>>>> 30 Sep 2015 14:48:56  INFO UnixAuthenticationService [main] - Enabling
>>>>>> Unix Auth Service!
>>>>>> 30 Sep 2015 14:48:56  INFO UserGroupSync [UnixUserSyncThread] -
>>>>>> initializing sink:
>>>>>> org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>>>>> 30 Sep 2015 14:48:57  WARN NativeCodeLoader [main] - Unable to load
>>>>>> native-hadoop library for your platform... using builtin-java classes
>>>>>> where applicable
>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] - Enabling
>>>>>> Protocol: [SSLv2Hello]
>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] - Enabling
>>>>>> Protocol: [TLSv1]
>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] - Enabling
>>>>>> Protocol: [TLSv1.1]
>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] - Enabling
>>>>>> Protocol: [TLSv1.2]
>>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
>>>>>> LdapUserGroupBuilder created
>>>>>> 30 Sep 2015 14:48:58  INFO UserGroupSync [UnixUserSyncThread] -
>>>>>> initializing source:
>>>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>>>> 30 Sep 2015 14:48:58  INFO UserGroupSync [UnixUserSyncThread] - Begin:
>>>>>> initial load of user/group from source==>sink
>>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
>>>>>> LDAPUserGroupBuilder updateSink started
>>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
>>>>>> LdapUserGroupBuilder initialization started
>>>>>> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] - Failed to
>>>>>> initialize UserGroup source/sink. Will retry after 21600000 milliseconds.
>>>>>> Error details:
>>>>>> javax.naming.CommunicationException: simple bind failed:
>>>>>> platalytics.com:636 [Root exception is
>>>>>> javax.net.ssl.SSLHandshakeException:
>>>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>>>>> find valid certification path to requested target]
>>>>>> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>>>>> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>>>>> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>>>>> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>>>>> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>>>>> at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>>>>> at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>>>>> at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>>>>> at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>>>>> at javax.naming.InitialContext.init(InitialContext.java:242)
>>>>>> at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>>>>> at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>>>>>> at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>>>>>> at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>>> Caused by: javax.net.ssl.SSLHandshakeException:
>>>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>>>>> find valid certification path to requested target
>>>>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>>>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>>>>>> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>>>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>>>>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>>>>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>>>>> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>>>>>> at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
>>>>>> at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>>>>>> at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>>>>>> at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>>>>>> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
>>>>>> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
>>>>>> at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
>>>>>> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
>>>>>> ... 14 more
>>>>>> Caused by: sun.security.validator.ValidatorException: PKIX path building
>>>>>> failed: sun.security.provider.certpath.SunCertPathBuilderException:
>>>>>> unable to find valid certification path to requested target
>>>>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>>>>> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>>>> at sun.security.validator.Validator.validate(Validator.java:260)
>>>>>> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>>>> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>>>> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>>>> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>>>> ... 27 more
>>>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>>>>>> unable to find valid certification path to requested target
>>>>>> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>>>> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>>>> ... 33 more
>>>>>> 
>>>>>> And following is the output of nohup command:
>>>>>> 
>>>>>> Host key verification failed.
>>>>>> 
>>>>>> Can someone please help me figure out the issue?
>>>>> 
>>> 
>> 
> 
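
An added diagnostic for the "PKIX path building failed" error discussed in this thread (not code from any poster or from Ranger): it checks whether the certificate the LDAPS server presents is among the entries of the trust store, and which trust store path the java command line actually carries. It assumes the imported cert.pem is the certificate the server itself presents, as in the steps quoted above; the helper names `norm_fp`, `fp_in_truststore` and `truststore_opt` and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example. Live inputs would come from (run by the operator):
#   openssl s_client -connect <ldap-host>:636 </dev/null 2>/dev/null |
#     openssl x509 -noout -fingerprint -sha1
#   keytool -list -keystore <path-to>/userSyncCAcerts -storepass <password>
# Use the digest (-sha1 / -sha256) that your keytool version prints.

# Reduce fingerprint lines from either tool to bare upper-case hex.
# Handles "SHA1 Fingerprint=AA:BB" and "Certificate fingerprint (SHA1): AA:BB".
norm_fp() {
  sed -n 's/^.*[Ff]ingerprint[^=:]*[=:] *\([0-9A-Fa-f:]*\).*$/\1/p' |
    tr -d ':' | tr 'a-f' 'A-F'
}

# Exit 0 if fingerprint $1 is among the entries of the keytool listing on stdin.
fp_in_truststore() {
  want=$(printf 'Fingerprint=%s\n' "$1" | norm_fp)
  [ -n "$want" ] || return 2          # unparsable fingerprint argument
  norm_fp | grep -qx "$want"
}

# Print the trust store path a java command line ($1) really carries; a path
# split by whitespace comes back truncated.
truststore_opt() {
  printf '%s\n' "$1" | tr ' ' '\n' |
    sed -n 's/^-Djavax\.net\.ssl\.trustStore=//p'
}

# Constructed sample data (not taken from the thread).
SAMPLE_LISTING='Keystore type: JKS
Your keystore contains 2 entries

openldap, Oct 1, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 3B:7A:10:9C:55:E2:4D:81:0F:66:A1:2E:90:CB:47:D3:18:5F:22:6A
someca, Jan 5, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): 91:0D:FE:34:AB:7C:02:68:D5:19:4E:B0:73:2A:C6:88:5D:E1:F7:40'
SERVER_FP='SHA1 Fingerprint=3b:7a:10:9c:55:e2:4d:81:0f:66:a1:2e:90:cb:47:d3:18:5f:22:6a'

if printf '%s\n' "$SAMPLE_LISTING" | fp_in_truststore "$SERVER_FP"; then
  echo "presented certificate is in the trust store"
else
  echo "presented certificate is NOT in the trust store"
fi
```

If the server certificate is issued by a CA rather than self-signed, compare against the issuing CA certificate's fingerprint instead, since that is the entry path building needs.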

