Yes, the following command works fine:

ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <[email protected]> wrote:

> It is surprising that it will just stop working. Are you able to do
> ldapsearch from command line? Just to make sure there is nothing wrong on
> the OpenLDAP side?
>
> Thanks
>
> Bosco
>
>
> From: Aneela Saleem <[email protected]>
> Reply-To: <[email protected]>
> Date: Thursday, October 1, 2015 at 11:55 PM
> To: <[email protected]>
> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>
> I also checked it on another machine. Same issue is there.
>
> On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <[email protected]>
> wrote:
>
>> I guess no JDK changes. And I re-checked the certificate, in fact generated a
>> new one. Still same issue.
>>
>> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <[email protected]>
>> wrote:
>>
>>> Aneela,
>>> Please check whether the certificate has expired.
>>> Dilli
>>>
>>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <[email protected]>
>>> wrote:
>>>
>>>> Any other changes you can think of? JDK changes, etc.?
>>>>
>>>> Thanks
>>>>
>>>> Bosco
>>>>
>>>>
>>>> From: Aneela Saleem <[email protected]>
>>>> Reply-To: <[email protected]>
>>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>>> To: <[email protected]>
>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>
>>>> It was working fine one month ago. But now the same issue has occurred.
>>>>
>>>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I followed all the following steps, i.e.,
>>>>>
>>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>
>>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>> (where cert.pem has the LDAPS cert)
>>>>>
>>>>> Add java option
>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>> to
>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>>
>>>>> where it invokes the java command like the following:
>>>>>
>>>>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>>>>
>>>>>
>>>>> But I'm unable to sync LDAP contacts in Ranger due to certificate
>>>>> validation issues. Following are the logs:
>>>>>
>>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Starting User Sync Service!
>>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
>>>>> 30 Sep 2015 14:48:56 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>>>> 30 Sep 2015 14:48:57 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
>>>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
>>>>> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 21600000 milliseconds. Error details:
>>>>> javax.naming.CommunicationException: simple bind failed: platalytics.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>>>>>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>>>>     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>>>>     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>>>>     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>>>>     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>>>>     at javax.naming.InitialContext.init(InitialContext.java:242)
>>>>>     at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>>>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>>>>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>>>>>     at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>>>>     at java.lang.Thread.run(Thread.java:745)
>>>>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>>>>>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>>>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>>>>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>>>>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>>>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>>>>>     at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
>>>>>     at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>>>>>     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>>>>>     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>>>>>     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
>>>>>     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
>>>>>     at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
>>>>>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
>>>>>     ... 14 more
>>>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>>>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>>>     at sun.security.validator.Validator.validate(Validator.java:260)
>>>>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>>>     ... 27 more
>>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>>>     ... 33 more
>>>>>
>>>>> And following is the output of the nohup command:
>>>>>
>>>>> Host key verification failed.
>>>>>
>>>>> Can someone please help me figure out the issue?
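A diagnostic for the "PKIX path building failed" error in the thread, added here as an example and not part of the original discussion: it compares the chain the LDAPS server actually serves (the output of `openssl s_client -connect platalytics.com:636 -showcerts`) with the entries in the truststore the JVM was pointed at (the output of `keytool -list -keystore userSyncCAcerts`) and reports whether any served certificate is a trusted entry. A working ldapsearch only proves that the OpenLDAP client's own TLS configuration accepts the server, not that the Java truststore contains the certificate currently served (for instance after the certificate was regenerated); the sample inputs below are constructed, not real certificates or real keytool output.

```python
import base64
import hashlib
import re
import sys

# One PEM block per certificate, as printed by `openssl s_client -showcerts`.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# `keytool -list` prints SHA1 fingerprints on JDK 7 and SHA-256 on newer JDKs.
KT_RE = re.compile(r"Certificate fingerprint \((SHA1|SHA-256)\): ([0-9A-F:]+)")

def served_fingerprints(showcerts_text):
    """Fingerprints (both digests) of every certificate the server presented."""
    fps = set()
    for body in PEM_RE.findall(showcerts_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(("SHA1", hashlib.sha1(der).hexdigest().upper()))
        fps.add(("SHA-256", hashlib.sha256(der).hexdigest().upper()))
    return fps

def trusted_fingerprints(keytool_text):
    """Fingerprints of every entry in the JVM truststore, colons removed."""
    return {(algo, fp.replace(":", "")) for algo, fp in KT_RE.findall(keytool_text)}

def check_trust(showcerts_text, keytool_text):
    """Served certs that are also truststore entries; an empty set means the
    JVM has no anchor for this chain, i.e. 'PKIX path building failed'."""
    return served_fingerprints(showcerts_text) & trusted_fingerprints(keytool_text)

# Constructed sample data (not a real certificate or real keytool output).
_FAKE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_CHAIN = ("-----BEGIN CERTIFICATE-----\n"
                + base64.b64encode(_FAKE_DER).decode() + "\n"
                "-----END CERTIFICATE-----\n")

def _colons(hexstr):
    return ":".join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2))

# Truststore that holds the certificate currently served ...
SAMPLE_KEYTOOL_OK = ("openldap, Oct 1, 2015, trustedCertEntry,\n"
                     "Certificate fingerprint (SHA1): "
                     + _colons(hashlib.sha1(_FAKE_DER).hexdigest().upper()) + "\n")
# ... and one that still holds an older, since-regenerated certificate (no match).
SAMPLE_KEYTOOL_STALE = ("openldap, Sep 1, 2015, trustedCertEntry,\n"
                        "Certificate fingerprint (SHA1): " + _colons("00" * 20) + "\n")
if __name__ == "__main__":
    # usage: python check_trust.py showcerts.txt keytool_list.txt
    with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
        hits = check_trust(f1.read(), f2.read())
    print("trusted" if hits else "NOT trusted: PKIX path building would fail")
```

If the script reports no match, re-import the certificate the server now serves (or its issuing CA) into the truststore named in `-Djavax.net.ssl.trustStore` and confirm with `keytool -list` that the new fingerprint appears.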
