No, there are no intermediate certificates. No, I'm not using the same trust store for performing ldapsearch. I'm using the *TLS_CACERT /etc/ldap/cacert.pem* option in the ldap.conf file.

On Mon, Oct 5, 2015 at 10:12 PM, Sailaja Polavarapu <[email protected]> wrote:

> Are there any intermediate certs? If so, are they also added in the trust store?
> And just to make sure, in the ldap configuration, are you using the same trust store for performing ldapsearch?
>
> From: Aneela Saleem
> Reply-To: "[email protected]"
> Date: Sunday, October 4, 2015 at 10:15 AM
> To: "[email protected]"
> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>
> Is there any issue with the JAVA keystore?
>
> On Fri, Oct 2, 2015 at 9:59 AM, Aneela Saleem <[email protected]> wrote:
>
>> Yes, the following command works fine:
>>
>> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
>>
>> On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <[email protected]> wrote:
>>
>>> It is surprising that it will just stop working. Are you able to do ldapsearch from the command line? Just to make sure there is nothing wrong on the OpenLDAP side?
>>>
>>> Thanks
>>>
>>> Bosco
>>>
>>> From: Aneela Saleem <[email protected]>
>>> Reply-To: <[email protected]>
>>> Date: Thursday, October 1, 2015 at 11:55 PM
>>> To: <[email protected]>
>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>
>>> I also checked it on another machine. The same issue is there.
>>>
>>> On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <[email protected]> wrote:
>>>
>>>> I guess no JDK changes. And I re-checked the certificate, in fact generated a new one. Still the same issue.
>>>>
>>>> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <[email protected]> wrote:
>>>>
>>>>> Aneela,
>>>>> Please check whether the certificate has expired.
>>>>> Dilli
>>>>>
>>>>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <[email protected]> wrote:
>>>>>
>>>>>> Any other changes you can think of? JDK changes, etc.?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Bosco
>>>>>>
>>>>>> From: Aneela Saleem <[email protected]>
>>>>>> Reply-To: <[email protected]>
>>>>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>>>>> To: <[email protected]>
>>>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>>>
>>>>>> It was working fine one month ago. But now the same issue has occurred.
>>>>>>
>>>>>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <[email protected]> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I followed all the following steps, i.e.,
>>>>>>>
>>>>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>
>>>>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>> (where cert.pem has the LDAPS cert)
>>>>>>>
>>>>>>> Add java option
>>>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>> To
>>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>>>>
>>>>>>> Where it invokes the java command like the following:
>>>>>>>
>>>>>>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>>>>>>
>>>>>>> But I'm unable to sync LDAP contacts in Ranger due to certificate validation issues. Following are the logs:
>>>>>>>
>>>>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Starting User Sync Service!
>>>>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
>>>>>>> 30 Sep 2015 14:48:56 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>>>>>> 30 Sep 2015 14:48:57 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
>>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
>>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
>>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
>>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
>>>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
>>>>>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>>>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
>>>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
>>>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
>>>>>>> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 21600000 milliseconds. Error details:
>>>>>>> javax.naming.CommunicationException: simple bind failed: platalytics.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>>>>>>>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>>>>>>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>>>>>>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>>>>>>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>>>>>>         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>>>>>>         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>>>>>>         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>>>>>>         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>>>>>>         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>>>>>>         at javax.naming.InitialContext.init(InitialContext.java:242)
>>>>>>>         at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>>>>>>         at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>>>>>>>         at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>>>>>>>         at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>>>>>>         at java.lang.Thread.run(Thread.java:745)
>>>>>>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>>>>         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>>>>>>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>>>>>>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>>>>>>         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>>>>>>>         at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>>>>>>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>>>>>>         at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>>>>>>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>>>>>>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>>>>>>>         at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
>>>>>>>         at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>>>>>>>         at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>>>>>>>         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>>>>>>>         at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
>>>>>>>         at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
>>>>>>>         at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
>>>>>>>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
>>>>>>>         ... 14 more
>>>>>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>>>>>>         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>>>>>         at sun.security.validator.Validator.validate(Validator.java:260)
>>>>>>>         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>>>>>         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>>>>>         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>>>>>         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>>>>>         ... 27 more
>>>>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>>         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>>>>>         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>>>>>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>>>>>         ... 33 more
>>>>>>>
>>>>>>> And following is the output of the nohup command:
>>>>>>>
>>>>>>> Host key verification failed.
>>>>>>>
>>>>>>> Can someone please help me figure out the issue?
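One way to see what the usersync JVM actually trusts, as an added diagnostic that is neither from the thread nor from Ranger: it loads the truststore file exactly as the JVM would, prints the fingerprint and expiry of the entries imported for LDAP, then performs a TLS handshake against the LDAPS port using only that store, so a regenerated server certificate that was never re-imported shows up as a fingerprint mismatch rather than a bare "PKIX path building failed". The host, port and store path come from the thread; the class name and the "ldap" alias filter are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.*;

// Usage: java LdapsTrustCheck platalytics.com 636 /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
public class LdapsTrustCheck {
  static String sha256(Certificate c) throws Exception {
    StringBuilder sb = new StringBuilder();
    for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded())) sb.append(String.format("%02X:", b));
    return sb.substring(0, sb.length() - 1);
  }
  static void describe(String label, X509Certificate x) throws Exception {
    System.out.println(label + x.getSubjectX500Principal() + " | issuer " + x.getIssuerX500Principal()
        + " | expires " + x.getNotAfter() + " | sha256 " + sha256(x));
  }
  public static void main(String[] args) throws Exception {
    String host = args[0];
    int port = Integer.parseInt(args[1]);
    // Load the exact file passed via -Djavax.net.ssl.trustStore; a null password skips the
    // integrity check, which is enough to read certificate entries.
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    try (FileInputStream in = new FileInputStream(args[2])) { ks.load(in, null); }
    // 1. Entries added for LDAP (the thread used alias "openLdap"; the filter is an assumption).
    for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
      String alias = e.nextElement();
      Certificate c = ks.getCertificate(alias);
      if (c instanceof X509Certificate && alias.toLowerCase().contains("ldap")) describe("store entry '" + alias + "': ", (X509Certificate) c);
    }
    // 2. Handshake with a trust manager built from this store only, as the usersync JVM does.
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ks);
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tmf.getTrustManagers(), null);
    try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
      s.startHandshake();
      System.out.println("handshake OK; chain presented by " + host + ":");
      for (Certificate c : s.getSession().getPeerCertificates()) describe("  ", (X509Certificate) c);
    } catch (SSLHandshakeException ex) {
      // The same PKIX failure usersync logs: the presented chain does not end at a store entry.
      System.out.println("handshake FAILED: " + ex.getMessage());
      System.out.println("compare the store fingerprints above with: openssl s_client -connect "
          + host + ":" + port + " -showcerts");
    }
  }
}
```

If the handshake fails here too, the store is fine but its "ldap" entry does not match what the server presents; if it succeeds here but usersync still fails, the -Djavax.net.ssl.trustStore option is not reaching the usersync JVM.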
