
I'm facing an issue syncing Ambari with an LDAP server using StartTLS and a self-signed certificate. The Ambari server and the LDAP server are both running on the same machine. I've followed the steps written in the doc, but I'm not sure whether I'm in the LDAPS configuration case or not.

If I follow the SSL configuration case and import the self-signed certificate into /etc/ambari-server/keys/ldaps-keystore.jks, then I get the error below from the Ambari server when I run ambari-server sync-ldap --all:

AmbariLdapDataPopulator:736 - Reloading properties
LdapSyncEventResourceProvider:460 - Caught exception running LDAP sync.
org.springframework.ldap.CommunicationException: simple bind failed: host.example.net:389; nested exception is javax.naming.CommunicationException: simple bind failed: host.example.net:389 [Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]
    at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108)
    at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:356)
    at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:140)
    at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:159)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:357)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:309)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:642)
    at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:667)
    at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getExternalLdapUserInfo(AmbariLdapDataPopulator.java:644)
    at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.synchronizeAllLdapUsers(AmbariLdapDataPopulator.java:212)
    at org.apache.ambari.server.controller.AmbariManagementControllerImpl.synchronizeLdapUsersAndGroups(AmbariManagementControllerImpl.java:5177)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.syncLdap(LdapSyncEventResourceProvider.java:490)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.processSyncEvents(LdapSyncEventResourceProvider.java:448)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.access$000(LdapSyncEventResourceProvider.java:65)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider$1.run(LdapSyncEventResourceProvider.java:259)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.naming.CommunicationException: simple bind failed: host.example.net:389 [Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    at javax.naming.InitialContext.init(InitialContext.java:244)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:42)
    at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:344)
    ... 18 more
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:992)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:928)
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:286)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:345)
    at com.sun.jndi.ldap.Connection.run(Connection.java:860)
    ... 1 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at sun.security.ssl.InputRecord.read(InputRecord.java:505)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
    ... 8 more

While the LDAP server gives me: err=13 nentries=0 text=TLS confidentiality required

slapd debug  conn=16624 fd=13 ACCEPT from IP=datanode3:51578 (IP=0.0.0.0:389)
slapd debug  conn=16624 op=0 BIND dn="" method=128
slapd debug  conn=16624 op=0 RESULT tag=97 err=0 text=
slapd debug  conn=16624 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=-1))"
slapd debug  conn=16624 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
slapd debug  conn=16624 op=1 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=16624 op=2 UNBIND
slapd debug  conn=16624 fd=13 closed
slapd debug  conn=16625 fd=13 ACCEPT from IP=datanode3:51580 (IP=0.0.0.0:389)
slapd debug  conn=16625 op=0 BIND dn="" method=128
slapd debug  conn=16625 op=0 RESULT tag=97 err=0 text=
slapd debug  conn=16625 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=-1))"
slapd debug  conn=16625 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
slapd debug  conn=16625 op=1 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=16625 op=2 UNBIND
slapd debug  conn=16625 fd=13 closed
slapd debug  conn=16626 fd=13 ACCEPT from IP=datanode3:51584 (IP=0.0.0.0:389)
slapd debug  conn=16626 op=0 BIND dn="" method=128
slapd debug  conn=16626 op=0 RESULT tag=97 err=0 text=
slapd debug  conn=16626 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=-1))"
slapd debug  conn=16626 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
slapd debug  conn=16626 op=1 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=16626 op=2 UNBIND
slapd debug  conn=16626 fd=13 closed
slapd debug  conn=2419 op=4783 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ambari-qa))"
slapd debug  conn=2419 op=4783 SRCH attr=uid uidNumber
slapd debug  conn=2419 op=4783 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=2419 op=4784 ABANDON msg=4784
slapd debug  conn=2685 op=4529 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ambari-qa))"
slapd debug  conn=2685 op=4529 SRCH attr=uid uidNumber
slapd debug  conn=2685 op=4529 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=2685 op=4530 ABANDON msg=4530
slapd debug  conn=2685 op=4531 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ambari-qa))"
slapd debug  conn=2685 op=4531 SRCH attr=uid uidNumber
slapd debug  conn=2685 op=4531 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=2685 op=4532 ABANDON msg=4532
slapd debug  conn=2671 op=4367 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ambari-qa))"
slapd debug  conn=2671 op=4367 SRCH attr=uid uidNumber
slapd debug  conn=2671 op=4367 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=2419 op=4785 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ambari-qa))"
slapd debug  conn=2419 op=4785 SRCH attr=uid uidNumber
slapd debug  conn=2419 op=4785 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=2671 op=4368 ABANDON msg=4368
slapd debug  conn=2419 op=4786 ABANDON msg=4786
slapd debug  conn=2671 op=4369 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ambari-qa))"
slapd debug  conn=2671 op=4369 SRCH attr=uid uidNumber
slapd debug  conn=2671 op=4369 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=2671 op=4370 ABANDON msg=4370
slapd debug  conn=16627 fd=13 ACCEPT from IP=masternode:40376 (IP=0.0.0.0:389)
slapd debug  conn=16627 fd=13 closed (connection lost)

If I run ambari-server sync-ldap --existing I get:

Completed LDAP Sync.
Summary:
  memberships:
    removed = 0
    created = 0
  users:
    skipped = 0
    removed = 0
    updated = 0
    created = 0
  groups:
    updated = 0
    removed = 0
    created = 0
Ambari Server 'sync-ldap' completed successfully.

But the LDAP server still gives the same error: err=13 nentries=0 text=TLS confidentiality required

slapd debug  conn=16682 fd=13 ACCEPT from IP=datanode2:42940 (IP=0.0.0.0:389)
slapd debug  conn=16682 op=0 BIND dn="" method=128
slapd debug  conn=16682 op=0 RESULT tag=97 err=0 text=
slapd debug  conn=16682 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=-1))"
slapd debug  conn=16682 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
slapd debug  conn=16682 op=1 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=16682 op=2 UNBIND
slapd debug  conn=16682 fd=13 closed

The file /etc/ambari-server/conf/ambari.properties reads:

authentication.ldap.baseDn=dc=example,dc=net
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=dn
authentication.ldap.groupMembershipAttr=gidNumber
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=posixGroup
authentication.ldap.managerDn=cn=admin,dc=example,dc=net
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=host.example.net:389
authentication.ldap.referral=ignore
authentication.ldap.useSSL=true
authentication.ldap.userObjectClass=inetOrgPerson
authentication.ldap.usernameAttribute=uid
ldap.sync.username.collision.behavior=convert
ssl.trustStore.password=******
ssl.trustStore.path=/etc/ambari-server/keys/ldaps-keystore.jks
ssl.trustStore.type=jks

If I skip the self-signed certificate, I then get this error when I run ambari-server sync-ldap --all:

ERROR [pool-18-thread-6] LdapSyncEventResourceProvider:460 - Caught exception running LDAP sync. 
org.springframework.ldap.AuthenticationNotSupportedException: [LDAP: error code 13 - TLS confidentiality required]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - TLS confidentiality required]
    at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:194)
    at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:356)
    at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:140)
    at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:159)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:357)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:309)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:642)
    at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:667)
    at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getExternalLdapUserInfo(AmbariLdapDataPopulator.java:644)
    at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.synchronizeAllLdapUsers(AmbariLdapDataPopulator.java:212)
    at org.apache.ambari.server.controller.AmbariManagementControllerImpl.synchronizeLdapUsersAndGroups(AmbariManagementControllerImpl.java:5177)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.syncLdap(LdapSyncEventResourceProvider.java:490)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.processSyncEvents(LdapSyncEventResourceProvider.java:448)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.access$000(LdapSyncEventResourceProvider.java:65)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider$1.run(LdapSyncEventResourceProvider.java:259)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - TLS confidentiality required]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3127)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    at javax.naming.InitialContext.init(InitialContext.java:244)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:42)
    at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:344)
    ... 18 more

(ambari-server sync-ldap --existing yields the same result as in the other case.)

The LDAP server gives the same error: err=13 nentries=0 text=TLS confidentiality required

slapd debug  conn=16772 fd=13 ACCEPT from IP=masternode:41760 (IP=0.0.0.0:389)
slapd debug  conn=16772 op=0 BIND dn="cn=admin,dc=example,dc=net" method=128
slapd debug  conn=16772 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
slapd debug  conn=16772 fd=13 closed (connection lost)
slapd debug  conn=16773 fd=13 ACCEPT from IP=datanode1:35558 (IP=0.0.0.0:389)
slapd debug  conn=16773 op=0 BIND dn="" method=128
slapd debug  conn=16773 op=0 RESULT tag=97 err=0 text=
slapd debug  conn=16773 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=root))"
slapd debug  conn=16773 op=1 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=16773 op=2 UNBIND
slapd debug  conn=16773 fd=13 closed

I followed this guide to install the LDAP server and can use it from all the nodes. From what I understand, a StartTLS connection requires the -Z option in the queries.

For example the query:

ldapsearch -H ldap:// -x -b "dc=example,dc=net" -LLL dn

will yield

Confidentiality required (13)
Additional information: TLS confidentiality required

While

ldapsearch -H ldap:// -x -b "dc=example,dc=com" -LLL -Z dn

will work fine.

Unfortunately I have very limited knowledge when it comes to LDAP. If I understand the problem, I guess that Ambari is missing the -Z option when querying the LDAP server. Is there a way to tell Ambari to add it when syncing?
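The two client behaviours contrasted above (Ambari's implicit-TLS attempt with useSSL=true versus the StartTLS upgrade that ldapsearch -Z performs) can be told apart from the Ambari host with plain sockets, without an LDAP library. This is an added example, not code from the question or from Ambari; the hostname, ports and the optional cafile (a PEM export of the self-signed certificate) are assumptions.

```python
import socket
import ssl
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation OID

def ber_tlv(tag, content):  # short definite-length BER TLV; enough for these small messages
    return bytes([tag, len(content)]) + content

def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ext_req)

def read_tlv(buf, pos=0):
    """Decode one BER TLV at pos (short or long length form); returns (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(data):
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    _, msg, _ = read_tlv(data)
    _, _, pos = read_tlv(msg)            # messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    _, code, pos = read_tlv(op)          # resultCode ENUMERATED
    _, _, pos = read_tlv(op, pos)        # matchedDN
    _, diag, _ = read_tlv(op, pos)       # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def probe_starttls(host, port=389, cafile=None, timeout=5):
    """Plain connect, StartTLS, then TLS upgrade on the same socket: what ldapsearch -Z does."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: the self-signed server cert (PEM)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request())
        code, diag = parse_extended_response(sock.recv(4096))
        if code != 0:
            return {"starttls": False, "resultCode": code, "diag": diag}
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"starttls": True, "cipher": tls.cipher()[0]}

def probe_ldaps(host, port=636, cafile=None, timeout=5):
    """TLS from the first byte (LDAPS): what useSSL=true makes Ambari do; a plain :389 closes it."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"ldaps": True, "cipher": tls.cipher()[0]}
    except (ssl.SSLError, ConnectionError, EOFError) as exc:
        return {"ldaps": False, "error": str(exc)}
```

Running probe_ldaps("host.example.net", 389, cafile=...) against the plain port reproduces the handshake failure from the first trace, while probe_starttls("host.example.net", 389, cafile=...) shows the upgrade that ldapsearch -Z performs and the sync does not.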

1 Answer

I found out that my issue came from having configured the LDAP server to force connections to use TLS:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1

I switched olcSecurity: tls=1 to 0.

The synchronization works fine now, but I guess the connection between ambari-server and the LDAP server is not encrypted anymore. I also noticed that the command getent passwd now properly displays the LDAP users, while they were missing previously.