Ambari sync with LDAP using StartTLS

I have a problem synchronising Ambari with an LDAP server that uses StartTLS and a self-signed certificate. The Ambari server and the LDAP server both run on the same machine. I followed the steps in the docs, but I am not sure whether my setup is an LDAPS configuration or not.

When I follow the SSL configuration and import the self-signed certificate into /etc/ambari-server/keys/ldaps-keystore.jks, I get the following error from the Ambari server when I run ambari-server sync-ldap --all.

AmbariLdapDataPopulator:736 - Reloading properties ldapSyncEventResourceProvider:460 - Caught exception running LDAP sync. 
org.springframework.ldap.CommunicationException: simple bind failed:    
host.example.net:389; nested exception is javax.naming.CommunicationException: simple bind failed: host.example.net:389 
[Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]
    at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108)
    at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:356)
    at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:140)
    at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:159)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:357)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:309)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:642)
    at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:667)
    at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getExternalLdapUserInfo(AmbariLdapDataPopulator.java:644)
    at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.synchronizeAllLdapUsers(AmbariLdapDataPopulator.java:212)
    at org.apache.ambari.server.controller.AmbariManagementControllerImpl.synchronizeLdapUsersAndGroups(AmbariManagementControllerImpl.java:5177)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.syncLdap(LdapSyncEventResourceProvider.java:490)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.processSyncEvents(LdapSyncEventResourceProvider.java:448)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.access$000(LdapSyncEventResourceProvider.java:65)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider$1.run(LdapSyncEventResourceProvider.java:259)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.naming.CommunicationException: simple bind failed: host.example.net:389 [Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    at javax.naming.InitialContext.init(InitialContext.java:244)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:42)
    at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:344)
    ... 18 more
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:992)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:928)
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:286)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:345)
    at com.sun.jndi.ldap.Connection.run(Connection.java:860)
    ... 1 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at sun.security.ssl.InputRecord.read(InputRecord.java:505)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
    ... 8 more

While the LDAP server gives me: err=13 nentries=0 text=TLS confidentiality required

slapd debug  conn=16624 fd=13 ACCEPT from IP=datanode3:51578 (IP=0.0.0.0:389)
slapd debug  conn=16624 op=0 BIND dn="" method=128
slapd debug  conn=16624 op=0 RESULT tag=97 err=0 text=
slapd debug  conn=16624 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=-1))"
slapd debug  conn=16624 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
slapd debug  conn=16624 op=1 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=16624 op=2 UNBIND
slapd debug  conn=16624 fd=13 closed
slapd debug  conn=16625 fd=13 ACCEPT from IP=datanode3:51580 (IP=0.0.0.0:389)
slapd debug  conn=16625 op=0 BIND dn="" method=128
slapd debug  conn=16625 op=0 RESULT tag=97 err=0 text=
slapd debug  conn=16625 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=-1))"
slapd debug  conn=16625 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
slapd debug  conn=16625 op=1 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=16625 op=2 UNBIND
slapd debug  conn=16625 fd=13 closed
slapd debug  conn=16626 fd=13 ACCEPT from IP=datanode3:51584 (IP=0.0.0.0:389)
slapd debug  conn=16626 op=0 BIND dn="" method=128
slapd debug  conn=16626 op=0 RESULT tag=97 err=0 text=
slapd debug  conn=16626 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=-1))"
slapd debug  conn=16626 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
slapd debug  conn=16626 op=1 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=16626 op=2 UNBIND
slapd debug  conn=16626 fd=13 closed
slapd debug  conn=2419 op=4783 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ambari-qa))"
slapd debug  conn=2419 op=4783 SRCH attr=uid uidNumber
slapd debug  conn=2419 op=4783 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=2419 op=4784 ABANDON msg=4784
slapd debug  conn=2685 op=4529 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ambari-qa))"
slapd debug  conn=2685 op=4529 SRCH attr=uid uidNumber
slapd debug  conn=2685 op=4529 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=2685 op=4530 ABANDON msg=4530
slapd debug  conn=2685 op=4531 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ambari-qa))"
slapd debug  conn=2685 op=4531 SRCH attr=uid uidNumber
slapd debug  conn=2685 op=4531 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=2685 op=4532 ABANDON msg=4532
slapd debug  conn=2671 op=4367 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)    (uid=ambari-qa))"
slapd debug  conn=2671 op=4367 SRCH attr=uid uidNumber
slapd debug  conn=2671 op=4367 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=2419 op=4785 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ambari-qa))"
slapd debug  conn=2419 op=4785 SRCH attr=uid uidNumber
slapd debug  conn=2419 op=4785 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=2671 op=4368 ABANDON msg=4368
slapd debug  conn=2419 op=4786 ABANDON msg=4786
slapd debug  conn=2671 op=4369 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ambari-qa))"
slapd debug  conn=2671 op=4369 SRCH attr=uid uidNumber
slapd debug  conn=2671 op=4369 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=2671 op=4370 ABANDON msg=4370
slapd debug  conn=16627 fd=13 ACCEPT from IP=masternode:40376 (IP=0.0.0.0:389)
slapd debug  conn=16627 fd=13 closed (connection lost)

When I run ambari-server sync-ldap --existing, I get

Completed LDAP Sync.
Summary:
  memberships:
    removed = 0
    created = 0
  users:
    skipped = 0
    removed = 0
    updated = 0
    created = 0
  groups:
    updated = 0
    removed = 0
    created = 0
Ambari Server 'sync-ldap' completed successfully.

But the LDAP server still reports the same error: err=13 nentries=0 text=TLS confidentiality required

slapd debug  conn=16682 fd=13 ACCEPT from IP=datanode2:42940 (IP=0.0.0.0:389)
slapd debug  conn=16682 op=0 BIND dn="" method=128
slapd debug  conn=16682 op=0 RESULT tag=97 err=0 text=
slapd debug  conn=16682 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=-1))"
slapd debug  conn=16682 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
slapd debug  conn=16682 op=1 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=16682 op=2 UNBIND
slapd debug  conn=16682 fd=13 closed

The file /etc/ambari-server/conf/ambari.properties reads:

authentication.ldap.baseDn=dc=example,dc=net
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=dn
authentication.ldap.groupMembershipAttr=gidNumber
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=posixGroup
authentication.ldap.managerDn=cn=admin,dc=example,dc=net
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=host.example.net:389
authentication.ldap.referral=ignore
authentication.ldap.useSSL=true
authentication.ldap.userObjectClass=inetOrgPerson
authentication.ldap.usernameAttribute=uid
ldap.sync.username.collision.behavior=convert
ssl.trustStore.password=******
ssl.trustStore.path=/etc/ambari-server/keys/ldaps-keystore.jks
ssl.trustStore.type=jks

If I skip the self-signed certificate, I get this error when I run ambari-server sync-ldap --all:

ERROR [pool-18-thread-6] LdapSyncEventResourceProvider:460 - Caught exception running LDAP sync. 
org.springframework.ldap.AuthenticationNotSupportedException: [LDAP: error code 13 - TLS confidentiality required]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - TLS confidentiality required]
    at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:194)
    at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:356)
    at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:140)
    at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:159)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:357)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:309)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:642)
    at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:667)
    at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getExternalLdapUserInfo(AmbariLdapDataPopulator.java:644)
    at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.synchronizeAllLdapUsers(AmbariLdapDataPopulator.java:212)
    at org.apache.ambari.server.controller.AmbariManagementControllerImpl.synchronizeLdapUsersAndGroups(AmbariManagementControllerImpl.java:5177)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.syncLdap(LdapSyncEventResourceProvider.java:490)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.processSyncEvents(LdapSyncEventResourceProvider.java:448)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.access$000(LdapSyncEventResourceProvider.java:65)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider$1.run(LdapSyncEventResourceProvider.java:259)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - TLS confidentiality required]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3127)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    at javax.naming.InitialContext.init(InitialContext.java:244)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:42)
    at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:344)
    ... 18 more

(ambari-server sync-ldap --existing gives the same result as in the other case.)

The LDAP server reports the same error: err=13 nentries=0 text=TLS confidentiality required

slapd debug  conn=16772 fd=13 ACCEPT from IP=masternode:41760 (IP=0.0.0.0:389)
slapd debug  conn=16772 op=0 BIND dn="cn=admin,dc=example,dc=net" method=128
slapd debug  conn=16772 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
slapd debug  conn=16772 fd=13 closed (connection lost)
slapd debug  conn=16773 fd=13 ACCEPT from IP=datanode1:35558 (IP=0.0.0.0:389)
slapd debug  conn=16773 op=0 BIND dn="" method=128
slapd debug  conn=16773 op=0 RESULT tag=97 err=0 text=
slapd debug  conn=16773 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=root))"
slapd debug  conn=16773 op=1 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=16773 op=2 UNBIND
slapd debug  conn=16773 fd=13 closed

I followed this guide to install the LDAP server and to be able to use it from all nodes. As far as I know, a StartTLS connection requires the -Z option in the queries.

For example, the query:

ldapsearch -H ldap:// -x -b "dc=example,dc=net" -LLL dn

will return

Confidentiality required (13)
Additional information: TLS confidentiality required

whereas

ldapsearch -H ldap:// -x -b "dc=example,dc=com" -LLL -Z dn

will work fine.

Unfortunately I have only very limited knowledge when it comes to LDAP. If I understand the problem correctly, I suspect that Ambari is missing the -Z option when it queries LDAP. Is there a way to tell Ambari to add it during synchronisation?

Answer 1

I found out that my problem was due to having configured LDAP to force the connection over TLS:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1

I changed olcSecurity: tls=1 to 0.

Synchronisation now works fine, but I suspect that the connection between the Ambari server and LDAP is no longer encrypted. I also noticed that the getent passwd command now correctly shows the LDAP users, whereas before they were missing.
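Added example, not part of the question or the answer above and not Ambari or OpenLDAP code: a small probe that does what the -Z flag does by hand. It connects to port 389 in the clear, sends the StartTLS extended request (OID 1.3.6.1.4.1.1466.20037), decodes the extended response, and only then upgrades the socket to TLS and verifies the server certificate against a CA file. This makes the two failure modes on the page visible: a client that starts a TLS handshake on a plaintext port (what useSSL=true against host.example.net:389 amounts to) gets "Remote host closed connection during handshake", while a client that stays in the clear against a server with olcSecurity: tls=1 gets result code 13, "TLS confidentiality required". Turning tls=1 off, as the answer did, makes the probe's second half optional for every client, which is why the answer suspects the traffic is no longer encrypted; running the probe after the change shows whether StartTLS is still offered. Function names, the ca_file argument and the two sample responses are assumptions constructed for this example.

```python
"""Probe an LDAP port for StartTLS and verify the TLS layer (added example)."""
import socket
import ssl
from typing import Optional

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

# LDAP result codes relevant to this page (RFC 4511, section 4.1.9).
RESULT_NAMES = {0: "success", 1: "operationsError", 2: "protocolError",
                13: "confidentialityRequired", 52: "unavailable"}


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _int(v: int) -> bytes:
    return v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)


def build_starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))   # 0x60|23 = 0x77; [0] primitive = 0x80
    return _tlv(0x30, _tlv(0x02, _int(msg_id)) + ext_req)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data: bytes) -> dict:
    """Decode ExtendedResponse [APPLICATION 24]: resultCode, matchedDN, diagnosticMessage."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, raw_id, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x78:                                   # 0x60|24 = 0x78
        raise ValueError("protocolOp 0x%02x is not an ExtendedResponse" % tag)
    _, rc, pos = _read_tlv(op, 0)                     # ENUMERATED resultCode
    _, matched, pos = _read_tlv(op, pos)              # matchedDN
    _, diag, pos = _read_tlv(op, pos)                 # diagnosticMessage (responseName may follow)
    code = int.from_bytes(rc, "big")
    return {"msg_id": int.from_bytes(raw_id, "big", signed=True),
            "result_code": code, "result_name": RESULT_NAMES.get(code, "other"),
            "matched_dn": matched.decode("utf-8", "replace"),
            "diagnostic": diag.decode("utf-8", "replace")}


# Constructed sample responses (not captured from a real server).
SAMPLE_OK = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x78, _tlv(0x0A, b"\x00") + _tlv(0x04, b"") + _tlv(0x04, b"")))
SAMPLE_UNAVAILABLE = _tlv(0x30, _tlv(0x02, b"\x02") + _tlv(0x78, _tlv(0x0A, b"\x34") + _tlv(0x04, b"") + _tlv(0x04, b"TLS not supported")))


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def _recv_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        head += _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)


def probe_starttls(host: str, port: int = 389, ca_file: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Plaintext connect, StartTLS request, then TLS upgrade with certificate and hostname verification.

    ca_file is assumed to be the PEM of the self-signed certificate the server presents;
    without it the default trust store is used and a self-signed cert fails verification."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request(1))          # stays in the clear until the server says yes
        resp = parse_extended_response(_recv_message(sock))
        if resp["result_code"] != 0:
            return {"starttls": False, **resp}
        ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + check_hostname by default
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert().get("subject", ()))
            return {"starttls": True, "tls_version": tls.version(),
                    "cipher": tls.cipher()[0], "subject": subject, **resp}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "host.example.net"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 389
    print(probe_starttls(target, port, sys.argv[3] if len(sys.argv) > 3 else None))
```

Run it as python3 probe.py host.example.net 389 /path/to/server-cert.pem. A result with "starttls": True plus a TLS version means the server still offers StartTLS on 389 and the certificate chains to the file given; "result_code": 13 on a later plain search (or on the bind, as in the slapd log above) is the server enforcing olcSecurity: tls=1, and an SSL handshake error when you point an LDAPS client at 389 is the mismatch the question ran into.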
