Sync Ambari with LDAP using StartTLS


I have a problem syncing Ambari with an LDAP server using StartTLS and a self-signed certificate. Both the Ambari server and the LDAP server run on the same machine. I followed the steps written in the documentation, but I am not sure whether I am in the LDAPS configuration case.

Following the SSL configuration case, after importing the self-signed certificate into /etc/ambari-server/keys/ldaps-keystore.jks, I get the following error from the ambari server when running ambari-server sync-ldap --all:

AmbariLdapDataPopulator:736 - Reloading properties ldapSyncEventResourceProvider:460 - Caught exception running LDAP sync. 
org.springframework.ldap.CommunicationException: simple bind failed:    
host.example.net:389; nested exception is javax.naming.CommunicationException: simple bind failed: host.example.net:389 
[Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]
    at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108)
    at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:356)
    at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:140)
    at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:159)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:357)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:309)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:642)
    at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:667)
    at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getExternalLdapUserInfo(AmbariLdapDataPopulator.java:644)
    at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.synchronizeAllLdapUsers(AmbariLdapDataPopulator.java:212)
    at org.apache.ambari.server.controller.AmbariManagementControllerImpl.synchronizeLdapUsersAndGroups(AmbariManagementControllerImpl.java:5177)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.syncLdap(LdapSyncEventResourceProvider.java:490)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.processSyncEvents(LdapSyncEventResourceProvider.java:448)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.access$000(LdapSyncEventResourceProvider.java:65)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider$1.run(LdapSyncEventResourceProvider.java:259)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.naming.CommunicationException: simple bind failed: host.example.net:389 [Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    at javax.naming.InitialContext.init(InitialContext.java:244)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:42)
    at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:344)
    ... 18 more
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:992)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:928)
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:286)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:345)
    at com.sun.jndi.ldap.Connection.run(Connection.java:860)
    ... 1 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at sun.security.ssl.InputRecord.read(InputRecord.java:505)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
    ... 8 more

while the LDAP server gives: err=13 nentries=0 text=TLS confidentiality required

slapd debug  conn=16624 fd=13 ACCEPT from IP=datanode3:51578 (IP=0.0.0.0:389)
slapd debug  conn=16624 op=0 BIND dn="" method=128
slapd debug  conn=16624 op=0 RESULT tag=97 err=0 text=
slapd debug  conn=16624 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=-1))"
slapd debug  conn=16624 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
slapd debug  conn=16624 op=1 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=16624 op=2 UNBIND
slapd debug  conn=16624 fd=13 closed
slapd debug  conn=16625 fd=13 ACCEPT from IP=datanode3:51580 (IP=0.0.0.0:389)
slapd debug  conn=16625 op=0 BIND dn="" method=128
slapd debug  conn=16625 op=0 RESULT tag=97 err=0 text=
slapd debug  conn=16625 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=-1))"
slapd debug  conn=16625 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
slapd debug  conn=16625 op=1 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=16625 op=2 UNBIND
slapd debug  conn=16625 fd=13 closed
slapd debug  conn=16626 fd=13 ACCEPT from IP=datanode3:51584 (IP=0.0.0.0:389)
slapd debug  conn=16626 op=0 BIND dn="" method=128
slapd debug  conn=16626 op=0 RESULT tag=97 err=0 text=
slapd debug  conn=16626 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=-1))"
slapd debug  conn=16626 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
slapd debug  conn=16626 op=1 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=16626 op=2 UNBIND
slapd debug  conn=16626 fd=13 closed
slapd debug  conn=2419 op=4783 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ambari-qa))"
slapd debug  conn=2419 op=4783 SRCH attr=uid uidNumber
slapd debug  conn=2419 op=4783 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=2419 op=4784 ABANDON msg=4784
slapd debug  conn=2685 op=4529 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ambari-qa))"
slapd debug  conn=2685 op=4529 SRCH attr=uid uidNumber
slapd debug  conn=2685 op=4529 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=2685 op=4530 ABANDON msg=4530
slapd debug  conn=2685 op=4531 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ambari-qa))"
slapd debug  conn=2685 op=4531 SRCH attr=uid uidNumber
slapd debug  conn=2685 op=4531 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=2685 op=4532 ABANDON msg=4532
slapd debug  conn=2671 op=4367 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ambari-qa))"
slapd debug  conn=2671 op=4367 SRCH attr=uid uidNumber
slapd debug  conn=2671 op=4367 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=2419 op=4785 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ambari-qa))"
slapd debug  conn=2419 op=4785 SRCH attr=uid uidNumber
slapd debug  conn=2419 op=4785 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=2671 op=4368 ABANDON msg=4368
slapd debug  conn=2419 op=4786 ABANDON msg=4786
slapd debug  conn=2671 op=4369 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ambari-qa))"
slapd debug  conn=2671 op=4369 SRCH attr=uid uidNumber
slapd debug  conn=2671 op=4369 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=2671 op=4370 ABANDON msg=4370
slapd debug  conn=16627 fd=13 ACCEPT from IP=masternode:40376 (IP=0.0.0.0:389)
slapd debug  conn=16627 fd=13 closed (connection lost)

Running ambari-server sync-ldap --existing gives the following result:

Completed LDAP Sync.
Summary:
  memberships:
    removed = 0
    created = 0
  users:
    skipped = 0
    removed = 0
    updated = 0
    created = 0
  groups:
    updated = 0
    removed = 0
    created = 0
Ambari Server 'sync-ldap' completed successfully.

But the LDAP server still shows the same error: err=13 nentries=0 text=TLS confidentiality required

slapd debug  conn=16682 fd=13 ACCEPT from IP=datanode2:42940 (IP=0.0.0.0:389)
slapd debug  conn=16682 op=0 BIND dn="" method=128
slapd debug  conn=16682 op=0 RESULT tag=97 err=0 text=
slapd debug  conn=16682 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=-1))"
slapd debug  conn=16682 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
slapd debug  conn=16682 op=1 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=16682 op=2 UNBIND
slapd debug  conn=16682 fd=13 closed

The /etc/ambari-server/conf/ambari.properties file reads:

authentication.ldap.baseDn=dc=example,dc=net
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=dn
authentication.ldap.groupMembershipAttr=gidNumber
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=posixGroup
authentication.ldap.managerDn=cn=admin,dc=example,dc=net
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.primaryUrl=host.example.net:389
authentication.ldap.referral=ignore
authentication.ldap.useSSL=true
authentication.ldap.userObjectClass=inetOrgPerson
authentication.ldap.usernameAttribute=uid
ldap.sync.username.collision.behavior=convert
ssl.trustStore.password=******
ssl.trustStore.path=/etc/ambari-server/keys/ldaps-keystore.jks
ssl.trustStore.type=jks

If I skip the self-signed certificate, running ambari-server sync-ldap --all gives the following error:

ERROR [pool-18-thread-6] LdapSyncEventResourceProvider:460 - Caught exception running LDAP sync. 
org.springframework.ldap.AuthenticationNotSupportedException: [LDAP: error code 13 - TLS confidentiality required]; nested exception is javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - TLS confidentiality required]
    at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:194)
    at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:356)
    at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:140)
    at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:159)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:357)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:309)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:642)
    at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getFilteredLdapUsers(AmbariLdapDataPopulator.java:667)
    at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.getExternalLdapUserInfo(AmbariLdapDataPopulator.java:644)
    at org.apache.ambari.server.security.ldap.AmbariLdapDataPopulator.synchronizeAllLdapUsers(AmbariLdapDataPopulator.java:212)
    at org.apache.ambari.server.controller.AmbariManagementControllerImpl.synchronizeLdapUsersAndGroups(AmbariManagementControllerImpl.java:5177)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.syncLdap(LdapSyncEventResourceProvider.java:490)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.processSyncEvents(LdapSyncEventResourceProvider.java:448)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider.access$000(LdapSyncEventResourceProvider.java:65)
    at org.apache.ambari.server.controller.internal.LdapSyncEventResourceProvider$1.run(LdapSyncEventResourceProvider.java:259)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - TLS confidentiality required]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3127)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2883)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2797)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    at javax.naming.InitialContext.init(InitialContext.java:244)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:42)
    at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:344)
    ... 18 more

(ambari-server sync-ldap --existing yields the same result as in the other case.)

The LDAP server gives the same error: err=13 nentries=0 text=TLS confidentiality required

slapd debug  conn=16772 fd=13 ACCEPT from IP=masternode:41760 (IP=0.0.0.0:389)
slapd debug  conn=16772 op=0 BIND dn="cn=admin,dc=example,dc=net" method=128
slapd debug  conn=16772 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
slapd debug  conn=16772 fd=13 closed (connection lost)
slapd debug  conn=16773 fd=13 ACCEPT from IP=datanode1:35558 (IP=0.0.0.0:389)
slapd debug  conn=16773 op=0 BIND dn="" method=128
slapd debug  conn=16773 op=0 RESULT tag=97 err=0 text=
slapd debug  conn=16773 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=root))"
slapd debug  conn=16773 op=1 SEARCH RESULT tag=101 err=13 nentries=0 text=TLS confidentiality required
slapd debug  conn=16773 op=2 UNBIND
slapd debug  conn=16773 fd=13 closed

I followed this guide to install the LDAP server and make it available on all nodes. As far as I understand, a StartTLS connection requires the -Z option on queries.

For example, the query

ldapsearch -H ldap:// -x -b "dc=example,dc=net" -LLL dn

will yield

Confidentiality required (13)
Additional information: TLS confidentiality required

while

ldapsearch -H ldap:// -x -b "dc=example,dc=com" -LLL -Z dn

works fine.

Unfortunately my knowledge of LDAP is very limited. If I understand the problem, it seems that Ambari is missing the -Z option when it queries LDAP. Is there a way to tell Ambari to add it when syncing?

Answer 1

I found that my problem came from having configured LDAP to force connections to use TLS:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1

I replaced it with olcSecurity: tls=10

Now the sync works fine, but the connection between ambari-server and LDAP no longer seems to be encrypted. I also noticed that LDAP users that were previously missing are now correctly displayed by the getent passwd command.
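The answer above makes the sync work by letting slapd accept sessions that never negotiated TLS. The script below is an added example, not code from the question or the answer: it audits slapd stats-level log lines of the kind quoted in the question, tracking per connection whether StartTLS completed before any BIND or search, so a defender can spot directory queries that are now travelling in the clear. The sample log is constructed (conn=16772 is copied from the question; the other two connections are made up), and the `TLS established` line is what slapd logs once StartTLS completes.

```python
import re
from collections import defaultdict

# Constructed slapd stats log. conn=16772 is from the question (server still enforcing
# olcSecurity tls); conn=20001 (proper StartTLS session) and conn=20002 (the cleartext
# session left after relaxing olcSecurity) are made up for this example.
SAMPLE_LOG = """\
conn=16772 fd=13 ACCEPT from IP=masternode:41760 (IP=0.0.0.0:389)
conn=16772 op=0 BIND dn="cn=admin,dc=example,dc=net" method=128
conn=16772 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
conn=20001 fd=14 ACCEPT from IP=datanode2:40000 (IP=0.0.0.0:389)
conn=20001 op=0 STARTTLS
conn=20001 op=0 RESULT oid=1.3.6.1.4.1.1466.20037 err=0 text=
conn=20001 fd=14 TLS established tls_ssf=256 ssf=256
conn=20001 op=1 BIND dn="cn=admin,dc=example,dc=net" method=128
conn=20001 op=1 RESULT tag=97 err=0 text=
conn=20002 fd=15 ACCEPT from IP=masternode:41800 (IP=0.0.0.0:389)
conn=20002 op=0 BIND dn="cn=admin,dc=example,dc=net" method=128
conn=20002 op=0 RESULT tag=97 err=0 text=
conn=20002 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(uid=ambari-qa)"
conn=20002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

CONN_RE = re.compile(r"conn=(\d+) (.*)")


def audit_slapd_log(lines):
    """Per connection: peer, whether TLS was negotiated, which BIND/SRCH operations
    went over cleartext, and how many of them the server refused with err=13."""
    conns = defaultdict(lambda: {"peer": None, "tls": False, "cleartext": [], "refused": 0})
    for m in filter(None, map(CONN_RE.search, lines)):
        conn, rest = m.group(1), m.group(2)
        st = conns[conn]
        if " ACCEPT from IP=" in rest:
            st["peer"] = rest.split("IP=")[1].split(" ")[0]
        elif "TLS established" in rest:          # logged by slapd once StartTLS completes
            st["tls"] = True
        elif not st["tls"] and (" BIND dn=" in rest or " SRCH base=" in rest):
            st["cleartext"].append(rest.split()[1])   # "BIND" or "SRCH"
        elif "RESULT" in rest:
            e = re.search(r"\berr=(\d+)", rest)
            if e and e.group(1) == "13":              # confidentialityRequired
                st["refused"] += 1
    return dict(conns)


def unprotected_connections(report):
    """Connections where a cleartext BIND or search was accepted by the server:
    the state the answer above ends up in after lowering olcSecurity."""
    return sorted(c for c, st in report.items() if st["cleartext"] and st["refused"] == 0)
```

With the original `olcSecurity: tls=1` in place every cleartext connection shows up with `refused > 0`; once the requirement is relaxed, the same clients appear in `unprotected_connections()` instead.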
