Druid Ldap Exception

Hi All,

I have implemented LDAP in Druid. It is connecting to the LDAP server, but now it is failing due to the exception below.

2020-01-31T20:32:08,519 ERROR [qtp1604271704-127] org.apache.druid.security.basic.authentication.validator.LDAPCredentialsValidator - Exception during user lookup
javax.naming.CommunicationException: prod-ldapad-internal-obc.us.bank-dns.com:636

Let me know what could be the issue.

Thanks,

Ashish

Hi Ashish,

Could you please share the full stack trace?

Thanks

Hey Tijo,

Do we need to add any extra configuration settings to enable LDAP?

Can you share the authentication, escalator and authorizer common.runtime.properties settings used anywhere else?

We can take a reference from it and update it accordingly.

2020-02-02T21:15:36,691 ERROR [qtp1604271704-130] org.apache.druid.security.basic.authentication.validator.LDAPCredentialsValidator - Exception during user lookup
javax.naming.CommunicationException:
at com.sun.jndi.ldap.Connection.<init>(Connection.java:228) ~[?:1.8.0_232]
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137) ~[?:1.8.0_232]
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1609) ~[?:1.8.0_232]
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) ~[?:1.8.0_232]
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[?:1.8.0_232]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[?:1.8.0_232]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[?:1.8.0_232]
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[?:1.8.0_232]
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[?:1.8.0_232]
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[?:1.8.0_232]
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_232]
at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_232]
at javax.naming.InitialContext.<init>(InitialContext.java:216) ~[?:1.8.0_232]
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) ~[?:1.8.0_232]
at org.apache.druid.security.basic.authentication.validator.LDAPCredentialsValidator.validateCredentials(LDAPCredentialsValidator.java:143) [druid-basic-security-0.17.0.jar:0.17.0]
at org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator$BasicHTTPAuthenticationFilter.doFilter(BasicHTTPAuthenticator.java:201) [druid-basic-security-0.17.0.jar:0.17.0]
at org.apache.druid.server.security.AuthenticationWrappingFilter.doFilter(AuthenticationWrappingFilter.java:59) [druid-server-0.17.0.jar:0.17.0]
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642) [jetty-servlet-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.apache.druid.server.security.SecuritySanityCheckFilter.doFilter(SecuritySanityCheckFilter.java:86) [druid-server-0.17.0.jar:0.17.0]
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642) [jetty-servlet-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533) [jetty-servlet-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1340) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473) [jetty-servlet-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1242) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:740) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:61) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.server.Server.handle(Server.java:503) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305) [jetty-io-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:411) [jetty-io-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:305) [jetty-io-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159) [jetty-io-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118) [jetty-io-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333) [jetty-util-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310) [jetty-util-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168) [jetty-util-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126) [jetty-util-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366) [jetty-util-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366) [jetty-util-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765) [jetty-util-9.4.12.v20180830.jar:9.4.12.v20180830]
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683) [jetty-util-9.4.12.v20180830.jar:9.4.12.v20180830]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_232]
Caused by: java.lang.NullPointerException: must specify a trustStorePath   (we have already added the .cert file to our jks file)
at com.google.common.base.Preconditions.checkNotNull(Preconditions.java:229) ~[guava-16.0.1.jar:?]
at org.apache.druid.server.security.TLSUtils$ClientSSLContextBuilder.build(TLSUtils.java:146) ~[druid-server-0.17.0.jar:0.17.0]
at org.apache.druid.security.basic.BasicSecuritySSLSocketFactory.<init>(BasicSecuritySSLSocketFactory.java:60) ~[druid-basic-security-0.17.0.jar:0.17.0]
at org.apache.druid.security.basic.BasicSecuritySSLSocketFactory.getDefault(BasicSecuritySSLSocketFactory.java:67) ~[druid-basic-security-0.17.0.jar:0.17.0]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_232]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_232]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_232]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_232]
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:296) ~[?:1.8.0_232]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:215) ~[?:1.8.0_232]
... 51 more

druid.auth.authenticator.ldap.authorizerName=ldapauth
druid.escalator.type=basic
druid.escalator.internalClientUsername=druid_system
druid.escalator.internalClientPassword=password2
druid.escalator.authorizerName=ldapauth
druid.auth.authorizers=["ldapauth"]
druid.auth.authorizer.ldapauth.type=basic
#druid.auth.authorizer.ldapauth.initialAdminUser=admin
#druid.auth.authorizer.ldapauth.initialAdminRole=admin
druid.auth.authorizer.ldapauth.roleProvider.type=ldap

Thanks,

Ashish

On Behalf Of Tijo Thomas

Hi Ashish,

Hope the below config helps.

druid.auth.authenticatorChain=["ldap"]
druid.auth.authenticator.ldap.type=basic
druid.auth.authenticator.ldap.enableCacheNotifications=true
druid.auth.authenticator.ldap.credentialsValidator.type=ldap
druid.auth.authenticator.ldap.credentialsValidator.url=ldap://<AD host>:<AD port>
druid.auth.authenticator.ldap.credentialsValidator.bindUser=<AD admin user eg: Administrator@example.com>
druid.auth.authenticator.ldap.credentialsValidator.bindPassword=<AD admin password>
druid.auth.authenticator.ldap.credentialsValidator.baseDn=<base dn eg: dc=example,dc=com>
druid.auth.authenticator.ldap.credentialsValidator.userSearch=<this we get from the ldap search, eg: (&(sAMAccountName=%s)(objectClass=user))>
druid.auth.authenticator.ldap.credentialsValidator.userAttribute=sAMAccountName
druid.auth.authenticator.ldap.authorizerName=ldapauth
druid.escalator.type=basic
druid.escalator.internalClientUsername=<AD internal user eg: internal>
druid.escalator.internalClientPassword=<some pwd>
druid.escalator.authorizerName=ldapauth
druid.auth.authorizers=["ldapauth"]
druid.auth.authorizer.ldapauth.type=basic
druid.auth.authorizer.ldapauth.initialAdminUser=<AD user which can act as initial admin user eg: internal>
druid.auth.authorizer.ldapauth.initialAdminRole=admin
druid.auth.authorizer.ldapauth.roleProvider.type=ldap
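
The two configs above and the stack trace earlier in the thread point at three separate things a practitioner would check before going back and forth by mail: the `Caused by` line (`TLSUtils$ClientSSLContextBuilder.build` failing on a null `trustStorePath`, which is a Druid client-TLS setting, not the JDK trust store the `.cert` was imported into), list values typed with curly quotes (as in `[“ldapauth”]` in the posted config, which is not valid JSON), and escalator/authenticator names that do not match a declared authorizer. The script below is an added example, not code from Druid or from anyone in this thread. It assumes, as a labelled assumption, that the LDAPS socket factory reads its trust store from the `druid.client.https.*` properties; the sample properties text is constructed for the example and uses a placeholder host, not the poster's server.

```python
"""Lint a Druid common.runtime.properties LDAP/LDAPS block (added example, not Druid code)."""
import re

CURLY_TO_STRAIGHT = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})

# Assumption: the LDAPS socket factory takes its trust store from the
# client-side TLS properties; the property name is not confirmed on the page.
TRUSTSTORE_PATH_KEY = "druid.client.https.trustStorePath"


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value or key:value, '#'/'!' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def json_list_names(value):
    """Names inside a Druid JSON-style list such as ["ldap"]; curly quotes tolerated for lookup only."""
    return re.findall(r'"([^"]+)"', value.translate(CURLY_TO_STRAIGHT))


def check_ldap_config(text):
    """Return a list of human-readable problems found in the properties text."""
    props = parse_properties(text)
    problems = []

    # 1. Curly quotes: Druid parses list-valued properties as JSON.
    for key, value in props.items():
        if value != value.translate(CURLY_TO_STRAIGHT):
            problems.append(f"{key}: curly quotes in {value!r}; list values are JSON and need straight quotes")

    authorizers = json_list_names(props.get("druid.auth.authorizers", ""))

    # 2. Each authenticator in the chain: LDAPS needs a trust store; authorizerName must be declared.
    for name in json_list_names(props.get("druid.auth.authenticatorChain", "")):
        p = f"druid.auth.authenticator.{name}."
        url = props.get(p + "credentialsValidator.url", "")
        if url.lower().startswith("ldaps://") and not props.get(TRUSTSTORE_PATH_KEY):
            problems.append(f"{name}: ldaps:// URL but {TRUSTSTORE_PATH_KEY} is unset "
                            "(the TLS client builder throws 'must specify a trustStorePath')")
        ref = props.get(p + "authorizerName")
        if ref and ref not in authorizers:
            problems.append(f"{name}: authorizerName {ref!r} is not listed in druid.auth.authorizers")

    # 3. Escalator must also point at a declared authorizer.
    esc = props.get("druid.escalator.authorizerName")
    if esc and esc not in authorizers:
        problems.append(f"escalator: authorizerName {esc!r} is not listed in druid.auth.authorizers")

    # 4. With an LDAP role provider the reference config sets initialAdminUser to a directory user.
    for a in authorizers:
        ap = f"druid.auth.authorizer.{a}."
        if props.get(ap + "roleProvider.type") == "ldap" and not props.get(ap + "initialAdminUser"):
            problems.append(f"{a}: roleProvider is ldap but initialAdminUser is unset or commented out")
    return problems


# Constructed sample modelled on the posted config; host and URL are placeholders.
BROKEN_CONFIG = """
druid.auth.authenticatorChain=["ldap"]
druid.auth.authenticator.ldap.type=basic
druid.auth.authenticator.ldap.credentialsValidator.type=ldap
druid.auth.authenticator.ldap.credentialsValidator.url=ldaps://ldap.example.com:636
druid.auth.authenticator.ldap.authorizerName=ldapauth
druid.escalator.type=basic
druid.escalator.authorizerName=ldapauth
druid.auth.authorizers=[\u201cldapauth\u201d]
druid.auth.authorizer.ldapauth.type=basic
#druid.auth.authorizer.ldapauth.initialAdminUser=admin
druid.auth.authorizer.ldapauth.roleProvider.type=ldap
"""

# Same config with straight quotes, an initial admin user, and the client trust store set.
FIXED_CONFIG = BROKEN_CONFIG.replace("\u201c", '"').replace("\u201d", '"') \
    .replace("#druid.auth.authorizer.ldapauth.initialAdminUser=admin",
             "druid.auth.authorizer.ldapauth.initialAdminUser=internal") + f"""
{TRUSTSTORE_PATH_KEY}=/etc/druid/truststore.jks
druid.client.https.trustStoreType=jks
druid.client.https.trustStorePassword=changeit
"""

if __name__ == "__main__":
    for problem in check_ldap_config(BROKEN_CONFIG):
        print("-", problem)
    print("fixed config problems:", check_ldap_config(FIXED_CONFIG))
```

Run it against the real `common.runtime.properties` by reading the file into `check_ldap_config`. The trust-store check is deliberately independent of whether the CA certificate was imported into the JDK `cacerts`: the trace shows Druid building its own `SSLContext` from its own properties, so importing the `.cert` into a JKS is only half of the fix until that JKS path is handed to Druid.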

Hi Tijo,

Thank you for your response.

What should the AD internal user be? Could this be any LDAP user that is part of the specified group (for example, our own LDAP id)? Or should we create an internal user in LDAP?

One more question: are the users admin & druid_system not required to be created as we used to do with basic auth? Per the Druid documentation, only the 'admin' and 'druid_system' users will have full access to all the APIs before other users/roles are created.

Could you please share your contact details ? It would be great if I can get 10 minutes of your time for discussion.

Thanks & Regards