Druid Ldap

Hi Team,

I am using a single Druid instance, version 0.17, and have enabled LDAP settings.

After enabling LDAP I get the error below in broker.log:

com.fasterxml.jackson.core.JsonParseException: Input does not start with Smile format header (first byte = 0x3c) and parser has REQUIRE_HEADER enabled: can not parse
at [Source: (byte[])"
Error 401 Unauthorized
HTTP ERROR 401
Problem accessing /druid-ext/basic-security/authorization/db/ldapauth/cachedSerializedUserMap. Reason:
    Unauthorized
Powered by Jetty:// 9.4.12.v20180830
"; line: -1, column: 0]

Any help will be appreciated!!!

Thanks,

Ashish

Not sure why this is happening. Can you set cache notifications to false?

druid.auth.authenticator.ldap.enableCacheNotifications=false

Hi Tijo,

(I am writing on behalf of Ashish)

We use the following configuration in common.runtime.properties. There are no logs in the coordinator, but the router and broker logs show an unauthorized error while connecting to the coordinator. We are also unable to create roles, as the services are not fully up yet. Please advise whether the authorizer will have full access to the internal client user we specify. As of now we used our LDAP user id as the internal client user, and there is no role associated with it.

druid.auth.authenticatorChain=["ldap"]
druid.auth.authenticator.ldap.type=basic
druid.auth.authenticator.ldap.enableCacheNotifications=true
druid.auth.authenticator.ldap.credentialsValidator.type=ldap
druid.auth.authenticator.ldap.credentialsValidator.url=ldap://:389
druid.auth.authenticator.ldap.credentialsValidator.bindUser=CN=,OU=APPIDS,DC=,DC=,DC=COM
druid.auth.authenticator.ldap.credentialsValidator.bindPassword=
druid.auth.authenticator.ldap.credentialsValidator.baseDn=DC=,DC=,DC=COM
druid.auth.authenticator.ldap.credentialsValidator.userSearch=(&(objectClass=person)(sAMAccountName=${USER})(memberof=CN=<ldap_group>,OU=APPS,DC=,DC=,DC=COM))
druid.auth.authenticator.ldap.enableCacheNotifications=false
druid.auth.authenticator.ldap.credentialsValidator.userAttribute=sAMAccountName
druid.auth.authenticator.ldap.authorizerName=ldapauth
druid.escalator.type=basic
druid.escalator.internalClientUsername=
druid.escalator.internalClientPassword=
druid.escalator.authorizerName=ldapauth
druid.auth.authorizers=["ldapauth"]
druid.auth.authorizer.ldapauth.type=basic
druid.auth.authorizer.ldapauth.initialAdminUser=<ldap_user_id>
druid.auth.authorizer.ldapauth.initialAdminRole=admin
druid.auth.authorizer.ldapauth.roleProvider.type=ldap
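A small lint for the auth-related keys in a common.runtime.properties file, added here as an illustration and not part of this thread or of Druid itself. It applies Java properties semantics (a repeated key keeps its last value) to a constructed sample modelled on the configuration above, with the redacted values left empty, and flags the things worth checking before chasing the 401: a duplicated key, curly quotes in a value that Druid parses as a JSON list, empty escalator credentials, and an escalator authorizerName that is not in druid.auth.authorizers. The key names are the real Druid ones from the post; the sample values are constructed.

```python
import re

# Constructed sample modelled on the thread's common.runtime.properties; the duplicated
# key and the curly quotes are reproduced deliberately so the checks have something to flag.
SAMPLE = """\
druid.auth.authenticatorChain=[“ldap”]
druid.auth.authenticator.ldap.type=basic
druid.auth.authenticator.ldap.enableCacheNotifications=true
druid.auth.authenticator.ldap.enableCacheNotifications=false
druid.auth.authenticator.ldap.authorizerName=ldapauth
druid.escalator.internalClientUsername=
druid.escalator.internalClientPassword=
druid.escalator.authorizerName=ldapauth
druid.auth.authorizers=[“ldapauth”]
druid.auth.authorizer.ldapauth.type=basic
"""

def parse_properties(text):
    """Minimal Java .properties reader: a repeated key keeps its LAST value."""
    props, dups = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in props:
            dups.append(key)
        props[key] = value
    return props, dups

def check_auth_config(text):
    """Return a list of findings for the auth-related keys used in the thread."""
    props, dups = parse_properties(text)
    findings = [f"duplicate key (last value wins): {k}" for k in dups]
    for k in ("druid.auth.authenticatorChain", "druid.auth.authorizers"):
        if re.search(r"[“”]", props.get(k, "")):
            findings.append(f"{k}: curly quotes; the list is parsed as JSON, use ASCII quotes")
    for k in ("druid.escalator.internalClientUsername",
              "druid.escalator.internalClientPassword"):
        if not props.get(k):
            findings.append(f"{k} is empty; internal service calls cannot authenticate")
    esc = props.get("druid.escalator.authorizerName")
    authorizers = re.findall(r"[\w-]+", props.get("druid.auth.authorizers", ""))
    if esc and esc not in authorizers:
        findings.append(f"escalator authorizerName {esc!r} is not in druid.auth.authorizers")
    return findings
```

Run check_auth_config on the real file's contents; an empty list means none of these four problems is present, which narrows the 401 down to the LDAP side (bind user, userSearch, or the admin user's group membership).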

Hi,
Use the admin user mentioned in this property to create the role.

druid.auth.authorizer.ldapauth.initialAdminUser=<ldap_user_id>

Can you confirm that everything works if you try to log in as the admin user?

Hi Tijo,

No, accessing the endpoints using the specified admin user gives an unauthorized error.

But the LDAP id is part of the LDAP group specified inside userSearch, and the same LDAP id is able to access other applications with LDAP auth enabled.

Note: We use the LDAP URL without encryption (i.e., ldap on port 389, not ldaps on port 636).

Thanks

Soumya

I fear there is some other configuration issue. Ideally the admin role will have complete access, and the user set as initial admin user has full access.
Do you mind creating a new setup and applying the configs?

Thanks