Resolving LDAP connection issues involves ensuring that the LDAP server is running and that the connection information is correct. The LDAP server connection information is configured in the cluster's topology file (for example: $gateway_home/deployments/sandbox.xml).
Using the information provided in the configuration file, perform the following steps from the Knox Gateway:
Telnet to the LDAP server using the port specified in the configuration file. For example, for the sandbox the LDAP URL property is:

    <param>
        <name>main.ldapRealm.contextFactory.url</name>
        <value>ldap://localhost:33389</value>
    </param>
Based on the parameters above, run the following telnet command to test the connection:

    telnet localhost 33389
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
If telnet to the port is working, use an LDAP utility from the Knox Gateway, such as ldapsearch; you will have to install the openldap-clients package. The Knox Gateway performs an anonymous bind to the UserDN to validate the user's credentials. The UserDN is constructed from the UserDN template parameter of the LDAP provider.
For example, for the HDP Sandbox the UserDN template parameter is defined as follows:

    <param>
        <name>main.ldapRealm.userDnTemplate</name>
        <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
    </param>
Therefore the command to use LDAP search is as follows:

    ldapsearch -h localhost -p 33389 -D "uid=guest,ou=people,dc=hadoop,dc=apache,dc=org" -w "guest-password" -b "uid=guest,ou=people,dc=hadoop,dc=apache,dc=org"
    # extended LDIF
    #
    # LDAPv3
    # base <uid=guest,ou=people,dc=hadoop,dc=apache,dc=org> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # guest, people, hadoop.apache.org
    dn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
    objectclass: organizationalPerson
    objectclass: person
    objectclass: inetOrgPerson
    objectclass: top
    uid: guest
    cn: Guest
    sn: User
    userpassword:: Z3Vlc3QtcGFzc3dvcmQ=

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1
If the LDAP provider is unreachable, an error message similar to the following may occur:

    ldapsearch -h localhost -p 33389 -D "uid=guest,ou=people,dc=hadoop,dc=apache,dc=org" -w "guest-password" -b "uid=guest,ou=people,dc=hadoop,dc=apache,dc=org"
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
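As an added example (not code from the Knox project or from this guide), the following Python script automates the checks above: it reads the two LDAP parameters from a topology file, expands the userDnTemplate for a login name the way Knox does, performs the same TCP reachability test as the telnet step, and assembles the matching ldapsearch invocation. The topology snippet is a constructed sample and the helper names are my own.

```python
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of the ShiroProvider section of a Knox topology file.
SAMPLE_TOPOLOGY = """<topology><gateway><provider>
  <role>authentication</role><name>ShiroProvider</name><enabled>true</enabled>
  <param><name>main.ldapRealm.userDnTemplate</name>
         <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value></param>
  <param><name>main.ldapRealm.contextFactory.url</name>
         <value>ldap://localhost:33389</value></param>
</provider></gateway></topology>"""

def read_ldap_params(topology_xml):
    """Return {name: value} for every <param> element in the topology."""
    root = ET.fromstring(topology_xml)
    return {p.findtext("name"): p.findtext("value") for p in root.iter("param")}

def build_user_dn(template, username):
    """Expand the userDnTemplate as Knox does: {0} is the login name."""
    return template.replace("{0}", username)

def ldap_endpoint(url):
    """Split an ldap:// or ldaps:// URL into (host, port), defaulting the port."""
    parsed = urlparse(url)
    default_port = 636 if parsed.scheme == "ldaps" else 389
    return parsed.hostname, parsed.port or default_port

def tcp_reachable(host, port, timeout=3.0):
    """Equivalent of the telnet step: can a TCP connection be opened at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def ldapsearch_command(params, username):
    """Assemble the ldapsearch bind test from the topology's own parameters.
    -W prompts for the password so it does not appear in the process list."""
    host, port = ldap_endpoint(params["main.ldapRealm.contextFactory.url"])
    dn = build_user_dn(params["main.ldapRealm.userDnTemplate"], username)
    return ["ldapsearch", "-h", host, "-p", str(port), "-D", dn, "-W", "-b", dn]

if __name__ == "__main__":
    params = read_ldap_params(SAMPLE_TOPOLOGY)
    host, port = ldap_endpoint(params["main.ldapRealm.contextFactory.url"])
    print("TCP reachable:", tcp_reachable(host, port))
    print(" ".join(ldapsearch_command(params, "guest")))
```

To run it against a real deployment, replace SAMPLE_TOPOLOGY with the contents of the topology file under $gateway_home/deployments.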