3.3. LDAP Basic Troubleshooting

Resolving LDAP connection issues involves ensuring that the LDAP server is running and that the connection information is correct. The LDAP server connection information is configured in the cluster’s topology file (for example: $gateway_home/deployments/sandbox.xml).

Using the information provided in the configuration file perform the following steps from the Knox Gateway:

  1. Telnet to the LDAP server using the port specified in the configuration file. For example, for the sandbox the LDAP URL property is:

    <param>
       <name>main.ldapRealm.contextFactory.url</name>
       <value>ldap://localhost:33389</value>
    </param>

    Based on the parameters above, run the following telnet command to test the connection:

    telnet localhost 33389
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
  2. If telnet to the port is working, use an LDAP utility from the Knox Gateway, such as ldapsearch (you will have to install the openldap-clients package). The Knox Gateway performs an anonymous bind to the UserDN to validate the user's credentials. The UserDN is constructed from the UserDN template parameter of the LDAP provider.

    For example, for the HDP Sandbox the UserDN template parameter is defined as follows:

    <param>
        <name>main.ldapRealm.userDnTemplate</name>
        <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
    </param>

    Therefore the ldapsearch command for this user is as follows:

    ldapsearch -h localhost -p 33389 -D "uid=guest,ou=people,dc=hadoop,dc=apache,dc=org" -w "guest-password" -b "uid=guest,ou=people,dc=hadoop,dc=apache,dc=org"
    # extended LDIF
    #
    # LDAPv3
    # base <uid=guest,ou=people,dc=hadoop,dc=apache,dc=org> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
    
    # guest, people, hadoop.apache.org
    dn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
    objectclass: organizationalPerson
    objectclass: person
    objectclass: inetOrgPerson
    objectclass: top
    uid: guest
    cn: Guest
    sn: User
    userpassword:: Z3Vlc3QtcGFzc3dvcmQ=
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1

    If the LDAP provider is unreachable, an error message similar to the following may occur:

    ldapsearch -h localhost -p 33389 -D "uid=guest,ou=people,dc=hadoop,dc=apache,dc=org" -w "guest-password" -b "uid=guest,ou=people,dc=hadoop,dc=apache,dc=org"
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
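
The two checks above can be scripted so that the host, port and UserDN are taken from the topology file rather than retyped by hand. The following Python script is an added example and is not part of the Knox project or this page; it uses only the standard library. It reads the same two parameters the steps above use (main.ldapRealm.contextFactory.url and main.ldapRealm.userDnTemplate), performs the TCP connect that telnet performs, fills the {0} placeholder of the UserDN template, and prints the ldapsearch command for step 2. The topology fragment embedded in the script is a constructed sample that repeats the sandbox values shown above; on a real gateway you would read $gateway_home/deployments/<topology>.xml instead. The generated command uses -H with the full URL (the modern replacement for -h/-p) and -W so that ldapsearch prompts for the password instead of taking it on the command line, where it would be recorded in shell history and visible to other users in the process list.

```python
"""Scripted version of the Knox LDAP checks: read the topology file, extract
the LDAP URL and the UserDN template, test the TCP port, and print a
ready-made ldapsearch command for the bind/search step."""
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed topology fragment with the sandbox values; a real file lives at
# $gateway_home/deployments/<topology>.xml and carries many more parameters.
SAMPLE_TOPOLOGY = """<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param>
        <name>main.ldapRealm.contextFactory.url</name>
        <value>ldap://localhost:33389</value>
      </param>
      <param>
        <name>main.ldapRealm.userDnTemplate</name>
        <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
      </param>
    </provider>
  </gateway>
</topology>"""

URL_PARAM = "main.ldapRealm.contextFactory.url"
DN_TEMPLATE_PARAM = "main.ldapRealm.userDnTemplate"


def topology_params(xml_text):
    """Return {name: value} for every <param> element in the topology document."""
    root = ET.fromstring(xml_text)
    params = {}
    for param in root.iter("param"):
        name = param.findtext("name")
        value = param.findtext("value")
        if name is not None and value is not None:
            params[name.strip()] = value.strip()
    return params


def ldap_endpoint(url):
    """Split an ldap:// or ldaps:// URL into (host, port); the port defaults
    to 389 for ldap and 636 for ldaps when the URL does not carry one."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported LDAP URL scheme: %r" % parts.scheme)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.hostname, port


def user_dn(template, username):
    """Fill the {0} placeholder of the UserDN template the way Knox does at
    bind time. The username is inserted verbatim, so only use plain usernames
    here; characters that are special in a DN (',', '+', '=', etc.) would
    need RFC 4514 escaping."""
    if "{0}" not in template:
        raise ValueError("UserDN template has no {0} placeholder: %r" % template)
    return template.replace("{0}", username)


def tcp_reachable(host, port, timeout=3.0):
    """Equivalent of the telnet step: True if a TCP connection can be opened."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ldapsearch_command(url, dn):
    """Build the ldapsearch invocation from step 2 as an argument list.
    -W prompts for the bind password instead of placing it on the command line."""
    return ["ldapsearch", "-H", url, "-D", dn, "-W", "-b", dn]


if __name__ == "__main__":
    # With a real gateway, replace SAMPLE_TOPOLOGY with the contents of the
    # deployed topology file and "guest" with the account under test.
    params = topology_params(SAMPLE_TOPOLOGY)
    url = params[URL_PARAM]
    host, port = ldap_endpoint(url)
    dn = user_dn(params[DN_TEMPLATE_PARAM], "guest")
    print("LDAP URL      :", url)
    if tcp_reachable(host, port):
        print("TCP check     : connected to %s:%d" % (host, port))
    else:
        print("TCP check     : cannot connect to %s:%d (is the LDAP server running?)" % (host, port))
    print("Bind/search DN:", dn)
    print("Next step     :", " ".join(ldapsearch_command(url, dn)))
```

Run the script on the gateway host; if the TCP check fails you are in the "Can't contact LDAP server (-1)" situation shown above and the ldapsearch step will not succeed until the server is reachable. If the TCP check passes but ldapsearch reports an authentication error, the URL is fine and the problem is the UserDN template or the credentials.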
