LDAP auth problem

1

Hi,

I have a problem with Dremio and LDAP server.
Below you can see the configurations of Dremio, LDAP and a query on LDAP for retrive all the active users.

dremio.conf

#
# Copyright (C) 2017 Dremio Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

master: {
  # the name of the master server. If this node matches the name, it starts the master service
  name: ip-10-0-10-211.eu-west-1.compute.internal,
  # name: localhost,
  port: 45678
}

services: {
  executor.enabled: false,
  coordinator.enabled: true,
  coordinator.web.auth.type: "ldap",
  coordinator.web.auth.ldap_config: "ad.json",
  coordinator.embedded_master_zk.enabled:false
}

paths: {
  # the local path for dremio to store data.
  local: "/var/lib/dremio"

  # the distributed path Dremio data including job results, downloads, uploads, etc
  dist: "hdfs://ip-10-0-10-211.eu-west-1.compute.internal:8020/data/dremio/pdfs"
}

zookeeper: "ip-10-0-10-211.eu-west-1.compute.internal:2181"
provisioning.yarn.jvmoptions: "-Dpaths.spilling=["/var/lib/dremio/spill"]"

LDAP ad.json

{
    "connectionMode": "PLAIN",
    "servers": [
        {
            "hostname": "ip-10-0-10-211.eu-west-1.compute.internal",
            "port": 389
        }
    ],
    "names": {
        "bindDN": "uid=dremiouser,ou=People,dc=customer,dc=cluster,dc=com",
        "bindPassword": "",
        "baseDN": "ou=People,dc=customer,dc=cluster,dc=com",
        "userFilter": "&(objectClass=user)(|(memberOf=CN=dremiouser,OU=People,DC=customer,DC=cluster,DC=com)(memberOf=CN=dremiouser,OU=Groups,DC=customer,DC=cluster,DC=com))",
        "userDNs": ["cn={0},dc=customer,dc=cluster,dc=com"],
        "userAttributes": { "firstname": "dremiouser", "lastname": "dremiouser", "email": "dremiouser" },
        "groupMembership": "dremiouser",
        "groupRecursive": "dremiouser",
        "groupDN": "cn={0},OU=Groups,DC=customer,DC=cluster,DC=com",
        "groupFilter": "(objectClass=group)",
        "autoAdminFirstUser": false
    }
}

ldap query

# extended LDIF
#
# LDAPv3
# base <dc=customer,dc=cluster,dc=com> with scope subtree
# filter: objectclass=*
# requesting: ALL
#

# customer.cluster.com
dn: dc=customer,dc=cluster,dc=com
dc: customer
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: customer.cluster.com

# Hosts, customer.cluster.com
dn: ou=Hosts,dc=customer,dc=cluster,dc=com
ou: Hosts
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: customer.cluster.com

# Rpc, customer.cluster.com
dn: ou=Rpc,dc=customer,dc=cluster,dc=com
ou: Rpc
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: customer.cluster.com

# Services, customer.cluster.com
dn: ou=Services,dc=customer,dc=cluster,dc=com
ou: Services
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: customer.cluster.com

# netgroup.byuser, customer.cluster.com
dn: nisMapName=netgroup.byuser,dc=customer,dc=cluster,dc=com
nisMapName: netgroup.byuser
objectClass: top
objectClass: nisMap
objectClass: domainRelatedObject
associatedDomain: customer.cluster.com

# Mounts, customer.cluster.com
dn: ou=Mounts,dc=customer,dc=cluster,dc=com
ou: Mounts
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: customer.cluster.com

# Networks, customer.cluster.com
dn: ou=Networks,dc=customer,dc=cluster,dc=com
ou: Networks
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: customer.cluster.com

# People, customer.cluster.com
dn: ou=People,dc=customer,dc=cluster,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: customer.cluster.com

# Group, customer.cluster.com
dn: ou=Group,dc=customer,dc=cluster,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: customer.cluster.com

# Netgroup, customer.cluster.com
dn: ou=Netgroup,dc=customer,dc=cluster,dc=com
ou: Netgroup
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: customer.cluster.com

# Protocols, customer.cluster.com
dn: ou=Protocols,dc=customer,dc=cluster,dc=com
ou: Protocols
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: customer.cluster.com

# Aliases, customer.cluster.com
dn: ou=Aliases,dc=customer,dc=cluster,dc=com
ou: Aliases
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: customer.cluster.com

# netgroup.byhost, customer.cluster.com
dn: nisMapName=netgroup.byhost,dc=customer,dc=cluster,dc=com
nisMapName: netgroup.byhost
objectClass: top
objectClass: nisMap
objectClass: domainRelatedObject
associatedDomain: customer.cluster.com

# customerUser1, People, customer.cluster.com
dn: uid=customerUser1,ou=People,dc=customer,dc=cluster,dc=com
uid: customerUser1
cn: customerUser1
sn: customerUser1
mail: customerUser1@customer.cluster.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:
shadowLastChange: 17506
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1008
gidNumber: 1008
homeDirectory: /home/ldap/user1

# customerUser1, Group, customer.cluster.com
dn: cn=customerUser1,ou=Group,dc=customer,dc=cluster,dc=com
objectClass: posixGroup
objectClass: top
cn: customerUser1
userPassword:: 
gidNumber: 1008
memberUid: customerUser1

# usercustomer, People, customer.cluster.com
dn: uid=usercustomer,ou=People,dc=customer,dc=cluster,dc=com
uid: usercustomer
cn: usercustomer
sn: usercustomer
mail: usercustomer@customer.cluster.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 17506
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
uidNumber: 1009
gidNumber: 1009
loginShell: /bin/bash
homeDirectory: /home/ldap/user1
userPassword::

# user1, People, customer.cluster.com
dn: uid=user1,ou=People,dc=customer,dc=cluster,dc=com
uid: user1
cn: user1
sn: user1
mail: user1@customer.cluster.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword::
shadowLastChange: 17506
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1008
gidNumber: 1008
homeDirectory: /home/ldap/user1

# Groups, customer.cluster.com
dn: ou=Groups,dc=customer,dc=cluster,dc=com
ou: Groups
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: customer.cluster.com

# user1, Groups, customer.cluster.com
dn: cn=user1,ou=Groups,dc=customer,dc=cluster,dc=com
objectClass: posixGroup
objectClass: top
cn: user1
userPassword::
gidNumber: 1008
memberUid: user1

# dremiouser, People, customer.cluster.com
dn: uid=dremiouser,ou=People,dc=customer,dc=cluster,dc=com
uid: dremiouser
cn: dremiouser
sn: dremiouser
mail: dremiouser@customer.cluster.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword::
shadowLastChange: 17569
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1015
gidNumber: 1015
homeDirectory: /home/ldap/dremiouser

# search result
search: 2
result: 0 Success

# numResponses: 21
# numEntries: 20

Inside the Dremio log, it seems, that connect itself correctly with LDAP.

2018-02-09 11:14:52,798 [main] INFO c.d.extusr.ldap.LdapUserProvider - Binding with LDAP/AD user/group service is successful.

But the login fail always.

2

LDAP integration is available with Dremio Enterprise Edition: https://www.dremio.com/enterprise-edition/

Let us know if this is something you would like to evaluate by completing the form on that page.

3

I’m using Dremio Enterprise Edition.

4

@matteobovetti looks like a configuration problem. Since we’re already tracking this on the Support Portal, we’ll be following up there.

5

Do you have create a file called bootstrap-admin-users.json under the Dremio configuration directory and add users and groups property information.

For example:

    {
    users: ["joe", "bob"],
    groups: ["marketers", "sales wizards"]
    }
6

Hi @alex.shi

The bootstrap file as the name suggests is only when Dremio starts the first time after a fresh build. Once that is done and you need to add more admins, you just have to do it via the UI-admin console. Click on administrators and enter a username to promote as an admin

7

Excuse me, is there any way to add all LDAP users to the dremio user system at one time? At present, I can only add them by name one by one,too tired! :sweat_smile:@ balaji.ramaswamy

8

@alex.shi Non admin users, you do not have to add as they come straight from LDAP. If you want to promote a bunch of users as admins then you can create a LDAP group and add users to that LDAP group and promote the LDAP group as an admin

9

thank you for your answer ! i get it.