[AMBARI-24827] LDAP users fail to authenticate using LDAPS due to 'No subject alternative DNS name' exception (#2522)

diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
index 2f1c0dc..deabb2a 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
@@ -52,7 +52,8 @@
  * Provides LDAP user authorization logic for Ambari Server
  */
 public class AmbariLdapAuthenticationProvider extends AmbariAuthenticationProvider {
-  static Logger LOG = LoggerFactory.getLogger(AmbariLdapAuthenticationProvider.class); // exposed and mutable for "test"
+  private static final String SYSTEM_PROPERTY_DISABLE_ENDPOINT_IDENTIFICATION = "com.sun.jndi.ldap.object.disableEndpointIdentification";
+  private static Logger LOG = LoggerFactory.getLogger(AmbariLdapAuthenticationProvider.class);
 
   final AmbariLdapConfigurationProvider ldapConfigurationProvider;
 
@@ -171,6 +172,14 @@
         springSecurityContextSource.setPassword(ldapServerProperties.get().getManagerPassword());
       }
 
+      if (ldapServerProperties.get().isUseSsl() && ldapServerProperties.get().isDisableEndpointIdentification()) {
+        System.setProperty(SYSTEM_PROPERTY_DISABLE_ENDPOINT_IDENTIFICATION, "true");
+        LOG.info("Disabled endpoint identification");
+      } else {
+        System.clearProperty(SYSTEM_PROPERTY_DISABLE_ENDPOINT_IDENTIFICATION);
+        LOG.info("Removed endpoint identification disabling");
+      }
+
       try {
         springSecurityContextSource.afterPropertiesSet();
       } catch (Exception e) {
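Review bot: The block added before `afterPropertiesSet()` toggles a JVM-wide system property, so the setting is not scoped to this context source: when enabled it turns off LDAPS hostname verification for every JNDI LDAP connection in the process, and the `else` branch's `System.clearProperty(...)` also erases a value an operator may have passed with `-D` at startup. Consider clearing the property only when this code set it, and log the weakened state at warning level, e.g. `LOG.warn("LDAPS endpoint identification (hostname verification) is disabled; server certificates are not checked against the LDAP host name");`. It is also worth confirming that the JDK reads this property per connection rather than once at class initialisation, since otherwise toggling it here may have no effect after the first LDAP connection. The enclosing method starts and ends outside the hunk.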
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog270.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog270.java
index f6270be..10b5508 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog270.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog270.java
@@ -1764,6 +1764,9 @@
     map.put(AmbariServerConfigurationKey.PAGINATION_ENABLED, "authentication.ldap.pagination.enabled");
     map.put(AmbariServerConfigurationKey.COLLISION_BEHAVIOR, "ldap.sync.username.collision.behavior");
 
+    // Added in the event a previous version of Ambari had AMBARI-24827 back-ported to it
+    map.put(AmbariServerConfigurationKey.DISABLE_ENDPOINT_IDENTIFICATION, "ldap.sync.disable.endpoint.identification");
+
     // SSO-related properties
     map.put(AmbariServerConfigurationKey.SSO_PROVIDER_URL, "authentication.jwt.providerUrl");
     map.put(AmbariServerConfigurationKey.SSO_PROVIDER_CERTIFICATE, "authentication.jwt.publicKey");
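Review bot: The comment on the new `DISABLE_ENDPOINT_IDENTIFICATION` mapping explains why the legacy key exists but not what carrying it forward means for the upgraded cluster. If a back-ported install had it set to true, the upgrade presumably preserves a configuration in which LDAPS hostname verification stays off. I would extend the comment to say so, e.g. `// Legacy key from a back-port of AMBARI-24827; a migrated "true" keeps LDAPS hostname verification disabled and should be reviewed after upgrade`. The enclosing method starts and ends outside the hunk.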