[AMBARI-24827] LDAP users fail to authenticate using LDAPS due to 'No subject alternative DNS name' exception (#2522)
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
index 2f1c0dc..deabb2a 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthenticationProvider.java
@@ -52,7 +52,8 @@
* Provides LDAP user authorization logic for Ambari Server
*/
public class AmbariLdapAuthenticationProvider extends AmbariAuthenticationProvider {
- static Logger LOG = LoggerFactory.getLogger(AmbariLdapAuthenticationProvider.class); // exposed and mutable for "test"
+ private static final String SYSTEM_PROPERTY_DISABLE_ENDPOINT_IDENTIFICATION = "com.sun.jndi.ldap.object.disableEndpointIdentification";
+ private static Logger LOG = LoggerFactory.getLogger(AmbariLdapAuthenticationProvider.class);
final AmbariLdapConfigurationProvider ldapConfigurationProvider;
@@ -171,6 +172,14 @@
springSecurityContextSource.setPassword(ldapServerProperties.get().getManagerPassword());
}
+ if (ldapServerProperties.get().isUseSsl() && ldapServerProperties.get().isDisableEndpointIdentification()) {
+ System.setProperty(SYSTEM_PROPERTY_DISABLE_ENDPOINT_IDENTIFICATION, "true");
+ LOG.info("Disabled endpoint identification");
+ } else {
+ System.clearProperty(SYSTEM_PROPERTY_DISABLE_ENDPOINT_IDENTIFICATION);
+ LOG.info("Removed endpoint identification disabling");
+ }
+
try {
springSecurityContextSource.afterPropertiesSet();
} catch (Exception e) {
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog270.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog270.java
index f6270be..10b5508 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog270.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog270.java
@@ -1764,6 +1764,9 @@
map.put(AmbariServerConfigurationKey.PAGINATION_ENABLED, "authentication.ldap.pagination.enabled");
map.put(AmbariServerConfigurationKey.COLLISION_BEHAVIOR, "ldap.sync.username.collision.behavior");
+ // Added in the event a previous version of Ambari had AMBARI-24827 back-ported to it
+ map.put(AmbariServerConfigurationKey.DISABLE_ENDPOINT_IDENTIFICATION, "ldap.sync.disable.endpoint.identification");
+
// SSO-related properties
map.put(AmbariServerConfigurationKey.SSO_PROVIDER_URL, "authentication.jwt.providerUrl");
map.put(AmbariServerConfigurationKey.SSO_PROVIDER_CERTIFICATE, "authentication.jwt.publicKey");