apache / druid

Apache Druid: a high performance real-time analytics database.
https://druid.apache.org/
Apache License 2.0
13.42k stars 3.69k forks

Druid should log LDAP errors #11469

Closed didip closed 9 months ago

didip commented 3 years ago

Description

It is very difficult to debug LDAP errors because there's minimal logging. For example:

2021-07-20T15:31:16,522 ERROR [qtp879829980-142] org.apache.druid.security.basic.authentication.validator.LDAPCredentialsValidator - Exception during user lookup
javax.naming.InvalidNameException: [LDAP: error code 34 - Invalid DN]
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3202) ~[?:1.8.0_292]
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2993) ~[?:1.8.0_292]

It is very hard to figure out which part of the DN is bad.

It would be much better if Druid logged more LDAP errors.

ericleme commented 2 years ago

Did you manage to fix this issue? I'm facing the same LDAP: error code 34 - Invalid DN; however, I couldn't find what is wrong in the configuration. The basedn, as well as the users, are reachable from ldapsearch.

druid.auth.authenticatorChain=["ldap"]

druid.auth.basic.ssl.trustStorePath=/usr/local/druid-path/certs/truststore.jks
druid.auth.basic.ssl.protocol=tls
druid.auth.basic.ssl.trustStorePassword=xxxxxx

druid.auth.authenticator.ldap.type=basic
druid.auth.authenticator.ldap.enableCacheNotifications=true
druid.auth.authenticator.ldap.credentialsValidator.type=ldap
druid.auth.authenticator.ldap.credentialsValidator.url=ldaps://ldapurl.domain:636
druid.auth.authenticator.ldap.credentialsValidator.bindUser=xxxxx
druid.auth.authenticator.ldap.credentialsValidator.bindPassword=xxxxxxxxxx
druid.auth.authenticator.ldap.credentialsValidator.baseDn=dc=xxxx,dc=xxxxxx,dc=xxxxx
druid.auth.authenticator.ldap.credentialsValidator.userSearch=(cn=%s)
druid.auth.authenticator.ldap.credentialsValidator.userAttribute=cn
druid.auth.authenticator.ldap.authorizerName=ldapauth

druid.escalator.type=basic
druid.escalator.internalClientUsername=xxxxx
druid.escalator.internalClientPassword=xxxxxxxx
druid.escalator.authorizerName=ldapauth

druid.auth.authorizers=["ldapauth"]
druid.auth.authorizer.ldapauth.type=basic
druid.auth.authorizer.ldapauth.initialAdminUser=xxxx
druid.auth.authorizer.ldapauth.initialAdminRole=admin
druid.auth.authorizer.ldapauth.roleProvider.type=ldap
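An added example, not part of the thread and not Druid's own code: a stand-alone Java check that parses the DN-valued settings of a configuration like the one above with the JDK's `LdapName` parser and prints the detail fields a JNDI `NamingException` carries. The class name, the choice of `bindUser` and `baseDn` as the DN-valued keys, and the sample values are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;
import javax.naming.InvalidNameException;
import javax.naming.NamingException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class DnConfigCheck {
    // Property prefix as it appears in the configuration posted in the thread.
    static final String PREFIX = "druid.auth.authenticator.ldap.credentialsValidator.";
    // Assumption: these are the settings whose values are interpreted as DNs.
    static final String[] DN_KEYS = {"bindUser", "baseDn"};

    // Collects the fields a NamingException carries beyond its message.
    static String describe(NamingException e) {
        return e.getClass().getSimpleName()
            + " explanation=" + e.getExplanation()
            + " resolvedName=" + e.getResolvedName()
            + " remainingName=" + e.getRemainingName()
            + " rootCause=" + e.getRootCause();
    }

    // Parses one value as an RFC 2253 DN; lists its RDNs (rightmost first) or the failure.
    static String check(String key, String value) {
        if (value == null) return key + ": MISSING";
        try {
            StringBuilder sb = new StringBuilder(key + ": OK");
            for (Rdn rdn : new LdapName(value).getRdns()) {
                sb.append(" [").append(rdn.getType()).append('=').append(rdn.getValue()).append(']');
            }
            return sb.toString();
        } catch (InvalidNameException e) {
            return key + ": INVALID value=\"" + value + "\" " + describe(e);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values, not taken from the thread.
        String sample = PREFIX + "bindUser=svc-druid\n"
                      + PREFIX + "baseDn=dc=example,dc=org\n";
        Properties props = new Properties();
        props.load(new StringReader(sample));
        for (String key : DN_KEYS) {
            System.out.println(check(key, props.getProperty(PREFIX + key)));
        }
    }
}
```

This catches only DNs that are syntactically invalid on the client side; a directory server can still return error code 34 for a value that parses here.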

github-actions[bot] commented 10 months ago

This issue has been marked as stale due to 280 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the dev@druid.apache.org list. Thank you for your contributions.

github-actions[bot] commented 9 months ago

This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.