open-metadata / OpenMetadata

OpenMetadata is a unified metadata platform for data discovery, data observability, and data governance powered by a central metadata repository, in-depth column level lineage, and seamless team collaboration.
https://open-metadata.org
Apache License 2.0

OpenMetadata connect to LDAP SSL error #15898

Closed thesal84 closed 7 months ago

thesal84 commented 7 months ago

We are trying to establish a connection from OpenMetadata to an LDAP server via SSL. It fails with the message:

SSLHandshakeException(Received fatal alert: handshake_failure)
Caused by: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server LDAPServerFQDN/LDAPServerIP:636:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server LDAPServerFQDN/LDAPServerIP:636:  SSLHandshakeException(Received fatal alert: handshake_failure), ldapSDKVersion=6.0.11, revision=8b21d0a4c6eb8b5c3e60a96fc3e9e13b9c2f650f'))')
Caused by: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server LDAPServerFQDN/LDAPServerIP:636:  SSLHandshakeException(Received fatal alert: handshake_failure), LDAPSDKVersion=6.0.11, revision=8b21d0a4c6eb8b5c3e60a96fc3e9e13b9c2f650f')

A connection to the LDAP server can be established successfully via SSL with the OpenSSL client:

openssl s_client -showcerts -connect LDAPServerFQDN:636

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384

Using ldapsearch on the OpenMetadata server, data could be queried from the LDAP server. Other applications can already access the LDAP server successfully (via SSL).

OpenMetadata has been configured to be accessible via SSL. For LDAP, the options JVMDefault, HostName and TrustAll were tried for AUTHENTICATION_LDAP_TRUSTSTORE_TYPE.

We use nginx as a proxy for OpenMetadata. We also tried it without nginx.

Attached is a configuration excerpt:

server:
  rootPath: '/api/*'
  applicationConnectors:
    - type: https
      port: ${SERVER_PORT:-8585}
      keyStorePath: /my/path/to/keyStore
      keyStorePassword: password
      keyStoreType: JKS
  #    keyStoreProvider:
      trustStorePath: /my/path/to/trustStorePath
      trustStorePassword: password
      trustStoreType: JKS
  #    trustStoreProvider:
  #    keyManagerPassword: password
  #    needClientAuth: false
  #    wantClientAuth:
  #    certAlias: <alias>
  #    crlPath: /path/to/file
  #    enableCRLDP: false
  #    enableOCSP: false
  #    maxCertPathLength: (unlimited)
  #    ocspResponderUrl: (none)
  #    jceProvider: (none)
  #    validateCerts: true
  #    validatePeers: true
      supportedProtocols: [TLSv1.2, TLSv1.3]
      excludedProtocols: [SSL, SSLv2, SSLv2Hello, SSLv3]
  #    supportedCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  #    allowRenegotiation: true
  #    endpointIdentificationAlgorithm: (none)

  adminConnectors:
    - type: https
      port: ${SERVER_PORT:-8586}
      keyStorePath: /my/path/to/keyStore
      keyStorePassword: password
      keyStoreType: JKS
  #    keyStoreProvider:
      trustStorePath: /my/path/to/trustStorePath
      trustStorePassword: password
      trustStoreType: JKS
  #    trustStoreProvider:
  #    keyManagerPassword: password
  #    needClientAuth: false
  #    wantClientAuth:
  #    certAlias: <alias>
  #    crlPath: /path/to/file
  #    enableCRLDP: false
  #    enableOCSP: false
  #    maxCertPathLength: (unlimited)
  #    ocspResponderUrl: (none)
  #    jceProvider: (none)
  #    validateCerts: true
  #    validatePeers: true
      supportedProtocols: [TLSv1.2, TLSv1.3]
      excludedProtocols: [SSL, SSLv2, SSLv2Hello, SSLv3]
  #    supportedCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  #    allowRenegotiation: true
  #    endpointIdentificationAlgorithm: (none)
authenticationConfiguration:
  provider: ${AUTHENTICATION_PROVIDER:-LDAP}
  enableSelfSignup : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-false}
  LDAPConfiguration:
    host: ${AUTHENTICATION_LDAP_HOST:-ldapserverfqdn}
    port: ${AUTHENTICATION_LDAP_PORT:-636}
    dnAdminPrincipal: ${AUTHENTICATION_LOOKUP_ADMIN_DN:-"uid=user,dc=domain,dc=domain,dc=org"}
    dnAdminPassword: ${AUTHENTICATION_LOOKUP_ADMIN_PWD:-"password"}
    userBaseDN: ${AUTHENTICATION_USER_LOOKUP_BASEDN:-"ou=people,dc=domain,dc=domain,dc=org"}
    groupBaseDN: ${AUTHENTICATION_GROUP_LOOKUP_BASEDN:-""}
    roleAdminName: ${AUTHENTICATION_USER_ROLE_ADMIN_NAME:-}
    allAttributeName: ${AUTHENTICATION_USER_ALL_ATTR:-}
    mailAttributeName: ${AUTHENTICATION_USER_MAIL_ATTR:-mail}
    usernameAttributeName: ${AUTHENTICATION_USER_NAME_ATTR:-}
    groupAttributeName: ${AUTHENTICATION_USER_GROUP_ATTR:-}
    groupAttributeValue: ${AUTHENTICATION_USER_GROUP_ATTR_VALUE:-}
    groupMemberAttributeName: ${AUTHENTICATION_USER_GROUP_MEMBER_ATTR:-}
    #the mapping of roles to LDAP groups
    authRolesMapping: ${AUTH_ROLES_MAPPING:-""}
    authReassignRoles: ${AUTH_REASSIGN_ROLES:-[]}
    #optional
    maxPoolSize: ${AUTHENTICATION_LDAP_POOL_SIZE:-3}
    sslEnabled: ${AUTHENTICATION_LDAP_SSL_ENABLED:-true}
    truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-CustomTrustStore}
    trustStoreConfig:
      customTrustManagerConfig:
        # trustStoreFilePath: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-}
        # trustStoreFilePassword: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-}
        # trustStoreFileFormat: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-}
        trustStoreFilePath: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-/my/path/to/trustStorePath}
        trustStoreFilePassword: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-password}
        trustStoreFileFormat: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-}
        # trustStorePath: /my/path/to/trustStorePath
      # trustStorePassword: password
      # trustStoreType: JKS
        # verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-}
        # examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-}
        verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-false}
        examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-false}
      hostNameConfig:
        allowWildCards: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-}
        acceptableHostNames: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[]}
      jvmDefaultConfig:
        verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-}
      trustAllConfig:
        examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}

Version:
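One diagnostic detail worth separating out of the trace above: "Received fatal alert: handshake_failure" means the LDAP server sent the alert in response to the client's ClientHello. A certificate-trust problem on the Java side looks different (the client raises its own PKIX/"unable to find valid certification path" error), which is also why switching the truststore type to TrustAll cannot change this outcome. The openssl s_client output shows the server choosing AES256-GCM-SHA384, which is RSA key exchange (TLS_RSA_WITH_AES_256_GCM_SHA384 in Java's naming), so a client whose enabled suite list does not include that family, or a server that lacks a suite the client offers, is the first thing to rule out. The script below is an added example written for this page, not OpenMetadata or UnboundID code; it uses only the Python standard library and reproduces the handshake with three client profiles (OpenSSL defaults, forward-secret suites only, RSA key exchange only) against the host, port and CA bundle given on the command line, then classifies each failure as a negotiation problem, a trust problem or a network problem. The profile names, cipher strings and verdict texts are this example's own choices.

```python
"""LDAPS handshake probe: tells "the server rejected my ClientHello" apart from
"my client rejected the server's certificate".

Added example, not OpenMetadata code. Standard library only. Host, port and CA
bundle come from argv; cipher strings are OpenSSL names, as printed by
openssl s_client (AES256-GCM-SHA384 == TLS_RSA_WITH_AES_256_GCM_SHA384 in Java).
"""
import socket
import ssl
import sys

# Client profiles (constructed for this example). Each mimics a class of Java client:
#   default      - whatever this OpenSSL build enables
#   pfs_only     - only forward-secret ECDHE/DHE suites, like a hardened JVM
#   rsa_kx_only  - only RSA key exchange, the family the server picked in the issue
PROFILES = {
    "default": None,
    "pfs_only": "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM",
    "rsa_kx_only": "AES256-GCM-SHA384:AES128-GCM-SHA256",
}

# Substrings of OpenSSL error reasons that mean the two sides could not agree
# on protocol/cipher (or the server wanted a client certificate): no truststore
# setting on the client changes these.
NEGOTIATION_MARKERS = (
    "HANDSHAKE_FAILURE",      # peer sent alert 40
    "PROTOCOL_VERSION",       # peer sent alert 70
    "NO_PROTOCOLS_AVAILABLE",
    "NO_CIPHERS_AVAILABLE",
    "UNSUPPORTED_PROTOCOL",
    "WRONG_VERSION_NUMBER",   # usually plaintext LDAP on 636 or a non-TLS proxy in the path
)


def classify(exc):
    """Name the layer that failed for an exception raised during the handshake."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "trust"          # raised locally after the server's chain arrived
    if isinstance(exc, ssl.SSLError):
        text = f"{getattr(exc, 'reason', None) or ''} {exc}".upper()
        return "negotiation" if any(m in text for m in NEGOTIATION_MARKERS) else "tls"
    if isinstance(exc, OSError):
        return "network"        # refused, timed out, unreachable
    return "unknown"


def probe(host, port, cafile=None, ciphers=None, verify_hostname=True, timeout=5.0):
    """One TLS handshake with the given client profile; returns a result dict."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        if not verify_hostname:
            ctx.check_hostname = False   # chain is still verified, only the name check is skipped
        if ciphers:
            ctx.set_ciphers(ciphers)
            # set_ciphers() does not touch TLS 1.3 suites, so pin to 1.2 when testing a family
            ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _proto, _bits = tls.cipher()
                return {"ok": True, "protocol": tls.version(), "cipher": name}
    except Exception as exc:  # every failure is data here
        return {"ok": False, "layer": classify(exc), "error": str(exc)}


def diagnose(results):
    """Turn the profile matrix into a verdict. Pure function, so it is checkable offline."""
    if all(r["ok"] for r in results.values()):
        return "server accepts every profile: look at the client's truststore/hostname settings"
    layer = {k: v.get("layer") for k, v in results.items() if not v["ok"]}
    if layer.get("default") == "trust":
        return "chain not trusted: fix the CA bundle in the truststore, not the cipher list"
    if results["rsa_kx_only"]["ok"] and not results["pfs_only"]["ok"]:
        return "server only offers RSA key exchange: a client with TLS_RSA_* suites disabled gets handshake_failure"
    if results["pfs_only"]["ok"] and not results["rsa_kx_only"]["ok"]:
        return "server refuses RSA key exchange: a client limited to TLS_RSA_* suites gets handshake_failure"
    if layer.get("default") == "negotiation":
        return "no common protocol/cipher even with defaults: compare both enabled-suite lists"
    return "mixed: " + ", ".join(f"{k}={v}" for k, v in layer.items())


# Constructed sample errors, in the shape Python's ssl module raises, for an offline self-check.
SAMPLE_ERRORS = {
    "trust": ssl.SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed"),
    "negotiation": ssl.SSLError(1, "[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure"),
    "network": ConnectionRefusedError(111, "Connection refused"),
}


def main(argv):
    args = [a for a in argv[1:] if not a.startswith("--")]
    if not args:
        print(f"usage: {argv[0]} HOST [PORT] [CA_BUNDLE.pem] [--no-hostname-check]")
        return 2
    host, port = args[0], int(args[1]) if len(args) > 1 else 636
    cafile = args[2] if len(args) > 2 else None
    verify = "--no-hostname-check" not in argv
    results = {name: probe(host, port, cafile, ciphers, verify) for name, ciphers in PROFILES.items()}
    for name, r in results.items():
        status = f"OK {r['protocol']} {r['cipher']}" if r["ok"] else f"{r['layer']}: {r['error']}"
        print(f"{name:12} {status}")
    print("verdict:", diagnose(results))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the OpenMetadata host as `python3 ldaps_probe.py LDAPServerFQDN 636 /path/to/ca-bundle.pem`, with the same CA bundle that was imported into the JKS truststore. A "trust" result on the default profile points at the truststore contents; a "negotiation" result on every profile, or success only on rsa_kx_only, points at the cipher/protocol lists on one side, which is the case the issue's trace is consistent with.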

harshach commented 7 months ago

Confirm it in https://slack.open-metadata.org before opening a ticket, whether it's actually a bug or user error.