1

We need to authenticate users using LDAP in sparkling-water. We tried configuring this using Sparkling-water 1.6.13 and H2O 3.14.0.2. Below is the configuration:

*ldaploginmodule {
    org.eclipse.jetty.plus.jaas.spi.LdapLoginModule required
    debug="true"
    useLdaps="false"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    hostname="localhost"
    port="389"
    bindDn="CN=admin,OU=Users,DC=company,DC=com"
    bindPassword="password"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="dc=company,dc=com";
};*

Command used:

spark-submit --class water.SparklingWaterDriver --master yarn-client --num-executors 2 --driver-memory 6g --executor-memory 4g --executor-cores 2 --conf 'spark.dynamicAllocation.enabled=false' --conf spark.ext.h2o.log.level=DEBUG --conf spark.ext.h2o.ldap.login=true --conf spark.ext.h2o.login.conf=/home/user/ldap.conf /home/user/sparkling-water-1.6.13/assembly/build/libs/sparkling-water-assembly_2.10-1.6.13-all.jar

But we are facing an issue. Please find the error logs below. We would appreciate any help on this.

ERROR:

java.lang.NullPointerException
        at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.getNextBatch(AbstractLdapNamingEnumeration.java:130)
        at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.nextAux(AbstractLdapNamingEnumeration.java:258)
        at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.nextImpl(AbstractLdapNamingEnumeration.java:249)
        at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.next(AbstractLdapNamingEnumeration.java:203)
        at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.nextElement(AbstractLdapNamingEnumeration.java:106)
        at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.nextElement(AbstractLdapNamingEnumeration.java:40)
        at org.eclipse.jetty.plus.jaas.spi.LdapLoginModule.findUser(LdapLoginModule.java:513)
        at org.eclipse.jetty.plus.jaas.spi.LdapLoginModule.bindingLogin(LdapLoginModule.java:468)
        at org.eclipse.jetty.plus.jaas.spi.LdapLoginModule.login(LdapLoginModule.java:399)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
        at org.eclipse.jetty.plus.jaas.JAASLoginService.login(JAASLoginService.java:217)
        at org.eclipse.jetty.security.authentication.BasicAuthenticator.validateRequest(BasicAuthenticator.java:83)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:456)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
        at org.eclipse.jetty.server.Server.handle(Server.java:349)
        at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:449)
        at org.eclipse.jetty.server.BlockingHttpConnection.handleRequest(BlockingHttpConnection.java:47)
        at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:910)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:634)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:230)
        at org.eclipse.jetty.server.BlockingHttpConnection.handle(BlockingHttpConnection.java:66)
        at org.eclipse.jetty.server.bio.SocketConnector$ConnectorEndPoint.run(SocketConnector.java:254)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:599)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:534)
        at java.lang.Thread.run(Thread.java:745)
17/10/17 12:45:47 WARN JAASLoginService:
javax.security.auth.login.LoginException: Error obtaining user info.
        at org.eclipse.jetty.plus.jaas.spi.LdapLoginModule.login(LdapLoginModule.java:438)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
        at org.eclipse.jetty.plus.jaas.JAASLoginService.login(JAASLoginService.java:217)
        at org.eclipse.jetty.security.authentication.BasicAuthenticator.validateRequest(BasicAuthenticator.java:83)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:456)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
        at org.eclipse.jetty.server.Server.handle(Server.java:349)
        at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:449)
        at org.eclipse.jetty.server.BlockingHttpConnection.handleRequest(BlockingHttpConnection.java:47)
        at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:910)
        at

2 Answers

0

Most likely it's a configuration error that is unique to your environment. Ask for help from your organization's LDAP/AD experts. It's not going to be easy for anyone externally to help you.

Here are some tricks I recommend for debugging LDAP issues.

First, don't start by debugging this directly in Sparkling Water. Debug it in pure standalone H2O with no Hadoop or Spark, so you can isolate the problem and it's easy to see what's happening and you don't have to hunt for stdout/stderr/logs.

Second, you can enable the DEBUG jetty log level and get more information about what the ldaploginmodule is doing by adding the following file to the classpath:

jetty-logging.properties

org.eclipse.jetty.util.log.class=org.eclipse.jetty.util.log.StdErrLog
org.eclipse.jetty.LEVEL=DEBUG

So run like this (make sure jetty-logging.properties is in the current directory):

java -cp h2o.jar:. water.H2OApp -ldap_login -login_conf ldap-config-file
TomKraljevic
  • Thanks for your input. I tried configuring as above in H2O without Spark and Hadoop, but I am still getting the same error as above without any more detail. Please note that the same LDAP configuration is working absolutely fine in a few other tools. – Satish Agrawal Oct 27 '17 at 07:53
  • I'm not sure what the *'s are for. Try removing those. The next thing I would try would be to turn off Ldaps and inspect the actual network level packets with tcpdump. After that, I would go inspect the source code. After that, I would run standalone H2O in a good java debugger like IntelliJ IDEA and single-step it. (And finally, if you just want hand-held help debugging the security issue, you can contact the company h2o.ai for enterprise support... I still think a config issue is the most likely problem...) – TomKraljevic Oct 27 '17 at 10:13
  • Also, please have a look at our brand new documentation. LDAP has been fully tested and documented recently: http://docs.h2o.ai/sparkling-water/2.2/latest-stable/doc/tutorials/ldap.html – Jakub Háva Mar 26 '18 at 15:43
0

Two additional notes:

  • do not use Sparkling Water 1.6 and upgrade
  • after upgrading, for the LDAP conf you need to modify the LoginModule reference to ai.h2o.org.eclipse.jetty.plus.jaas.spi.LdapLoginModule required
Michal
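A pre-flight check for the login config file that covers the points raised in the answers and comments above (the `*` markers, the relocated LoginModule class after an upgrade) and also flags a simple bind without LDAPS and a bind password stored in the file. This is an added example, not code from any of the posts or from H2O; the function name `lint_login_conf` and the finding codes are hypothetical.

```python
import re

# Class names as they appear on this page (question config and second answer).
LEGACY = "org.eclipse.jetty.plus.jaas.spi.LdapLoginModule"
RELOCATED = "ai.h2o.org.eclipse.jetty.plus.jaas.spi.LdapLoginModule"

# Copy of the login config from the question, including the '*' markers.
SAMPLE = '''*ldaploginmodule {
    org.eclipse.jetty.plus.jaas.spi.LdapLoginModule required
    debug="true"
    useLdaps="false"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    hostname="localhost"
    port="389"
    bindDn="CN=admin,OU=Users,DC=company,DC=com"
    bindPassword="password"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="dc=company,dc=com";
};*'''

def lint_login_conf(text, upgraded=False):
    """Return finding codes for a JAAS LdapLoginModule config (hypothetical helper)."""
    findings = []
    # '*' before the entry name or after the closing '};' is not JAAS syntax.
    if re.search(r"^[ \t]*\*", text, re.M) or re.search(r"\};[ \t]*\*", text):
        findings.append("STRAY_ASTERISK")
    module = re.search(r"^\s*([\w.]*LdapLoginModule)\s+required\b", text, re.M)
    opts = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', text))
    if module is None:
        findings.append("NO_LDAP_MODULE")
    elif upgraded and module.group(1) == LEGACY:
        findings.append("LEGACY_CLASS")    # second answer: use the ai.h2o.* name
    # Simple bind without LDAPS puts bindPassword and user passwords on the
    # wire unencrypted (useLdaps is treated as off when absent: assumption).
    if (opts.get("authenticationMethod") == "simple"
            and opts.get("useLdaps", "false").lower() != "true"):
        findings.append("CLEARTEXT_BIND")
    if "bindPassword" in opts:
        findings.append("SECRET_IN_FILE")  # keep the file readable by the service user only
    return findings

if __name__ == "__main__":
    for code in lint_login_conf(SAMPLE, upgraded=True):
        print(code)
```

Pass `upgraded=True` only when checking a config for a release that uses the relocated class name; for the 1.6.13 setup in the question the legacy name is the expected one.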