Authentication Fails | External login to Cloudera Manager Using LDAPS

0 votes
asked Aug 20, 2017 in Hadoop by admin (4,410 points)
SummaryExternal login using the and Java options.

After configuring CM with external LDAPS authentication by following the documentation, the root CA certificate for the LDAPS server has been added into the  trust store configured in the "Cloudera Manager TLS/SSL Certificate Trust Store File" showing in below Cloudera Manager setting for trust store:

Cloudera Manager Truststore configuration

However, users fails to log into Cloudera Manager using AD/LDAP account and below exception is seen from CM server log:

2014-06-27 14:32:52,092 ERROR [647029980@scm-web-16:cmf.CmfLdapAuthenticationProvider@113] LDAP/AD authentication failed /  

org.springframework.ldap.CommunicationException: simple bind failed:; nested exception is javax.naming.CommunicationException: /  
simple bind failed: [Root exception is /  
PKIX path building failed: unable to find valid certification path to requested target] 
at com.cloudera.server.web.cmf.CmfLdapAuthenticationProvider.authenticate( 

Applies To
  • Cloudera Manager 4
  • Cloudera Manager 5

Cloudera Manager external authentication using LDAPS requires trust of the Certificate Authority (CA) used to sign the server's certificate. Currently, Cloudera Manager looks to the default JDK trust for that information.

There is an enhancement opened for Cloudera Manager to reuse CM UI configuration for Trust Store. It is still open for future release.


If the LDAP server certificate has been signed by a trusted Certificate Authority (that is, VeriSign, GeoTrust, and so on), steps 1 and 2 below may not be necessary.
  1. Copy the CA certificate file to the Cloudera Manager Server host.
  2. Import the CA certificate(s) from the CA certificate file to the local truststore. The default truststore is located in the $JAVA_HOME/jre/lib/security/cacerts file. This contains the default CA information shipped with the JDK. Create an alternate default file called jssecacerts in the same location as the cacerts file. You can now safely append CA certificates for any private or public CAs not present in the default cacerts file, while keeping the original file intact.For our example, we will follow this recommendation by copying the default cacerts file into the new jssecacerts file, and then importing the CA certificate to this alternate truststore.
    $ cp $JAVA_HOME/jre/lib/security/cacerts \
    $ /usr/java/latest/bin/keytool -import -alias nt_domain_name \
    -keystore /usr/java/latest/jre/lib/security/jssecacerts -file path_to_CA_cert
    Note: The default password for the cacerts store is changeit. The -alias does not always need to be the domain name.

    Alternatively, you can use the Java options: and Open the /etc/default/cloudera-scm-server file and add the following options:

    export CMF_JAVA_OPTS="-Xmx2G -XX:MaxPermSize=256m -XX:+HeapDumpOnOutOfMemoryError \
    -XX:HeapDumpPath=/tmp \"
  3. From Cloudera Manager UI, go to Administration > Settings > External Authentication category, in the LDAP URL property, use ldaps://ldap_server instead of ldap://ldap_server.
  4. Restart the Cloudera Manager Server.
Note: Above steps are also documented in the official Cloudera Manager documentation: Configuring Cloudera Manager to Use LDAP

Please log in or register to answer this question.