
Missing or Incorrect Authentication Configuration for ldap_user in ClickHouse #1630

Open
sanjeev3d opened this issue Feb 4, 2025 · 6 comments

Comments

@sanjeev3d

An error occurs when parsing the ldap_user configuration in the ClickHouse users.xml file. The error indicates that an authentication method is not properly specified for the user, even though the configuration appears to include the required ldap authentication type.

Error Details:

Error: Application: Code: 36. DB::Exception: Either 'password' or 'password_sha256_hex' or 'password_double_sha1_hex' or 'no_password' or 'ldap' or 'kerberos' or 'ssl_certificates' or 'ssh_keys' or 'http_authentication' must be specified for user ldap_user.: while parsing user 'ldap_user' in users configuration file: while loading configuration file '/etc/clickhouse-server/users.xml'. (BAD_ARGUMENTS)

ldap_user in users.xml:

<ldap_user>
    <networks>
        <ip>0.0.0.0/0</ip>
        <ip>::/0</ip>
    </networks>
    <authentication>
        <type>ldap</type>
        <server>kiba_ldap</server> <!-- This must match the LDAP server name in 04-ldap-config.xml -->
    </authentication>
    <profile>default</profile>
    <quota>default</quota>
</ldap_user>

LDAP server configuration is defined in 04-ldap-config.xml:

<ldap_servers>
    <kiba_ldap>
        <host>test.rmb-adtest.jp</host>
        <port>389</port>
        <bind_dn>CN=svc.yugabyte-a,OU=Users,OU=JP,OU=APAC,OU=Earth,DC=test,DC=rmb-adtest,DC=jp</bind_dn>
        <bind_password>xxxxxxx</bind_password>
        <search_base>OU=JP,OU=APAC,OU=Earth,DC=test,DC=rmb-adtest,DC=jp</search_base>
        <search_filter>(cn={user})</search_filter>
        <enable_tls>false</enable_tls>
    </kiba_ldap>
</ldap_servers>

Expected Behavior:

The ClickHouse server should start without errors, and the ldap_user should authenticate using the specified LDAP server configuration.

@Slach
Collaborator

Slach commented Feb 4, 2025

Could you share the kind: ClickHouseInstallation manifest, without sensitive credentials?

@sanjeev3d
Author

sanjeev3d commented Feb 4, 2025

@Slach ClickHouse Installation Manifest:

apiVersion: "clickhouse.altinity.com/v1"
kind: "ClickHouseInstallation"
metadata:
  name: "cliff"
spec:
  defaults:
    templates:
            podTemplate: pod-template-with-volumes-shard
            serviceTemplate: chi-service-template
  configuration:
    zookeeper:
      nodes:
        - host: zookeeper-0.zookeepers.cmass-1c
          port: 2181
        - host: zookeeper-1.zookeepers.cmass-1c
          port: 2181
        - host: zookeeper-2.zookeepers.cmass-1c
          port: 2181
    settings:
      remote_servers/all-replicated/secret: cliff
      remote_servers/all-sharded/secret: cliff
      remote_servers/cliffcluster/secret: cliff
      remote_servers/all-replicated/secret: distributed
      remote_servers/all-sharded/secret: distributed
      remote_servers/cliffcluster/secret: distributed
      remote_servers/all-replicated/secret: default
      remote_servers/all-sharded/secret: default
      remote_servers/cliffcluster/secret: default
      disable_internal_dns_cache: 1
    users:
      # test user has 'password' specified, while admin user has 'password_sha256_hex' specified
      default/networks/ip:
              - "0.0.0.0/0"
              - "::/0"
      admin/password: xxxxxxx
      admin/access_management: 1
      admin/networks/ip:
              - "0.0.0.0/0"
              - "::/0"
    clusters:
      - name: "cliffcluster"
        layout:
          shards:
            - name: shard0
              replicasCount: 1
              templates:
                 podTemplate: pod-template-with-volumes-shard
              replicas:
                - name: replica0-shard0
                - name: replica1-shard0
                  templates:
                    podTemplate: pod-template-with-volumes-replica
           # - name: shard1
           #   replicasCount: 1
           #   templates:
           #      podTemplate: pod-template-with-volumes-shard
           #   replicas:
           #     - name: replica0-shard1
           #     - name: replica1-shard1
           #       templates:
           #         podTemplate: pod-template-with-volumes-replica
           # - name: shard2
           #   replicasCount: 2
           #   templates:
           #      podTemplate: pod-template-with-volumes-shard
           #   replicas:
           #     - name: replica0-shard2
           #     - name: replica1-shard2
           #       templates:
           #         podTemplate: pod-template-with-volumes-replica
  templates:
    podTemplates:
      - name: pod-template-with-volumes-shard
        spec:
          # affinity:
          #   nodeAffinity:
          #     requiredDuringSchedulingIgnoredDuringExecution:
          #       nodeSelectorTerms:
          #       - matchExpressions:
          #         - key: Name
          #           operator: In
          #           values:
          #           - clickhouse-dev
          # tolerations:
          #  - key: "High"
          #    operator: "Equal"
          #    value: "high-click"
          #    effect: "NoSchedule"
          containers:
            - name: clickhouse
              image: clickhouse-server:24.4.2-alpine
              imagePullPolicy: Always
              resources:
                requests:
                  memory: "8Gi"
                  cpu: "4"
                limits:
                  memory: "8Gi"
                  cpu: "4"
              volumeMounts:
                - name: clickhouse-storage-template
                  mountPath: /var/lib/clickhouse
                - name: clickhouse-storage-template-1
                  mountPath: /var/lib/clickhouse-1
                - name: clickhouse-storage-template-2
                  mountPath: /var/lib/clickhouse-2
            - name: clickhouse-backup
              image: clickhouse-backup:2.5.13
              imagePullPolicy: Always
              volumeMounts:
                - name: clickhouse-storage-template
                  mountPath: /var/lib/clickhouse
                - name: clickhouse-storage-template-1
                  mountPath: /var/lib/clickhouse-1
                - name: clickhouse-storage-template-2
                  mountPath: /var/lib/clickhouse-2
              command:
                 - bash
                 - -xc
                 - "/bin/clickhouse-backup server"
              resources:
                requests:
                  memory: "4Gi"
                  cpu: "2"
                limits:
                  memory: "4Gi"
                  cpu: "2"
              envFrom:
              - configMapRef:
                  name: clickhouse-backup-config
              ports:
                 - name: backup-rest
                   containerPort: 7171

      - name: pod-template-with-volumes-replica
        spec:
          # affinity:
          #   nodeAffinity:
          #     requiredDuringSchedulingIgnoredDuringExecution:
          #       nodeSelectorTerms:
          #       - matchExpressions:
          #         - key: Name
          #           operator: In
          #           values:
          #           - clickhouse-dev-2
          # tolerations:
          #  - key: "High"
          #    operator: "Equal"
          #    value: "high-click-2"
          #    effect: "NoSchedule"
          containers:
            - name: clickhouse
              image: clickhouse-server:24.4.2-alpine
              imagePullPolicy: Always
              resources:
                requests:
                  memory: "8Gi"
                  cpu: "4"
                limits:
                  memory: "8Gi"
                  cpu: "4"
              volumeMounts:
                - name: clickhouse-storage-template
                  mountPath: /var/lib/clickhouse
                - name: clickhouse-storage-template-1
                  mountPath: /var/lib/clickhouse-1
                - name: clickhouse-storage-template-2
                  mountPath: /var/lib/clickhouse-2
            - name: clickhouse-backup
              image: clickhouse-backup:2.5.13
              imagePullPolicy: Always
              volumeMounts:
                - name: clickhouse-storage-template
                  mountPath: /var/lib/clickhouse
                - name: clickhouse-storage-template-1
                  mountPath: /var/lib/clickhouse-1
                - name: clickhouse-storage-template-2
                  mountPath: /var/lib/clickhouse-2
              command:
                 - bash
                 - -xc
                 - "/bin/clickhouse-backup server"
              resources:
                requests:
                  memory: "4Gi"
                  cpu: "2"
                limits:
                  memory: "4Gi"
                  cpu: "2"
              envFrom:
              - configMapRef:
                  name: clickhouse-backup-config
              ports:
                 - name: backup-rest
                   containerPort: 7171

    volumeClaimTemplates:
      - name: clickhouse-storage-template
        spec:
          # no storageClassName - means use default storageClassName
          storageClassName: robin-encrypt
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
             storage: 500Gi
      - name: clickhouse-storage-template-1
        spec:
          # no storageClassName - means use default storageClassName
          storageClassName: robin-encrypt
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 500Gi
      - name: clickhouse-storage-template-2
        spec:
          storageClassName: robin-encrypt
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 500Gi
    serviceTemplates:
      - name: chi-service-template
        generateName: "clickhouse-{chi}"
        spec:
          type: NodePort
          ports:
            - name: http
              port: 8123
              targetPort: 8123
            - name: tcp
              port: 9000
              targetPort: 9000
            - name: interserver
              port: 9009
              targetPort: 9009

@sanjeev3d
Author

@Slach did you find anything from the CHI?

@sanjeev3d
Author

sanjeev3d commented Feb 5, 2025

@Slach I have made one change in the CHI by adding one more section; now the pod is not crashing with the above error, but the user is still not getting authenticated.

    users:
      # test user has 'password' specified, while admin user has 'password_sha256_hex' specified
      default/networks/ip:
              - "0.0.0.0/0"
              - "::/0"
      admin/password: xxx
      admin/access_management: 1
      admin/networks/ip:
              - "0.0.0.0/0"
              - "::/0"
      ldap_user:
        ldap:
          server: kiba_ldap

Do I need to follow any more steps to create the user locally?

I have even added one user that exists in AD:

CREATE USER 'sanjeev.gautam-a' IDENTIFIED WITH ldap SERVER 'my_ldap_server';

I have also verified with ldapsearch that I get details for this user using the LDAP details mentioned above.

[sanjeev.gautam-a@uhn5klbjhmgmt-s ldap-click]$ ldapsearch -x -H ldap://test.rmb-adtest.jp:389 -D "CN=svc.yugabyte-a,OU=Users,OU=JP,OU=APAC,OU=Earth,DC=test,DC=rmb-adtest,DC=jp" -w "xxxxxxxxxxxx" -b "OU=JP,OU=APAC,OU=Earth,DC=test,DC=rmb-adtest,DC=jp" "cn=sanjeev.gautam-a"
# extended LDIF
#
# LDAPv3
# base <OU=JP,OU=APAC,OU=Earth,DC=test,DC=rmb-adtest,DC=jp> with scope subtree
# filter: cn=sanjeev.gautam-a
# requesting: ALL
#

# sanjeev.gautam-a, katanaCICD, JP, APAC, Earth, test.rmb-adtest.jp
dn: CN=sanjeev.gautam-a,OU=katanaCICD,OU=JP,OU=APAC,OU=Earth,DC=test,DC=rmb-ad
 test,DC=jp
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: sanjeev.gautam-a
sn: gautam
givenName: sanjeev
distinguishedName: CN=sanjeev.gautam-a,OU=katanaCICD,OU=JP,OU=APAC,OU=Earth,DC
 =test,DC=rmb-adtest,DC=jp
instanceType: 4
whenCreated: 20211208013700.0Z
whenChanged: 20250130065525.0Z
displayName: sanjeev.gautam-a
uSNCreated: 2521517
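As an added illustration (not code from this issue, from ClickHouse, or from clickhouse-operator), the following Python script reproduces the shape of the check behind the Code 36 error quoted in the first post and expands operator-style `spec.configuration.users` keys into the users.xml element tree. It shows why the original `<authentication><type>ldap</type>` block fails (none of the listed elements is a direct child of `<ldap_user>`) while the later `ldap_user/ldap/server: kiba_ldap` form passes. The list of accepted elements is taken from the error message in the thread; the path-to-element expansion is a simplified assumption about the operator's `a/b/c` key convention, and the sample inputs are constructed from the configs quoted above.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Authentication elements ClickHouse accepts as direct children of a <user>
# in users.xml, copied from the BAD_ARGUMENTS message quoted in the issue.
AUTH_METHODS = (
    "password", "password_sha256_hex", "password_double_sha1_hex",
    "no_password", "ldap", "kerberos", "ssl_certificates", "ssh_keys",
    "http_authentication",
)


def check_user_auth(user: ET.Element) -> Optional[str]:
    """Mimic the users.xml authentication check (error code 36).

    Returns None when exactly one recognised authentication element is a
    direct child of the user element, otherwise a description of the problem.
    An element nested under something else (e.g. <authentication><type>ldap)
    is not a direct child and therefore does not count.
    """
    present = [m for m in AUTH_METHODS if user.find(m) is not None]
    if not present:
        return (f"none of {', '.join(AUTH_METHODS)} is specified "
                f"for user '{user.tag}'")
    if len(present) > 1:
        return f"more than one authentication method for user '{user.tag}': {present}"
    return None


def check_all(users: ET.Element) -> dict:
    """Run the check over every <user> child; map user name -> error or None."""
    return {u.tag: check_user_auth(u) for u in users}


def check_users_xml(xml_text: str) -> dict:
    """Convenience wrapper: parse a <users> fragment and check every user."""
    return check_all(ET.fromstring(xml_text.strip()))


def chi_users_to_xml(users_settings: dict) -> ET.Element:
    """Expand operator-style keys such as "admin/networks/ip" into nested
    elements <admin><networks><ip>...</ip></networks></admin>; a list value
    becomes one element per item (assumed simplification of the operator's
    convention, enough for the keys used in this thread).
    """
    root = ET.Element("users")
    for path, value in users_settings.items():
        parts = path.split("/")
        node = root
        for part in parts[:-1]:
            child = node.find(part)
            if child is None:
                child = ET.SubElement(node, part)
            node = child
        values = value if isinstance(value, list) else [value]
        for v in values:
            ET.SubElement(node, parts[-1]).text = str(v)
    return root


# Constructed input 1: the <ldap_user> block from the first post.
ORIGINAL_USERS_XML = """<users>
  <ldap_user>
    <networks><ip>0.0.0.0/0</ip><ip>::/0</ip></networks>
    <authentication>
      <type>ldap</type>
      <server>kiba_ldap</server>
    </authentication>
    <profile>default</profile>
    <quota>default</quota>
  </ldap_user>
</users>"""

# Constructed input 2: the same user expressed as operator `users` keys,
# with the ldap/server form used in the follow-up post.
CHI_USERS_FIXED = {
    "ldap_user/networks/ip": ["0.0.0.0/0", "::/0"],
    "ldap_user/ldap/server": "kiba_ldap",
    "ldap_user/profile": "default",
    "ldap_user/quota": "default",
}

# Constructed input 3: two methods on one user, which also fails the check.
CHI_USERS_CONFLICT = {"admin/password": "x", "admin/no_password": ""}


if __name__ == "__main__":
    print(check_users_xml(ORIGINAL_USERS_XML))
    fixed = chi_users_to_xml(CHI_USERS_FIXED)
    print(ET.tostring(fixed, encoding="unicode"))
    print(check_all(fixed))
    print(check_all(chi_users_to_xml(CHI_USERS_CONFLICT)))
```

This check only covers which authentication element sits under the user entry, which is exactly what the quoted error complains about. A passing result here is necessary but not sufficient: whether the bind against the `kiba_ldap` entry in `ldap_servers` then succeeds is a separate question, which is what the "still not getting authenticated" follow-up concerns, so the server-side ClickHouse log for the failed login is the next thing to inspect.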

@sanjeev3d
Author

@Slach did you get anything based on the shared details?

@Slach
Collaborator

Slach commented Feb 21, 2025

Unfortunately I have not had time to look into this in depth; I'm not an expert with LDAP.
