Cloudera Community

Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Hardening Zeppelin-OpenLDAP connections using TLS

Labels (1)
Labels:
avatar
author-rank slachterman
Guru

Created on ‎01-31-2017 11:19 PM

In Zeppelin LDAP Authentication with OpenLDAP and How to Set Up OpenLDAP we've shown how to use LDAP Authentication with Zeppelin. In this article, we'll harden that configuration by ensuring that Zeppelin and OpenLDAP communicate over LDAPS.

LDAPS is a secure protocol that uses TLS to assure authenticity, confidentiality, and integrity of communications. This prevents man-in-the-middle attacks that sniff traffic to discover LDAP credentials communicated in plaintext, which could compromise the security of the cluster.

The first step is to modify the configuration of the OpenLDAP server, as root, to expose LDAPS connectivity, we'll need to modify /etc/openldap/ldap.conf. Please recall that we created /etc/openldap/certs/myldap.field.hortonworks.com.cert in the How to Set Up OpenLDAP article

#TLS_CACERTDIR  /etc/openldap/certs
TLS_CACERT /etc/openldap/certs/myldap.field.hortonworks.com.cert
URI ldaps://myldap.field.hortonworks.com ldap://myldap.field.hortonworks.com
BASE dc=field,dc=hortonworks,dc=com

We also need to modify /etc/sysconfig/slapd :

SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"

Then restart slapd:

systemctl restart slapd

You can confirm that slapd is listening on 636:

netstat -anp | grep 636

Finally, confirm TLS connectivity and secure ldapsearch (with the appropriate bind user and password from the previous articles):

# should succeed
openssl s_client -connect myldap.field.hortonworks.com:636 </dev/null


# should succeed
ldapsearch -H ldaps://myldap.field.hortonworks.com:636 -D cn=ldapadm,dc=field,dc=hortonworks,dc=com  -w $password -b "ou=People,dc=field,dc=hortonworks,dc=com"

The next step is the client-side configuration changes. Since we are using a self-signed certificate for the OpenLDAP server, we need to import this into the Java truststore, called cacerts, which is in /etc/pki/ca-trust/extracted/java on my CentOS 7 system.

Copy the myldap.field.hortonworks.com.cert file from the OpenLDAP server to the Zeppelin server (this file does not contain sensitive key material, only public keys), and run (making sure you set this certificate to be trusted):

keytool -import -alias myldap -file /etc/security/certificates/myldap.field.hortonworks.com.cert -keystore cacerts

Otherwise, you will see errors like 

Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed

Lastly, in Ambari, we just need to make one small change to the shiro.ini configuration in Zeppelin > Config > Advanced zeppelin-env > shiro_ini_content :

ldapRealm.contextFactory.url = ldaps://myldap.field.hortonworks.com:636

Note the protocol change to LDAPS and the port number change to 636.

To test, restart the Zeppelin service and confirm that users can still log in to the Zeppelin UI.

1,757 Views
webinar banner
Announcements
Community Announcements
April 2024 Community Highlights
Community Announcements
January 2024 Community Highlights
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
View More Announcements
Version history
Last update:
‎01-31-2017 11:19 PM
Updated by:
Guru
Contributors
meetups banner