LDAPS is a secure protocol that uses TLS to assure authenticity, confidentiality, and integrity of communications. This prevents man-in-the-middle attacks that sniff traffic to discover LDAP credentials communicated in plaintext, which could compromise the security of the cluster.
The first step is to modify the configuration of the OpenLDAP server, as root, to expose LDAPS connectivity, we'll need to modify /etc/openldap/ldap.conf. Please recall that we created /etc/openldap/certs/myldap.field.hortonworks.com.cert in the How to Set Up OpenLDAP article
URI ldaps://myldap.field.hortonworks.com ldap://myldap.field.hortonworks.com
We also need to modify /etc/sysconfig/slapd :
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
Then restart slapd:
systemctl restart slapd
You can confirm that slapd is listening on 636:
netstat -anp | grep 636
Finally, confirm TLS connectivity and secure ldapsearch (with the appropriate bind user and password from the previous articles):
# should succeed
openssl s_client -connect myldap.field.hortonworks.com:636 </dev/null
# should succeed
ldapsearch -H ldaps://myldap.field.hortonworks.com:636 -D cn=ldapadm,dc=field,dc=hortonworks,dc=com -w $password -b "ou=People,dc=field,dc=hortonworks,dc=com"
The next step is the client-side configuration changes. Since we are using a self-signed certificate for the OpenLDAP server, we need to import this into the Java truststore, called cacerts, which is in /etc/pki/ca-trust/extracted/java on my CentOS 7 system.
Copy the myldap.field.hortonworks.com.cert file from the OpenLDAP server to the Zeppelin server (this file does not contain sensitive key material, only public keys), and run (making sure you set this certificate to be trusted):