Created on 04-25-2017 08:16 PM - edited 09-16-2022 01:39 AM
LDAP security options
LDAP over SSL
Traditionally an LDAP connection is wrapped in SSL/TLS on a separate service port, normally 636, and addressed with the ldaps:// scheme. Despite the name, the encryption layer is whatever the client and server negotiate: depending on configuration it can be TLS rather than legacy SSL, and on a current server it should be.
LDAP with StartTLS
Alternatively, the StartTLS extended operation upgrades an initially unencrypted connection to an encrypted one on the same plain LDAP port, normally 389. Here too the negotiated protocol depends on configuration, so a poorly configured server may still end up on SSL rather than TLS. StartTLS is the newer mechanism and is normally used to secure the plain port 389, but not all customers have it enabled on their AD/LDAP servers, and because the session starts in cleartext the client must be configured to require the upgrade (for example ldapsearch's -ZZ) or it may silently continue unencrypted. The most common setup is still ldaps:// for secure LDAP connections, so this article focuses on LDAPS.
Components supporting LDAPS
Most HDP/HDF components support LDAPS: Ambari, NiFi, Ranger Usersync, Ranger Admin, Zeppelin and Knox. Atlas, however, still supports only plain LDAP.
General LDAPS configuration steps
- Verify the LDAPS certificate
To connect to an LDAPS service, first obtain the CA certificate that issued the AD/LDAP server's certificate, and verify that it is the correct one.
$ openssl s_client -CAfile ${LDAPS_SERVER_CA_CERTIFICATE_FILE} -connect ${LDAPS_SERVER_FQDN}:636 -showcerts -verify 32
For example
$ openssl s_client -CAfile ./AD-CA.crt -connect ad1.example.com:636 -showcerts -verify 32
Expect "Verify return code: 0 (ok)" in the output. Otherwise, check with the AD/LDAP team that you have the right certificate (a missing intermediate or the wrong CA is the usual cause) and check the file format (keep it in PEM; convert a DER export first). Note that s_client validates the chain but does not by default check that the certificate name matches the host you connected to, so connect using the FQDN that appears in the certificate's subject or SAN and, on OpenSSL 1.1.0 or later, add -verify_hostname with that FQDN.
- Test ldapsearch
Next, use the certificate and the LDAP bind account to run ldapsearch, which verifies that the bind account's credentials are correct. The -x switch forces a simple bind (ldapsearch defaults to SASL) and -W prompts for the bind password:
$ LDAPTLS_CACERT=${LDAPS_SERVER_CA_CERTIFICATE_FILE} ldapsearch -x -W -H ldaps://${LDAPS_SERVER_FQDN}:636 -D ${LDAP_BIND_USER_ACCOUNT} -b ${BASE_OU} "(&(objectclass=person)(sAMAccountName=*))"
For example
$ LDAPTLS_CACERT=./AD-CA.crt ldapsearch -x -W -H ldaps://ad1.example.com:636 -D "hadoopldapuser@datalake.hadoop.internal" -b "OU=Hadoop,DC=DataLake,DC=Hadoop,DC=Internal" "(&(objectclass=person)(sAMAccountName=*))"
Expect the search to return some AD/LDAP accounts. A TLS error at this point means the client did not trust the server certificate; an "Invalid credentials" error means the bind account or its password is wrong.
- Add the certificate to the truststore
keytool creates truststore.jks if it does not already exist and prompts for the truststore password and for confirmation that the certificate should be trusted; the components will need that same password.
$ keytool -import -file ${LDAPS_SERVER_CA_CERTIFICATE_FILE} -alias LDAPS-CA -keystore truststore.jks
For example
$ keytool -import -file ./AD-CA.crt -alias LDAPS-CA -keystore truststore.jks
- Configure component truststores and LDAPS
Each component configures LDAPS slightly differently, but all of them need the truststore path and password, the base OU, the bind account and its password, and the user/group search filters.
Detailed configurations will be discussed in other articles.
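The three steps above, combined into one pre-flight script. This is an added example written for this article, not the original author's code or any HDP/HDF tooling; the host ad1.example.com, the CA file AD-CA.crt, the bind account, the base OU, the alias LDAPS-CA and the password-file and STOREPASS conventions are assumptions, overridable through environment variables. Beyond the commands in the article it checks the certificate hostname, forces a simple bind, refuses an untrusted certificate even when ldap.conf has been relaxed, and reads the imported CA back out of the truststore.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: an LDAPS pre-flight script that
# runs the three checks above in order and stops at the first failure.
# The host, CA file, bind account and base OU defaults are illustrative assumptions;
# override them with environment variables of the same names.
set -eu

LDAPS_HOST="${LDAPS_HOST:-ad1.example.com}"
LDAPS_PORT="${LDAPS_PORT:-636}"
CA_FILE="${CA_FILE:-./AD-CA.crt}"
BIND_DN="${BIND_DN:-hadoopldapuser@datalake.hadoop.internal}"
BIND_PW_FILE="${BIND_PW_FILE:-./bind.pw}"   # file holding the bind password, mode 0600
BASE_OU="${BASE_OU:-OU=Hadoop,DC=DataLake,DC=Hadoop,DC=Internal}"
TRUSTSTORE="${TRUSTSTORE:-truststore.jks}"
FILTER='(&(objectClass=person)(sAMAccountName=*))'

# True when the file is PEM; a DER export from AD must be converted first
# (openssl x509 -inform der -in ca.cer -out AD-CA.crt).
is_pem() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Pull the numeric "Verify return code" out of captured s_client output.
# Prints the code (0 means the chain validated against CA_FILE) or "none".
verify_return_code() {
  code=$(printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9]*\) .*/\1/p' | tail -n 1)
  printf '%s\n' "${code:-none}"
}

# Turn the codes seen most often with a wrong CA file into an action.
explain_verify_code() {
  case "$1" in
    0)       echo "chain validated against $CA_FILE" ;;
    18|19)   echo "self-signed certificate in chain: $CA_FILE is not the issuing CA" ;;
    2|20|21) echo "issuer not found: $CA_FILE lacks the intermediate or root CA" ;;
    10)      echo "certificate has expired" ;;
    62)      echo "hostname mismatch: connect with the FQDN in the certificate SAN, not an alias or IP" ;;
    *)       echo "verify code $1: check that the file is PEM and is the right CA" ;;
  esac
}

# Step 1: validate the chain and the hostname. s_client does not check the
# hostname unless told to; -verify_hostname needs OpenSSL 1.1.0 or later.
check_cert() {
  is_pem "$CA_FILE" || { echo "$CA_FILE is not PEM"; return 1; }
  out=$(openssl s_client -CAfile "$CA_FILE" -connect "$LDAPS_HOST:$LDAPS_PORT" \
          -servername "$LDAPS_HOST" -verify_hostname "$LDAPS_HOST" \
          -showcerts -verify 32 </dev/null 2>&1) || true
  code=$(verify_return_code "$out")
  echo "certificate check: $(explain_verify_code "$code")"
  [ "$code" = "0" ]
}

# Step 2: bind with the service account over LDAPS and expect at least one entry.
# -x forces a simple bind (ldapsearch defaults to SASL); LDAPTLS_REQCERT=demand
# makes the client reject an untrusted certificate even if /etc/openldap/ldap.conf
# has been relaxed to "allow" or "never".
check_bind() {
  n=$(LDAPTLS_CACERT="$CA_FILE" LDAPTLS_REQCERT=demand \
      ldapsearch -x -LLL -H "ldaps://$LDAPS_HOST:$LDAPS_PORT" \
        -D "$BIND_DN" -y "$BIND_PW_FILE" -b "$BASE_OU" -z 5 "$FILTER" dn \
      | grep -c '^dn:') || true
  echo "bind check: ${n:-0} account(s) returned"
  [ "${n:-0}" -gt 0 ]
}

# Step 3: import the CA into the Java truststore the components will use, then
# read it back so a typo in the alias or password surfaces here, not at startup.
import_ca() {
  : "${STOREPASS:?set STOREPASS to the truststore password}"
  keytool -importcert -trustcacerts -noprompt -alias LDAPS-CA \
    -file "$CA_FILE" -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
  keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias LDAPS-CA
}

main() { check_cert && check_bind && import_ca && echo "LDAPS pre-flight passed"; }

# Only run the network steps when asked, so the helpers can be sourced or tested alone.
if [ "${RUN_PREFLIGHT:-0}" = "1" ]; then main; fi
```

Run it on the node that will host the component, for example `RUN_PREFLIGHT=1 STOREPASS=... LDAPS_HOST=ad1.example.com ./ldaps-preflight.sh`, with the bind password in the file named by BIND_PW_FILE rather than on the command line. The script deliberately uses the bind password file and LDAPTLS_REQCERT=demand so that a permissive client configuration cannot turn a certificate problem into a false pass.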
Created on 07-31-2019 08:16 PM
@Wendell Bu, thanks for your article. At the end you mentioned that you would discuss the detailed configuration in other articles. Can you please share the other articles?