Cloudera Community

Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Integration with LDAPS

avatar
author-rank wbu author-rank
Expert Contributor

Created on ‎04-25-2017 08:16 PM - edited ‎09-16-2022 01:39 AM

LDAP security options

LDAP over SSL

Traditionally, LDAP connection is wrapped with SSL/TLS, and via a separate service port, normally 636. The protocol is ldaps://. To be aware, it’s not just over SSL, depends on configuration, can over TLS as well.

LDAP with StartTLS

Alternatively, StartTLS extended operation enable encrypted connection after the initial unencrypted connection, via the same plain ldap port, normally 389. If you don’t configure properly, it could be over SSL, not always with TLS. This protocol is new, normally is used to upgrade the plain ldap port 389 to be secure. But not all customer have configured it in AD/LDAP server. Most common cases are still use ldaps for secure ldap connection. So this article is focusing on LDAPS.

Components support LDAPS

Most of HDP/HDF components support LDAPS. Ambari, NiFi, Ranger Usersync, Ranger Admin, Zeppelin, Knox. But Atlas still only supports LDAP.

General Configure LDAPS Steps

  • Verify LDAPS certificate

To connect to ldaps service, first thing we need to get the AD/LDAPS CA certificate. And should verify it’s the correct certificate.

$ openssl s_client -CAfile ${LDAPS_SERVER_CA_CERTIFICATE_FILE} -connect ${LDAPS_SERVER_FQDN}:636 -showcerts -verify 32

For example

$ openssl s_client -CAfile ./AD-CA.crt -connect ad1.example.com:636 -showcerts -verify 32

Expect return "Verify return code: 0 (ok)". Otherwise need to check with the AD/LDAP team to find the correct certificate file or check the certificate file format.

  • Test ldapsearch

Then we need to use the certificate and ldap bind account to test ldapsearch, to verify we have the correct credential of the binding account.

$ LDAPTLS_CACERT=${LDAPS_SERVER_CA_CERTIFICATE_FILE} -H ldaps://${LDAPS_SERVER_FQDN}:636 -D ${LDAP_BIND_USER_ACCOUNT} -b ${BASE_OU} "(&(objectclass=person)(sAMAccountName=*))"

For example

$ LDAPTLS_CACERT=./AD-CA.crt ldapsearch -H ldaps://ad1.example.com:636 -D "hadoopldapuser@datalake.hadoop.internal" -b "OU=Hadoop,DC=DataLake,DC=Hadoop,DC=Internal" "(&(objectclass=person)(sAMAccountName=*))"

Expect return some AD/LDAP accounts.

  • Add the certificate into Truststore
$ keytool -import -file ${LDAPS_SERVER_CA_CERTIFICATE_FILE} -alias LDAPS-CA -keystore truststore.jks

For example

$ keytool -import -file ./AD-CA.crt -alias LDAPS-CA -keystore truststore.jks
  • Configure components truststore and ldaps

Components have slightly different configure for the ldaps. But normally need to configure the truststore and truststore password, and base OU, bind account, search filters.

Detail configurations will be discussed in other articles.

4,496 Views
Comments

Re: Integration with LDAPS

avatar
author-rank shyam_kf657
Contributor

Created on ‎07-31-2019 08:16 PM

@Wendell Bu thanks for your article. At the end you mentioned that you will discuss the detailed configuration in other articles. Can you please share the other articles.

Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements
Version history
Last update:
‎09-16-2022 01:39 AM
Updated by:
Expert Contributor Expert Contributor
Contributors