Traditionally, an LDAP connection is wrapped in SSL/TLS on a separate
service port, normally 636, using the ldaps:// scheme. Be aware that this is
not necessarily SSL: depending on configuration, it can run over TLS as well.
LDAP with StartTLS
Alternatively, the StartTLS extended operation enables an encrypted
connection after the initial unencrypted connection, on the same plain LDAP
port, normally 389. If it is not configured properly, it could end up over SSL
rather than TLS. This protocol is newer and is normally used to upgrade the plain
LDAP port 389 to a secure connection, but not all customers have configured it on
their AD/LDAP server. The most common case is still LDAPS for secure LDAP
connections, so this article focuses on LDAPS.
Components that support LDAPS
Most HDP/HDF components support LDAPS: Ambari, NiFi, Ranger Usersync,
Ranger Admin, Zeppelin and Knox. Atlas, however, still only supports plain LDAP.
General LDAPS configuration steps
Verify the LDAPS certificate
To connect to an LDAPS service, the first thing we need is the AD/LDAPS
CA certificate, and we should verify that it is the correct certificate before trusting it.
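As an added example (not from this article or any HDP/HDF component), the shell functions below fetch the chain an LDAPS endpoint presents with openssl, then check a saved certificate against a SHA-256 fingerprint obtained out of band and against the host name you will connect to. The host ldap.example.com and the fingerprint value are placeholders.

```shell
#!/bin/sh
# Save every certificate the LDAPS server sends (leaf first, then issuers) as PEM.
# The host/port are assumptions; 636 is the conventional ldaps:// port.
fetch_ldaps_chain() {
  host="$1"; port="${2:-636}"; out="${3:-ldaps-chain.pem}"
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
  [ -s "$out" ]   # fail if nothing came back (wrong port, plain LDAP, firewall)
}

# Show who issued the certificate, for whom, and how long it is valid.
describe_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -dates
}

# SHA-256 fingerprint of a PEM certificate, e.g. AB:CD:...:EF
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Compare against the fingerprint the AD/LDAP owners handed over out of band.
# A match is what proves this is their CA and not something sitting in between.
verify_fingerprint() {
  actual=$(cert_fingerprint "$1")
  [ "$actual" = "$2" ]
}

# True if the certificate is a CA certificate (Basic Constraints CA:TRUE);
# that is what belongs in the truststore, not a server's leaf certificate.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# True if a leaf certificate's SAN/CN covers the LDAPS host name you will use.
name_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Typical use (placeholder host and fingerprint):
#   fetch_ldaps_chain ldap.example.com 636 chain.pem && describe_cert chain.pem
#   verify_fingerprint ca.pem "AB:CD:...:EF" || echo "CA fingerprint mismatch"
```

Put the verified CA certificate (not the leaf) into the truststore each component uses.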