So, our corporate folks are forcing us from the "direct to their active directory controller" to a new ldap proxy setup that's based on openldap.
Under the older active directory setup, I connect from ranger to ldaps://domain.com:636 and all is good. It works.
But under the new setup I need to get working, it's still "ldap" (not ldaps)... and port 389 (not 636). That's simple enough, BUT the connection requires TLS.
In an unrelated Apache server, the new LDAP bind setup was tweaked like this (the magic sauce is the "TLS" option at the end):
AuthLDAPURL "ldap://domain.company.com:389/dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)" TLS
And similarly, the standard Unix-based "ldapsearch" tool has the "-ZZ" option to force the use of TLS.
But as for RANGER, I'm kinda stuck. Can anyone tell me how the heck I can get TLS negotiation working in RANGER? The "ldaptool" provided as a nifty gadget with ranger errors out thus:
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - TLS confidentiality required]
This is an error I have seen again and again, until (for example in Apache, or ldapsearch) I figured out how to enable TLS.
I am clueless as to what "option" to define or enable to force TLS negotiation for RANGER.
Any insight or ideas would be appreciated!
Yes, Ranger is a "client". I haven't gotten to even trying Ranger yet because I can't even get the "ldaptool" to work. See the error above in terms of what ldaptool tells me. I'm running that on the Ranger node.
@Kent Brodie If your LDAP is running on SSL, then first validate whether it is accepting connections, using openssl:
openssl s_client -connect domain.company.com:389
If that works fine, then you will have to configure the truststore in Ranger and see.
This is just TLS, not full certificate-based SSL:
[root@garth01 ldaptool]# openssl s_client -connect myldapthing.company.com:389
140306741082000:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 289 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
No ALPN negotiated
Protocol : TLSv1.2
Cipher : 0000
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1534974457
Timeout : 300 (sec)
Verify return code: 0 (ok)
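The two setups in this thread differ at the protocol level: ldaps://host:636 starts the TLS handshake the moment the TCP connection opens, whereas ldap://host:389 with Apache's "TLS" option or ldapsearch "-ZZ" uses StartTLS: the client first sends a plaintext LDAP extended operation (OID 1.3.6.1.4.1.1466.20037) and only upgrades the socket to TLS after the server answers resultCode 0. That is also why the plain "openssl s_client -connect host:389" run above ends in "ssl handshake failure" with no peer certificate: the server was waiting for a BER-encoded LDAP message and received a TLS ClientHello instead. The following is an added example, not code from the thread, from Ranger or from ldaptool, showing the StartTLS exchange end to end with a minimal BER encoder/decoder; the host name, the CA bundle path and the sample response bytes in the comments are constructed for illustration.

```python
import socket
import ssl
from typing import Optional, Tuple

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation
# RFC 4511 resultCode values; 13 is the "error code 13" that ldaptool reported.
RESULT_NAMES = {0: "success", 13: "confidentialityRequired (operation refused without TLS)"}

def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content

def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Parse the BER element at buf[pos]; return (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low bits give the number of length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.
    For messageID 1 this is the well-known 31-byte sequence starting 30 1d 02 01 01 77 18 80 16."""
    if not 1 <= message_id <= 127:
        raise ValueError("this example keeps messageID to a single byte")
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID.encode("ascii")))
    return tlv(0x30, tlv(0x02, bytes([message_id])) + ext_req)

def parse_extended_response(msg: bytes) -> dict:
    """Extract messageID, resultCode and diagnosticMessage from an ExtendedResponse.
    A constructed success reply looks like: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(body)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:  # [APPLICATION 24] ExtendedResponse
        raise ValueError(f"expected ExtendedResponse, got tag 0x{tag:02x}")
    _, code, pos = read_tlv(op)              # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(op, pos)  # matchedDN (unused here)
    _, diag, _ = read_tlv(op, pos)           # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": rc,
            "result_name": RESULT_NAMES.get(rc, "other"),
            "diagnostic": diag.decode("utf-8", "replace")}

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
    return data

def recv_ldap_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage (header, then the announced length)."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        head += _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)

def start_tls(host: str, port: int = 389, cafile: Optional[str] = None) -> ssl.SSLSocket:
    """Connect in the clear, ask for StartTLS, then upgrade the SAME socket to TLS.
    Certificate and hostname verification stay on; cafile is the trust store (assumed path)."""
    ctx = ssl.create_default_context(cafile=cafile)
    sock = socket.create_connection((host, port), timeout=10)
    try:
        sock.sendall(build_starttls_request(1))
        resp = parse_extended_response(recv_ldap_message(sock))
        if resp["result_code"] != 0:
            raise RuntimeError(f"StartTLS refused: {resp['result_name']}: {resp['diagnostic']}")
        return ctx.wrap_socket(sock, server_hostname=host)  # the TLS handshake starts only here
    except Exception:
        sock.close()
        raise
```

Usage against a real proxy would be `tls_sock = start_tls("myldapthing.company.com", 389, cafile="/path/to/corporate-ca.pem")` (host and path constructed), after which the bind and search messages are sent over `tls_sock` exactly as a client would send them on port 636. The same negotiation can be driven by hand with `openssl s_client -starttls ldap -connect host:389` on OpenSSL 1.1.1 or newer, which prints the server certificate chain that the plain `-connect` run above could not obtain; the returned certificate is what has to chain to the truststore a client such as Ranger is configured with. The verification context is left strict on purpose: a client that negotiates StartTLS but skips certificate checks still sends the bind credentials to whichever host answered.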