Created on 04-25-2018 10:19 PM - edited 09-16-2022 06:08 AM
I am trying to enable kerberos with existing Active Directory KDC.
I need to test the ldaps URL from RHEL Linux.
Created 04-26-2018 12:11 AM
There are various tools you can use to test connectivity. To test the SSL connection and grab the SSL cert, you can use the OpenSSL s_client utility:
openssl s_client -connect HOST:PORT
To grab the SSL certificate you can use the following command:
openssl s_client -connect <AD_HOST_NAME_OR_IP_ADDRESS>:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ad_ldap_server.pem
Example:
openssl s_client -connect ad_host.example.com:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ad_ldap_server.pem
You can then import the ad_ldap_server.pem into Ambari's trust store. This is needed to ensure Ambari trusts the connection to the Active Directory. Later versions of Ambari require this (but the verification process can be turned off if you really want to).
To test the LDAP(S) interface, you can use the OpenLDAP ldapsearch utility. You may need to install the openldap-clients package to use it.
The following command can be used to test connectivity and list the distinguished names contained in the base DN:
ldapsearch -ZZ -h <AD_HOST_NAME_OR_IP_ADDRESS> -D <BIND_DN> -W -b <BASE_DN> dn
-ZZ: Start TLS (for LDAPS)
-h: IP/hostname of Active Directory server
-D: BindDN or User principal name
-W: Password (to be provided interactively)
-b: Base DN for search (where in the LDAP tree to start looking)
Example:
ldapsearch -ZZ -h ad_host.example.com -D some_user@EXAMPLE.COM -W -b OU=users,DC=EXAMPLE,DC=COM dn
This ldapsearch command may fail if the host does not trust the SSL cert provided by the Active Directory. If so, you can either not use SSL/TLS, turn off OpenLDAP cert validation, or trust the cert.
To not use TLS/SSL, remove the -ZZ from the command line.
To skip certificate validation, edit the /etc/openldap/ldap.conf file and add the following line
TLS_REQCERT never
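An added example, not part of the answer above: the same checks scripted so that certificate validation stays on rather than being switched off with TLS_REQCERT never. It assumes the openssl and openldap-clients packages are installed; ad.example.com, the bind and base DNs, the CA bundle path and the output file names are placeholders. LDAPTLS_CACERT is the environment-variable form of OpenLDAP's TLS_CACERT option, so the CA can be pinned for one command without editing /etc/openldap/ldap.conf, and -H with an ldaps:// URL is used for port 636 because -ZZ is StartTLS on the plain LDAP port.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): test an Active Directory
# LDAPS endpoint from RHEL while keeping certificate validation enabled.
# Assumes openssl and openldap-clients; host names and DNs are placeholders.

# Save the certificate presented on the LDAPS port as PEM and print its
# subject, issuer, validity and SHA-256 fingerprint so it can be compared
# with what the AD administrators expect before anything trusts it.
fetch_ad_cert() {
  local host="$1" port="${2:-636}" out="${3:-ad_ldap_server.pem}"
  openssl s_client -connect "${host}:${port}" -servername "${host}" -showcerts \
    </dev/null 2>/dev/null | openssl x509 -outform PEM > "$out" || return 1
  openssl x509 -in "$out" -noout -subject -issuer -dates -fingerprint -sha256
}

# Check that PEM against the CA bundle this host already trusts. A failure
# here is the reason ldapsearch reports a TLS error; the fix is to trust the
# issuing CA (export it from the AD CA), not to disable validation.
# Note: OpenLDAP built against OpenSSL needs the issuing CA in the file
# given to LDAPTLS_CACERT; the leaf alone may not be accepted there even
# though a Java trust store (Ambari) accepts it.
verify_ad_cert() {
  local pem="$1" cafile="${2:-/etc/pki/tls/certs/ca-bundle.crt}"
  openssl verify -CAfile "$cafile" "$pem"
}

# Report what the TLS_REQCERT setting in an OpenLDAP client config does:
# never/allow accept any certificate (a man-in-the-middle goes unnoticed),
# try rejects a bad certificate but accepts none at all, demand/hard (and
# the default when the line is absent) require a valid one.
tls_reqcert_policy() {
  local conf="$1" val
  val=$(awk 'toupper($1)=="TLS_REQCERT"{v=tolower($2)} END{print v}' "$conf")
  case "$val" in
    never|allow) echo insecure ;;
    try)         echo weak ;;
    demand|hard) echo ok ;;
    "")          echo default ;;
    *)           echo unknown ;;
  esac
}

# Print the ldapsearch invocation for LDAPS on 636 or StartTLS on 389,
# pinning the CA through LDAPTLS_CACERT. -H with a URL is used on purpose:
# -h host with port 636 would speak plaintext LDAP to a TLS-only listener.
ldapsearch_cmd() {
  local mode="$1" host="$2" bind_dn="$3" base_dn="$4" cafile="${5:-ad_ldap_server.pem}"
  case "$mode" in
    ldaps)    printf 'LDAPTLS_CACERT=%s ldapsearch -H ldaps://%s:636 -D "%s" -W -b "%s" dn\n' \
                "$cafile" "$host" "$bind_dn" "$base_dn" ;;
    starttls) printf 'LDAPTLS_CACERT=%s ldapsearch -ZZ -H ldap://%s:389 -D "%s" -W -b "%s" dn\n' \
                "$cafile" "$host" "$bind_dn" "$base_dn" ;;
    *)        return 1 ;;
  esac
}

# Usage against a real AD host (needs network; run by hand):
#   fetch_ad_cert ad.example.com && verify_ad_cert ad_ldap_server.pem
#   tls_reqcert_policy /etc/openldap/ldap.conf
#   eval "$(ldapsearch_cmd ldaps ad.example.com 'some_user@EXAMPLE.COM' 'OU=users,DC=EXAMPLE,DC=COM')"
```

Run tls_reqcert_policy on /etc/openldap/ldap.conf after any troubleshooting session: a TLS_REQCERT never left behind on a host that later binds with a privileged service account turns every LDAPS connection from that host into one an attacker on the path can intercept.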
Created 04-27-2018 01:40 AM
Thanks!! Robert Levas
I performed ldaps URL testing. I have an issue with the ldaps connection on Linux. Can you help me?
In RHEL
> ldapsearch is working with ldap (adserver : 3268)
> It is not working for ldaps (adserver : 636)
> But the same ldaps (adserver : 636) I am able to connect through ldp.exe on windows machine
> It looks like my RHEL server is not making a connection with the secured port (not sure)
Error
# ldapsearch -h adserver:636 -D user@domain -W -b DC=Examble,DC=com
Enter LDAP Password: ldap_result: Can't contact LDAP server (-1)
Do you have any idea how to resolve the issue?
Created 04-27-2018 12:24 PM
You appear to be using an Active Directory. In this case, you still want to use port 389 for LDAP and 636 for LDAPS unless there is a firewall in the way or the ports were changed on the Active Directory for some reason.
That said, it is possible that SSL was not set up for your Active Directory and therefore it is not listening for LDAPS requests on port 636. Make sure that LDAPS is enabled on your Active Directory.
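An added example, not part of the reply above: a probe that tells apart the three ways a connection to port 636 fails from RHEL, which is what "Can't contact LDAP server (-1)" hides. It assumes openssl and coreutils timeout are installed; the host names are placeholders, and the s_client output fragments in the comments and the usage are constructed samples of what current OpenSSL versions print, not captured from the poster's environment.

```shell
#!/usr/bin/env bash
# Added example (not from the original reply): work out why an LDAPS
# connection to an AD host fails. Assumes openssl and coreutils timeout;
# host names are placeholders.

# Map the text openssl s_client prints to one of four situations:
#   no-listener    nothing answered on the port (LDAPS not enabled on the AD,
#                  or a firewall in the way)
#   not-tls        something answered, but in plaintext (a TLS handshake sent
#                  to a plain LDAP port, e.g. 389 or 3268)
#   tls-untrusted  handshake completed, but this host does not trust the
#                  certificate chain
#   tls-ok         handshake completed and the chain verified
# Patterns are checked in order; "Verify return code: 0 (ok)" must come
# before the generic "Verify return code:" match.
classify_s_client_output() {
  local text="$1"
  case "$text" in
    *"Connection refused"*|*"No route to host"*|*"Connection timed out"*|*"connect:errno"*)
      echo no-listener ;;
    *"wrong version number"*|*"unknown protocol"*|*"packet length too long"*)
      echo not-tls ;;
    *"Verify return code: 0 (ok)"*)
      echo tls-ok ;;
    *"Verify return code:"*)
      echo tls-untrusted ;;
    *)
      echo unknown ;;
  esac
}

# Run the handshake against host:port (default 636) with a 10 second cap so a
# filtered port does not hang the shell, then classify what came back.
# -servername sends SNI, which some AD front ends need to pick a certificate.
probe_ldaps() {
  local host="$1" port="${2:-636}" out
  out=$(timeout 10 openssl s_client -connect "${host}:${port}" -servername "$host" \
        </dev/null 2>&1)
  classify_s_client_output "$out"
}

# Usage (needs network; run by hand):
#   probe_ldaps ad.example.com 636     # expect tls-ok or tls-untrusted
#   probe_ldaps ad.example.com 3268    # expect not-tls: 3268 is the plain GC port
```

A not-tls result on 636 means something other than LDAPS is bound there; a no-listener result points at the AD not having LDAPS enabled or a firewall; tls-untrusted means the port works and only the client trust configuration is left to fix.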