You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Wei-Chiu Chuang (JIRA)" <ji...@apache.org> on 2016/03/18 18:17:33 UTC
[jira] [Created] (HADOOP-12945) Support StartTLS encryption for
LDAP group names mapping
Wei-Chiu Chuang created HADOOP-12945:
----------------------------------------
Summary: Support StartTLS encryption for LDAP group names mapping
Key: HADOOP-12945
URL: https://issues.apache.org/jira/browse/HADOOP-12945
Project: Hadoop Common
Issue Type: New Feature
Components: security
Affects Versions: 2.7.2
Reporter: Wei-Chiu Chuang
Assignee: Wei-Chiu Chuang
The current LDAP group name resolution supports LDAP over SSL (LDAPS) encryption. However, LDAPS is considered deprecated. A better encryption protocol is LDAP Start TLS extension (RFC-2830).
I added the StartTLS support using JNDI API, and have verified that it works against my Apache Directory Service.
To enable LDAPS, set hadoop.security.group.mapping.ldap.ssl to true. To enable StartTLS, set hadoop.security.group.mapping.ldap.starttls to true. If both properties are true, this implementation will choose StartTLS over LDAPS, as the latter is considered deprecated.
If StartTLS is chosen, no alternative port is necessary; otherwise, LDAPS often uses a different port (normally 636) than LDAP port (normally 389). By default, StartTLS performs DEFAULT host name verification. But this can be changed via hadoop.security.group.mapping.ldap.starttls.hostnameverifier. To disable host name verifier, set this value to ALLOW_ALL. Other valid values are: STRICT, STRICT_IE6, and DEFAULT_AND_LOCALHOST. (See {{SSLHostnameVerifier.java}} for more details)
This patch will conflict with HADOOP-12862 (LDAP Group Mapping over SSL can not specify trust store) (status: patch available) because of the code proximity.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)