Posted to common-issues@hadoop.apache.org by "Wei-Chiu Chuang (JIRA)" <ji...@apache.org> on 2016/03/18 18:22:33 UTC

[jira] [Updated] (HADOOP-12945) Support StartTLS encryption for LDAP group names mapping

     [ https://issues.apache.org/jira/browse/HADOOP-12945?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wei-Chiu Chuang updated HADOOP-12945:
-------------------------------------
    Attachment: HADOOP-12945.001.patch

Rev01: Added code, docs and configs.
No test is included: this new feature interacts with an external LDAP server, so it is hard to unit test. However, I have built and tested it locally against my Active Directory server.

The feature is backward compatible. It continues to support LDAP over SSL through `hadoop.security.group.mapping.ldap.ssl`. It continues to support plain LDAP with no encryption, if both `hadoop.security.group.mapping.ldap.ssl` and `hadoop.security.group.mapping.ldap.starttls` are false.

> Support StartTLS encryption for LDAP group names mapping
> --------------------------------------------------------
>
>                 Key: HADOOP-12945
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12945
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 2.7.2
>            Reporter: Wei-Chiu Chuang
>            Assignee: Wei-Chiu Chuang
>              Labels: LDAP, SSL
>         Attachments: HADOOP-12945.001.patch
>
>
> The current LDAP group name resolution supports LDAP over SSL (LDAPS) encryption. However, LDAPS is considered deprecated. A better encryption protocol is the LDAP StartTLS extension (RFC 2830).
> I added the StartTLS support using JNDI API, and have verified that it works against my Apache Directory Service.
> To enable LDAPS, set hadoop.security.group.mapping.ldap.ssl to true. To enable StartTLS, set hadoop.security.group.mapping.ldap.starttls to true. If both properties are true, this implementation will choose StartTLS over LDAPS, as the latter is considered deprecated.
> If StartTLS is chosen, no alternative port is necessary; otherwise, LDAPS often uses a different port (normally 636) than the LDAP port (normally 389). By default, StartTLS performs DEFAULT host name verification. But this can be changed via hadoop.security.group.mapping.ldap.starttls.hostnameverifier. To disable the host name verifier, set this value to ALLOW_ALL. Other valid values are: STRICT, STRICT_IE6, and DEFAULT_AND_LOCALHOST. (See `SSLHostnameVerifier.java` for more details.)
> This patch will conflict with HADOOP-12862 (LDAP Group Mapping over SSL can not specify trust store) (status: patch available) because of the code proximity.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
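The transport selection and JNDI StartTLS negotiation that the issue description lays out (StartTLS preferred over LDAPS, plain LDAP only when both are off, and a pluggable host name verifier), as an added example. This is not Hadoop's LdapGroupsMapping code or the patch attached to the issue; only the three property names in the comments come from the issue. The host name, bind DN, password, group base, the `(member={0})` filter shape and the class and method names are assumptions, and Hadoop's own SSLHostnameVerifier modes are not reproduced: DEFAULT here simply leaves JNDI's built-in certificate-to-host check in force.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.HostnameVerifier;

/** Added example (not Hadoop code): StartTLS vs. LDAPS vs. plain LDAP group lookup with JNDI. */
public final class StartTlsGroupLookup {

  /** Hypothetical settings; the commented property names are the ones from the issue. */
  static final class Settings {
    String url = "ldap://ldap.example.com:389";             // assumed host; StartTLS reuses port 389
    String bindUser = "cn=hadoop,ou=svc,dc=example,dc=com"; // assumed bind DN
    String bindPassword = "change-me";                      // assumed
    String groupBase = "ou=groups,dc=example,dc=com";       // assumed
    boolean ssl = false;                  // hadoop.security.group.mapping.ldap.ssl
    boolean startTls = true;              // hadoop.security.group.mapping.ldap.starttls
    String hostnameVerifier = "DEFAULT";  // hadoop.security.group.mapping.ldap.starttls.hostnameverifier
  }

  /** Open context plus the TLS layer; the TLS layer must be closed before the context. */
  static final class Session implements AutoCloseable {
    final LdapContext ctx;
    final StartTlsResponse tls; // null for LDAPS and plain LDAP
    Session(LdapContext ctx, StartTlsResponse tls) { this.ctx = ctx; this.tls = tls; }
    @Override public void close() throws NamingException, IOException {
      if (tls != null) tls.close();
      ctx.close();
    }
  }

  /** Precedence from the issue: StartTLS beats LDAPS; neither flag means unencrypted LDAP. */
  static String transportFor(boolean ssl, boolean startTls) {
    if (startTls) return "starttls";
    return ssl ? "ldaps" : "plain";
  }

  /**
   * JNDI checks the server certificate against the host in the URL on its own; the verifier
   * set here is consulted only after that built-in check has failed. ALLOW_ALL accepts any
   * certificate (test-only, MITM-able); any other mode lets the built-in failure stand.
   */
  static HostnameVerifier verifierFor(String mode) {
    if ("ALLOW_ALL".equalsIgnoreCase(mode)) {
      return (host, session) -> true;
    }
    return (host, session) -> false;
  }

  static Session connect(Settings s) throws NamingException, IOException {
    String transport = transportFor(s.ssl, s.startTls);
    Hashtable<String, Object> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, s.url);
    if ("ldaps".equals(transport)) {
      env.put(Context.SECURITY_PROTOCOL, "ssl"); // TLS from the first byte; URL must point at the LDAPS port (636)
    }
    if (!"starttls".equals(transport)) {
      // Credentials ride on the initial bind; with plain LDAP they cross the wire in clear.
      env.put(Context.SECURITY_AUTHENTICATION, "simple");
      env.put(Context.SECURITY_PRINCIPAL, s.bindUser);
      env.put(Context.SECURITY_CREDENTIALS, s.bindPassword);
    }
    LdapContext ctx = new InitialLdapContext(env, null);
    StartTlsResponse tls = null;
    if ("starttls".equals(transport)) {
      // Anonymous context first, then upgrade the same port-389 socket to TLS (RFC 2830).
      tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
      tls.setHostnameVerifier(verifierFor(s.hostnameVerifier)); // must precede negotiate()
      tls.negotiate(); // throws on handshake or host name failure; no secret has been sent yet
      // Bind only once the channel is encrypted.
      ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
      ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, s.bindUser);
      ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, s.bindPassword);
    }
    return new Session(ctx, tls);
  }

  /** Group names for a user DN. The (member=...) filter shape is assumed; adjust per directory. */
  static List<String> groupsOf(LdapContext ctx, String groupBase, String userDn) throws NamingException {
    SearchControls sc = new SearchControls();
    sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
    sc.setReturningAttributes(new String[] {"cn"});
    List<String> groups = new ArrayList<>();
    // {0} substitution is escaped by JNDI, so a DN containing ')' or '*' cannot rewrite the filter.
    NamingEnumeration<SearchResult> hits =
        ctx.search(groupBase, "(member={0})", new Object[] {userDn}, sc);
    while (hits.hasMore()) {
      Attribute cn = hits.next().getAttributes().get("cn");
      if (cn != null) groups.add((String) cn.get());
    }
    return groups;
  }

  public static void main(String[] args) throws Exception {
    Settings s = new Settings();
    try (Session session = connect(s)) {
      System.out.println("transport: " + transportFor(s.ssl, s.startTls));
      System.out.println(groupsOf(session.ctx, s.groupBase, "uid=alice,ou=people,dc=example,dc=com"));
    }
  }
}
```

Two points worth checking in any StartTLS client of this shape: the bind credentials are added to the environment only after `negotiate()` returns, so a failed handshake or a rejected host name never leaks the service password, and a server that does not offer the StartTLS extended operation makes `extendedOperation` throw rather than silently falling back to clear text. The trust store used for the handshake is the JVM default here; the issue notes that HADOOP-12862 is what adds a configurable one.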