Wei-Chiu Chuang created HADOOP-12945:
----------------------------------------
Summary: Support StartTLS encryption for LDAP group names mapping
Key: HADOOP-12945
URL: https://issues.apache.org/jira/browse/HADOOP-12945
Project: Hadoop Common
Issue Type: New Feature
Components: security
Affects Versions: 2.7.2
Reporter: Wei-Chiu Chuang
Assignee: Wei-Chiu Chuang
The current LDAP group name resolution supports LDAP over SSL (LDAPS)
encryption. However, LDAPS is considered deprecated. A better encryption
protocol is the LDAP Start TLS extension (RFC 2830).
I added the StartTLS support using JNDI API, and have verified that it works
against my Apache Directory Service.
To enable LDAPS, set hadoop.security.group.mapping.ldap.ssl to true. To enable
StartTLS, set hadoop.security.group.mapping.ldap.starttls to true. If both
properties are true, this implementation will choose StartTLS over LDAPS, as
the latter is considered deprecated.
If StartTLS is chosen, no alternative port is necessary; otherwise, LDAPS often
uses a different port (normally 636) than the LDAP port (normally 389). By default,
StartTLS performs DEFAULT host name verification. But this can be changed via
hadoop.security.group.mapping.ldap.starttls.hostnameverifier. To disable the host
name verifier, set this value to ALLOW_ALL. Other valid values are: STRICT,
STRICT_IE6, and DEFAULT_AND_LOCALHOST. (See {{SSLHostnameVerifier.java}} for
more details.)
This patch will conflict with HADOOP-12862 (LDAP Group Mapping over SSL can not
specify trust store) (status: patch available) because of the code proximity.
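The StartTLS upgrade described above, as an added illustration using the plain JNDI API rather than the patch's own code: the connection is opened on the normal LDAP port without credentials, upgraded with a StartTlsRequest, given a hostname verifier before negotiate(), and only then bound with the service account. The host, bind DN and the passing of a Hadoop SSLHostnameVerifier constant (assumed to implement javax.net.ssl.HostnameVerifier) are assumptions, not values from the issue.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.HostnameVerifier;

/** Opens a plain LDAP connection, upgrades it with StartTLS, then binds. */
public final class StartTlsBindExample {

  // Constructed sample values; the real LDAP host and bind identity differ.
  static final String LDAP_URL = "ldap://ldap.example.internal:389";
  static final String BIND_DN = "uid=hadoop,ou=svc,dc=example,dc=internal";

  public static LdapContext connect(String url, String bindDn, String bindPw,
                                    HostnameVerifier verifier)
      throws NamingException, IOException {
    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, url);
    // No credentials yet: the simple bind must only happen after TLS is up,
    // otherwise the password would cross the wire in clear text.
    LdapContext ctx = new InitialLdapContext(env, null);

    // Same port as plain LDAP (389); no separate LDAPS port is needed.
    StartTlsResponse tls =
        (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
    if (verifier != null) {
      // Must be set before negotiate(). Passing null keeps the JNDI default,
      // which matches the DEFAULT setting in the issue; a verifier that
      // accepts every name (ALLOW_ALL) removes the server identity check and
      // leaves the bind open to an impersonating server.
      tls.setHostnameVerifier(verifier);
    }
    tls.negotiate(); // TLS handshake over the existing socket

    // Channel is now encrypted: add the bind credentials and re-bind.
    ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
    ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
    ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, bindPw);
    ctx.reconnect(null);
    return ctx;
  }
}
```

With the patch's property names, the same sequence is driven by hadoop.security.group.mapping.ldap.starttls=true and the verifier chosen in hadoop.security.group.mapping.ldap.starttls.hostnameverifier; the example only makes the ordering (upgrade, verify, then bind) explicit.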
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)