Wei-Chiu Chuang created HADOOP-12862:
----------------------------------------

             Summary: LDAP Group Mapping over SSL can not specify trust store
                 Key: HADOOP-12862
                 URL: https://issues.apache.org/jira/browse/HADOOP-12862
             Project: Hadoop Common
          Issue Type: Bug
            Reporter: Wei-Chiu Chuang


In a secure environment, SSL is used to encrypt LDAP requests for group mapping 
resolution.
We (+[~yoderme], +[~tgrayson]) have found that its implementation is strange.

For information, the Hadoop name node, as an LDAP client, talks to an LDAP server to 
resolve the group mapping of a user. In the case of LDAP over SSL, a typical 
scenario is to establish one-way authentication (the client verifies that the 
server's certificate is real) by storing the server's certificate in the 
client's truststore.

A rarer scenario is to establish two-way authentication: in addition to storing a 
truststore for the client to verify the server, the server also verifies that the 
client's certificate is real, and the client stores its own certificate in its 
keystore.

However, the current implementation for LDAP over SSL does not seem to be 
correct in that it only configures a keystore but no truststore (so the LDAP server 
can verify Hadoop's certificate, but Hadoop may not be able to verify the LDAP 
server's certificate).

I think there should be an extra pair of properties to specify the 
truststore/password for the LDAP server, and use that to configure the system 
properties {{javax.net.ssl.trustStore}}/{{javax.net.ssl.trustStorePassword}}.

I am a security layman so my words can be imprecise. But I hope this makes 
sense.

Oracle's SSL LDAP documentation: 
http://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
JSSE reference guide: 
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
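The following is an added example, not code from Hadoop or from the fix adopted for this issue. It shows the truststore/keystore distinction the report describes in JNDI terms: a custom SSLSocketFactory built from an explicit truststore (so the client can verify the LDAP server) and an optional keystore (only needed for two-way authentication), installed via the documented java.naming.ldap.factory.socket property instead of the JVM-wide javax.net.ssl.* system properties. The example.ldap.* property names, the connect() helper and the ldaps URL are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * SSLSocketFactory for JNDI LDAP built from an explicit truststore (server
 * verification) and an optional keystore (client certificate), so the LDAP
 * connection does not depend on the JVM-wide javax.net.ssl.* properties.
 * JNDI requires the class named in java.naming.ldap.factory.socket to expose
 * a public static getDefault() that returns a SocketFactory.
 */
public class LdapTlsSocketFactory extends SSLSocketFactory {
    // Hypothetical property names used by this example only; they are not
    // Hadoop configuration keys.
    private static final String TRUSTSTORE = System.getProperty("example.ldap.truststore");
    private static final String TRUSTSTORE_PASS = System.getProperty("example.ldap.truststore.password", "");
    private static final String KEYSTORE = System.getProperty("example.ldap.keystore");
    private static final String KEYSTORE_PASS = System.getProperty("example.ldap.keystore.password", "");

    private final SSLSocketFactory delegate;

    private LdapTlsSocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

    /** Called reflectively by the JNDI LDAP provider. */
    public static SocketFactory getDefault() {
        try {
            SSLContext ctx = buildContext(TRUSTSTORE, TRUSTSTORE_PASS.toCharArray(),
                                          KEYSTORE, KEYSTORE_PASS.toCharArray());
            return new LdapTlsSocketFactory(ctx.getSocketFactory());
        } catch (Exception e) {
            throw new IllegalStateException("cannot initialise LDAP TLS context", e);
        }
    }

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** The truststore is mandatory: without it the client cannot verify the server. */
    static SSLContext buildContext(String trustPath, char[] trustPass,
                                   String keyPath, char[] keyPass) throws Exception {
        if (trustPath == null) {
            throw new IllegalArgumentException("truststore path is required for LDAP over SSL");
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustPath, trustPass));

        // The keystore only matters for two-way (mutual) TLS; null KeyManagers
        // means the client presents no certificate, which is the one-way case.
        KeyManager[] keyManagers = null;
        if (keyPath != null) {
            KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(keyPath, keyPass), keyPass);
            keyManagers = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    // SSLSocketFactory methods, all delegated to the factory built above.
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return delegate.createSocket(s, host, port, autoClose);
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return delegate.createSocket(host, port, localHost, localPort);
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return delegate.createSocket(address, port, localAddress, localPort);
    }

    /** Open an LDAPS context that uses this factory rather than javax.net.ssl.* properties. */
    public static DirContext connect(String url) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);            // e.g. ldaps://ldap.example.com:636 (assumed host)
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.factory.socket", LdapTlsSocketFactory.class.getName());
        return new InitialDirContext(env);
    }
}
```

Run with -Dexample.ldap.truststore=/path/to/truststore.jks (and the keystore properties only when the server requires a client certificate) and call connect("ldaps://..."). The reason to prefer a per-connection SSLContext over setting javax.net.ssl.trustStore globally is that the system properties are process-wide: changing them for LDAP also changes which CAs every other TLS client in the same JVM trusts.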