[ 
https://issues.apache.org/jira/browse/HADOOP-12945?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Wei-Chiu Chuang updated HADOOP-12945:
-------------------------------------
    Attachment: HADOOP-12945.001.patch

Rev01: Added code, docs and configs.
No test is included, as this new feature interacts with an external LDAP 
server, so it will be hard to unit test. However, I have built and tested it 
locally against my Active Directory server.

The feature is backward compatible. It continues to support LDAP over SSL 
through `hadoop.security.group.mapping.ldap.ssl`. It continues to support plain 
LDAP with no encryption, if both `hadoop.security.group.mapping.ldap.ssl` and 
`hadoop.security.group.mapping.ldap.starttls` are false.

> Support StartTLS encryption for LDAP group names mapping
> --------------------------------------------------------
>
>                 Key: HADOOP-12945
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12945
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 2.7.2
>            Reporter: Wei-Chiu Chuang
>            Assignee: Wei-Chiu Chuang
>              Labels: LDAP, SSL
>         Attachments: HADOOP-12945.001.patch
>
>
> The current LDAP group name resolution supports LDAP over SSL (LDAPS) 
> encryption. However, LDAPS is considered deprecated. A better encryption 
> protocol is the LDAP Start TLS extension (RFC-2830).
> I added the StartTLS support using the JNDI API, and have verified that it works 
> against my Apache Directory Service.
> To enable LDAPS, set hadoop.security.group.mapping.ldap.ssl to true. To 
> enable StartTLS, set hadoop.security.group.mapping.ldap.starttls to true. If 
> both properties are true, this implementation will choose StartTLS over 
> LDAPS, as the latter is considered deprecated.
> If StartTLS is chosen, no alternative port is necessary; otherwise, LDAPS 
> often uses a different port (normally 636) than the LDAP port (normally 389). By 
> default, StartTLS performs DEFAULT host name verification. But this can be 
> changed via hadoop.security.group.mapping.ldap.starttls.hostnameverifier. To 
> disable the host name verifier, set this value to ALLOW_ALL. Other valid values 
> are: STRICT, STRICT_IE6, and DEFAULT_AND_LOCALHOST. (See 
> {{SSLHostnameVerifier.java}} for more details.)
> This patch will conflict with HADOOP-12862 (LDAP Group Mapping over SSL can 
> not specify trust store) (status: patch available) because of the code 
> proximity.
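As an added illustration (not the attached patch's code), the connection logic the description outlines, written against the standard JNDI StartTLS API: StartTLS is preferred over LDAPS when both properties are set, StartTLS reuses the plain LDAP port, and credentials are only sent after the channel is encrypted. The class name LdapTlsConnector, the connect() signature and the hard-coded ports 389/636 are assumptions; mapping STRICT, STRICT_IE6 and DEFAULT_AND_LOCALHOST onto Hadoop's SSLHostnameVerifier is not reproduced here.

```java
import java.io.IOException;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

/** Hypothetical helper; property names are the ones discussed on HADOOP-12945. */
public class LdapTlsConnector {
  static final String SSL = "hadoop.security.group.mapping.ldap.ssl";
  static final String STARTTLS = "hadoop.security.group.mapping.ldap.starttls";
  static final String VERIFIER = "hadoop.security.group.mapping.ldap.starttls.hostnameverifier";

  /** Opens a bound LdapContext, choosing StartTLS over LDAPS over plaintext. */
  public static LdapContext connect(Map<String, String> conf, String host,
                                    String bindDn, String bindPw)
      throws NamingException, IOException {
    boolean startTls = Boolean.parseBoolean(conf.getOrDefault(STARTTLS, "false"));
    boolean ldaps = Boolean.parseBoolean(conf.getOrDefault(SSL, "false"));

    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.SECURITY_AUTHENTICATION, "simple");

    if (startTls) {
      // StartTLS upgrades the ordinary LDAP port; no alternative port is needed.
      env.put(Context.PROVIDER_URL, "ldap://" + host + ":389");  // assumed port
      LdapContext ctx = new InitialLdapContext(env, null);       // anonymous so far
      StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
      if ("ALLOW_ALL".equals(conf.get(VERIFIER))) {
        tls.setHostnameVerifier((hostname, session) -> true);     // verification disabled
      }
      tls.negotiate();  // TLS handshake; JNDI's default host name check applies otherwise
      // Bind credentials travel only over the now-encrypted channel.
      ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
      ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, bindPw);
      return ctx;
    }
    if (ldaps) {
      // Legacy LDAPS: TLS from the first byte, on its own port.
      env.put(Context.PROVIDER_URL, "ldaps://" + host + ":636");  // assumed port
      env.put(Context.SECURITY_PROTOCOL, "ssl");
    } else {
      env.put(Context.PROVIDER_URL, "ldap://" + host + ":389");   // no encryption
    }
    env.put(Context.SECURITY_PRINCIPAL, bindDn);
    env.put(Context.SECURITY_CREDENTIALS, bindPw);
    return new InitialLdapContext(env, null);
  }
}
```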



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)