[ https://issues.apache.org/jira/browse/HADOOP-12945?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Wei-Chiu Chuang updated HADOOP-12945:
-------------------------------------
Attachment: HADOOP-12945.002.patch
Rev02: fixed checkstyle warning.
> Support StartTLS encryption for LDAP group names mapping
> --------------------------------------------------------
>
> Key: HADOOP-12945
> URL: https://issues.apache.org/jira/browse/HADOOP-12945
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
> Affects Versions: 2.7.2
> Reporter: Wei-Chiu Chuang
> Assignee: Wei-Chiu Chuang
> Labels: LDAP, SSL
> Attachments: HADOOP-12945.001.patch, HADOOP-12945.002.patch
>
>
> The current LDAP group name resolution supports LDAP over SSL (LDAPS)
> encryption. However, LDAPS is considered deprecated. A better encryption
> protocol is LDAP Start TLS extension (RFC-2830).
> I added the StartTLS support using JNDI API, and have verified that it works
> against my Apache Directory Service.
> To enable LDAPS, set hadoop.security.group.mapping.ldap.ssl to true. To
> enable StartTLS, set hadoop.security.group.mapping.ldap.starttls to true. If
> both properties are true, this implementation will choose StartTLS over
> LDAPS, as the latter is considered deprecated.
> If StartTLS is chosen, no alternative port is necessary; otherwise, LDAPS
> often uses a different port (normally 636) than LDAP port (normally 389). By
> default, StartTLS performs DEFAULT host name verification. But this can be
> changed via hadoop.security.group.mapping.ldap.starttls.hostnameverifier. To
> disable host name verifier, set this value to ALLOW_ALL. Other valid values
> are: STRICT, STRICT_IE6, and DEFAULT_AND_LOCALHOST. (See
> {{SSLHostnameVerifier.java}} for more details)
> This patch will conflict with HADOOP-12862 (LDAP Group Mapping over SSL can
> not specify trust store) (status: patch available) because of the code
> proximity.
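Added example, not code from the HADOOP-12945 patch or from Hadoop: it shows the StartTLS upgrade over the JNDI API that the description refers to, with the same selection rule (StartTLS preferred over LDAPS when both are enabled) and the same port convention (389 for StartTLS, 636 for LDAPS). Host name, bind DN and password are constructed placeholders, the `open`/`choose` method names are this example's own, and the hostname verifier is a plain `javax.net.ssl.HostnameVerifier` rather than Hadoop's `SSLHostnameVerifier` values named in the issue.

```java
// Added example (not from the HADOOP-12945 patch): an LDAP connection that is
// upgraded with StartTLS via JNDI before any credentials are sent.
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.HostnameVerifier;

public class LdapStartTlsExample {

  enum Transport { PLAIN, LDAPS, STARTTLS }

  /** Selection rule from the issue: StartTLS wins over LDAPS when both flags are set. */
  static Transport choose(boolean ssl, boolean startTls) {
    if (startTls) return Transport.STARTTLS;
    if (ssl) return Transport.LDAPS;
    return Transport.PLAIN;
  }

  /**
   * Opens an LDAP context. StartTLS uses the plain LDAP port (389) and upgrades
   * the socket before the bind; LDAPS uses the dedicated port (636) with the
   * "ssl" security protocol. verifierOverride == null keeps the JNDI default
   * host name check (the analogue of the issue's DEFAULT setting).
   */
  static LdapContext open(String host, boolean ssl, boolean startTls,
                          String bindDn, String bindPassword,
                          HostnameVerifier verifierOverride)
      throws NamingException, IOException {
    Transport t = choose(ssl, startTls);
    String url = (t == Transport.LDAPS) ? "ldaps://" + host + ":636"
                                        : "ldap://" + host + ":389";

    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, url);

    if (t == Transport.LDAPS) {
      // LDAPS: the whole session is TLS from the first byte, so credentials
      // may be supplied up front.
      env.put(Context.SECURITY_PROTOCOL, "ssl");
      env.put(Context.SECURITY_AUTHENTICATION, "simple");
      env.put(Context.SECURITY_PRINCIPAL, bindDn);
      env.put(Context.SECURITY_CREDENTIALS, bindPassword);
      return new InitialLdapContext(env, null);
    }

    // StartTLS (or plain): create the context WITHOUT credentials, i.e. an
    // anonymous connection, so the bind password is never written to the
    // socket before encryption has been negotiated.
    LdapContext ctx = new InitialLdapContext(env, null);
    if (t == Transport.STARTTLS) {
      StartTlsResponse tls =
          (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
      // Must be set before negotiate(). An accept-everything verifier (the
      // issue's ALLOW_ALL) gives up the check that the certificate belongs to
      // the host that was dialled, so keep the default unless there is a reason.
      if (verifierOverride != null) {
        tls.setHostnameVerifier(verifierOverride);
      }
      tls.negotiate();  // TLS handshake; throws IOException on an untrusted certificate
    }
    // Credentials added now are used for the bind sent with the next request.
    ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
    ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
    ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, bindPassword);
    return ctx;
  }

  public static void main(String[] args) throws Exception {
    // Constructed placeholders; point them at a test directory such as ApacheDS.
    LdapContext ctx = open("ldap.example.test", true, true,
        "uid=hadoop,ou=system", "placeholder-password", null);
    System.out.println("Connected via " + ctx.getEnvironment().get(Context.PROVIDER_URL));
    ctx.close();
  }
}
```

The ordering is the point of the example: with StartTLS the `InitialLdapContext` is created anonymously, `negotiate()` runs first, and only then are the bind credentials added, whereas with LDAPS they can go into the environment from the start. Mapping onto the issue's properties, `ssl` corresponds to hadoop.security.group.mapping.ldap.ssl and `startTls` to hadoop.security.group.mapping.ldap.starttls.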