[jira] [Commented] (HADOOP-12862) LDAP Group Mapping over SSL can not specify trust store

Wed, 02 Mar 2016 12:18:59 -0800 

    [ 
https://issues.apache.org/jira/browse/HADOOP-12862?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15176388#comment-15176388
 ] 

Mike Yoder commented on HADOOP-12862:
-------------------------------------

Makes perfect sense here. Thanks for the investigation; I actually thought the 
"keystore" was misnamed, but you're right that it really is being used as a 
keystore. I haven't heard of an AD server requiring client-side certs before... 
so you're right, we need new config parameters 
hadoop.security.group.mapping.ldap.ssl.truststore and friends.


> LDAP Group Mapping over SSL can not specify trust store
> -------------------------------------------------------
>
>                 Key: HADOOP-12862
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12862
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Wei-Chiu Chuang
>
> In a secure environment, SSL is used to encrypt LDAP request for group 
> mapping resolution.
> We (+[~yoderme], +[~tgrayson]) have found that its implementation is strange.
> For information, Hadoop name node, as an LDAP client, talks to a LDAP server 
> to resolve the group mapping of a user. In the case of LDAP over SSL, a 
> typical scenario is to establish one-way authentication (the client verifies 
> the server's certificate is real) by storing the server's certificate in the 
> client's truststore.
> A rarer scenario is to establish two-way authentication: in addition to store 
> truststore for the client to verify the server, the server also verifies the 
> client's certificate is real, and the client stores its own certificate in 
> its keystore.
> However, the current implementation for LDAP over SSL does not seem to be 
> correct in that it only configures keystore but no truststore (so LDAP server 
> can verify Hadoop's certificate, but Hadoop may not be able to verify LDAP 
> server's certificate)
> I think there should an extra pair of properties to specify the 
> truststore/password for LDAP server, and use that to configure system 
> properties {{javax.net.ssl.trustStore}}/{{javax.net.ssl.trustStorePassword}}
> I am a security layman so my words can be imprecise. But I hope this makes 
> sense.
> Oracle's SSL LDAP documentation: 
> http://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
> JSSE reference guide: 
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to