From: "Wei-Chiu Chuang (JIRA)"
To: common-issues@hadoop.apache.org
Date: Wed, 2 Mar 2016 20:27:18 +0000 (UTC)
Subject: [jira] [Assigned] (HADOOP-12862) LDAP Group Mapping over SSL can not specify trust store

[ https://issues.apache.org/jira/browse/HADOOP-12862?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wei-Chiu Chuang reassigned HADOOP-12862:
----------------------------------------

    Assignee: Wei-Chiu Chuang

> LDAP Group Mapping over SSL can not specify trust store
> -------------------------------------------------------
>
>                 Key: HADOOP-12862
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12862
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Wei-Chiu Chuang
>            Assignee: Wei-Chiu Chuang
>
> In a secure environment, SSL is used to encrypt LDAP requests for group mapping resolution.
> We (+[~yoderme], +[~tgrayson]) have found that its implementation is strange.
> For information, the Hadoop name node, as an LDAP client, talks to an LDAP server to resolve the group mapping of a user. In the case of LDAP over SSL, a typical scenario is to establish one-way authentication (the client verifies the server's certificate is real) by storing the server's certificate in the client's truststore.
> A rarer scenario is to establish two-way authentication: in addition to storing a truststore for the client to verify the server, the server also verifies the client's certificate is real, and the client stores its own certificate in its keystore.
> However, the current implementation for LDAP over SSL does not seem to be correct in that it only configures a keystore but no truststore (so the LDAP server can verify Hadoop's certificate, but Hadoop may not be able to verify the LDAP server's certificate).
> I think there should be an extra pair of properties to specify the truststore/password for the LDAP server, and use that to configure the system properties {{javax.net.ssl.trustStore}}/{{javax.net.ssl.trustStorePassword}}.
> I am a security layman so my words can be imprecise. But I hope this makes sense.
> Oracle's SSL LDAP documentation: http://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
> JSSE reference guide: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
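The keystore/truststore distinction the issue describes can be demonstrated end to end without an LDAP server. The program below is an added example written for this archive page; it is not Hadoop code and not part of the JIRA issue. It is in Go rather than Java only because Go's standard library can mint a throw-away internal CA, an LDAP server certificate and a NameNode client certificate in memory and run the TLS handshake over loopback in one file, which JSSE cannot do without keystore files on disk. The mapping to the Java properties is: the client's own certificate (`javax.net.ssl.keyStore`) is `Certificates` on the client `tls.Config`, and the CA it trusts (`javax.net.ssl.trustStore`) is `RootCAs`. The `pki` type, the `Connect` function, the CA name and the hostnames `ldap.example.internal` / `namenode.example.internal` are all constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // the example only builds throw-away material
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues an in-memory certificate (constructed test material): a
// self-signed CA when parent == nil, otherwise a leaf signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA = true
		parent, parentKey = tmpl, key // self-signed
	} else {
		tmpl.DNSNames = []string{cn} // hostname checks use SANs, not the CN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

type pki struct {
	caPool         *x509.CertPool // the constructed internal CA (what a trust store would hold)
	server, client tls.Certificate // LDAP server cert and NameNode client cert, both signed by it
}

func newPKI() *pki {
	caCert, caKey := newCert("Internal CA (constructed)", nil, nil)
	srvCert, srvKey := newCert("ldap.example.internal", caCert, caKey)
	cliCert, cliKey := newCert("namenode.example.internal", caCert, caKey)
	p := &pki{caPool: x509.NewCertPool()}
	p.caPool.AddCert(caCert)
	p.server = tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}
	p.client = tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}
	return p
}

// Connect models the NameNode's LDAP-over-SSL client. keyStore stands for
// javax.net.ssl.keyStore (the client's own certificate), trustStore for
// javax.net.ssl.trustStore (the CA it trusts); without a trust store the client
// falls back to the system roots, which do not contain the internal CA.
func (p *pki) Connect(keyStore, trustStore, serverRequiresClientCert bool) error {
	srv := &tls.Config{Certificates: []tls.Certificate{p.server}}
	if serverRequiresClientCert {
		srv.ClientAuth, srv.ClientCAs = tls.RequireAndVerifyClientCert, p.caPool
	}
	cli := &tls.Config{ServerName: "ldap.example.internal"}
	if keyStore {
		cli.Certificates = []tls.Certificate{p.client}
	}
	if trustStore {
		cli.RootCAs = p.caPool
	}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srv))
	defer ln.Close()
	srvErr := make(chan error, 1) // under TLS 1.3 a rejected client cert is reported only server-side
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			err = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
		srvErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return err // the client could not verify the server
	}
	defer conn.Close()
	return <-srvErr // nil only when the server accepted the client as well
}

func main() {
	p := newPKI()
	for _, c := range [][3]bool{{false, true, false}, {true, false, false}, {true, true, true}, {false, true, true}} {
		fmt.Printf("keyStore=%-5v trustStore=%-5v mutual=%-5v -> %v\n", c[0], c[1], c[2], p.Connect(c[0], c[1], c[2]))
	}
}
```

The second row of the output is the situation the issue reports: with only a key store configured, the client presents its own certificate but fails to verify the server's, because nothing told it to trust the internal CA. In JSSE the same fallback applies: when `javax.net.ssl.trustStore` is unset, the JDK's default `cacerts` truststore is consulted, which will not contain a private CA, so the LDAPS connection fails (or, worse, operators are tempted to import the CA into the JDK-wide `cacerts` rather than a per-service truststore). The fourth row shows why a key store is still needed for two-way authentication: a server configured to require client certificates rejects a client that only has a trust store.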