Details
Major Description
The current LDAP group name resolution supports LDAP over SSL (LDAPS) encryption. However, LDAPS is considered deprecated. A better encryption protocol is LDAP Start TLS extension (RFC-2830).
I added the StartTLS support using JNDI API, and have verified that it works against my Apache Directory Service.
To enable LDAPS, set hadoop.security.group.mapping.ldap.ssl to true. To enable StartTLS, set hadoop.security.group.mapping.ldap.starttls to true. If both properties are true, this implementation will choose StartTLS over LDAPS, as the latter is considered deprecated.
If StartTLS is chosen, no alternative port is necessary; otherwise, LDAPS often uses a different port (normally 636) than LDAP port (normally 389). By default, StartTLS performs DEFAULT host name verification. But this can be changed via hadoop.security.group.mapping.ldap.starttls.hostnameverifier. To disable host name verifier, set this value to ALLOW_ALL. Other valid values are: STRICT, STRICT_IE6, and DEFAULT_AND_LOCALHOST. (See SSLHostnameVerifier.java for more details)
This patch will conflict with HADOOP-12862 (LDAP Group Mapping over SSL can not specify trust store) (status: patch available) because of the code proximity.