If the LDAP server certificate is signed by a Certificate Authority that the Ambari server's Java truststore already trusts, Ambari accepts it without modification. If the LDAP server certificate is self-signed, or is signed by a CA that the truststore does not recognize (for example, an internal certificate authority), you must set up LDAP over TLS (LDAPS) on the directory server and import the server certificate into the Ambari truststore. Use the following procedure to set up LDAPS:
On your LDAP server, do the following steps:
1. Edit /etc/sysconfig/ldap. In the line SLAPD_LDAPS=no, change the value to SLAPD_LDAPS=yes so that slapd also listens for ldaps:// connections (port 636).
2. Generate a self-signed certificate and private key for slapd:
cd /etc/pki/tls/certs
make slapd.pem
At the prompts, press Enter five times, then enter the FQDN of the LDAP server as the Common Name. The FQDN must match the host name that clients put in the ldaps:// URL, otherwise certificate verification fails.
3. The generated slapd.pem holds the private key as well as the certificate, so give it to the slapd user and keep it readable by that user only:
chown ldap slapd.pem
4. Edit /etc/openldap/slapd.conf. Uncomment the following three lines:
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
5. Edit /etc/openldap/ldap.conf. Add the following line:
TLS_REQCERT allow
Caveat: with allow, the client requests the server certificate but continues even when it cannot verify it, so this setting trades protection against a man-in-the-middle for convenience with the self-signed certificate. To keep verification, point TLS_CACERT at the server certificate (the certificate portion of slapd.pem, without the key) on each client and use TLS_REQCERT demand instead.
6. Restart slapd:
service slapd restart
7. Test with ldapsearch over ldaps://, substituting your own host, base DN, bind DN and password for the example values:
ldapsearch -H ldaps://ldap.apache.org:636 -b "dc=apache,dc=org" -D "uid=hdfs,ou=people,ou=dev,dc=apache,dc=org" -w hdfs "(uid=hdfs)"
Note that -w places the password on the command line, where it is visible in the process list and shell history; -W prompts for it instead.
On all LDAP clients:
Edit /etc/openldap/ldap.conf. Add the following line:
TLS_REQCERT allow
The same caveat applies as on the server: allow disables failure on an unverifiable certificate, and TLS_REQCERT demand together with TLS_CACERT is the stricter choice.
On the Ambari server, copy the slapd.pem from the LDAP server, extract the certificate from it and import that certificate into the Ambari truststore:
cd /root
cp /etc/pki/tls/certs/slapd.pem .
openssl x509 -in slapd.pem -out slapd.crt
/usr/jdk64/jdk1.6.0_31/jre/bin/keytool -import -trustcacerts -alias root -file /root/slapd.crt -keystore keystore.jks
The openssl x509 step writes only the certificate to slapd.crt; the private key contained in slapd.pem is not imported. Because that key has no business on the Ambari server, copy only slapd.crt across if you can, or delete the copied slapd.pem once slapd.crt exists. keytool prompts for the keystore password and asks you to confirm that the certificate is trusted; use the keytool of the JDK that Ambari runs with, which is the path shown above on a default install.
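As an added example (not part of the Ambari documentation or of the OpenLDAP project), the following POSIX shell script packages the checks a practitioner would run around this procedure: extracting only the certificate from the combined slapd.pem before it is copied to the Ambari server, confirming that the file holding the private key is not world-readable, and flagging an ldap.conf whose TLS_REQCERT setting (allow or never) would accept an unverifiable server certificate. Every file name and file content in it is a constructed sample written under a temporary directory; it never touches the real /etc/openldap or /etc/pki paths.

```shell
#!/bin/sh
# Added example, not from the Ambari documentation or the OpenLDAP project.
# Helper checks for the LDAPS procedure above. Every file written here is a
# constructed sample under a temporary directory.

# Print only the CERTIFICATE block(s) of a PEM file. "make slapd.pem" writes
# the private key and the certificate into the same file, and only the
# certificate belongs in the Ambari server truststore.
extract_cert() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Return 0 when a PEM file that carries a private key is not readable by
# "other", 1 when it is. find -perm -004 prints the path only if the
# other-read bit is set.
check_key_perms() {
    [ -z "$(find "$1" -perm -004 -print)" ]
}

# Return 0 when an ldap.conf keeps server certificate verification on:
# TLS_REQCERT absent (OpenLDAP defaults to demand), demand or hard, plus a
# TLS_CACERT that lets the self-signed slapd certificate verify. Return 1
# and explain on stderr otherwise. Keywords are case-insensitive in ldap.conf.
check_ldap_conf() {
    conf="$1"
    reqcert=$(awk 'toupper($1) == "TLS_REQCERT" { v = $2 } END { print tolower(v) }' "$conf")
    cacert=$(awk 'toupper($1) == "TLS_CACERT" { v = $2 } END { print v }' "$conf")
    reqcert=${reqcert:-demand}
    case "$reqcert" in
        demand|hard) ;;
        *)
            echo "$conf: TLS_REQCERT $reqcert accepts an unverifiable server certificate" >&2
            return 1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "$conf: no TLS_CACERT, so a self-signed slapd certificate cannot be verified" >&2
        return 1
    fi
    return 0
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for /etc/pki/tls/certs/slapd.pem: key plus certificate.
SAMPLE_PEM="$WORK/slapd.pem"
cat > "$SAMPLE_PEM" <<'EOF'
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-SAMPLE-NOT-A-REAL-KEY
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-SAMPLE-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
EOF
chmod 600 "$SAMPLE_PEM"

# Constructed ldap.conf as the procedure writes it, and a stricter variant.
LOOSE_CONF="$WORK/ldap.conf.allow"
printf 'TLS_REQCERT allow\n' > "$LOOSE_CONF"
STRICT_CONF="$WORK/ldap.conf.demand"
printf 'TLS_CACERT /etc/openldap/certs/slapd.crt\nTLS_REQCERT demand\n' > "$STRICT_CONF"

# Same effect as "openssl x509 -in slapd.pem -out slapd.crt": the key stays behind.
extract_cert "$SAMPLE_PEM" > "$WORK/slapd.crt"
if grep -q 'PRIVATE KEY' "$WORK/slapd.crt"; then
    echo "private key leaked into slapd.crt"
fi

if check_key_perms "$SAMPLE_PEM"; then
    echo "slapd.pem is not world-readable"
fi
for f in "$LOOSE_CONF" "$STRICT_CONF"; do
    if check_ldap_conf "$f"; then
        echo "$f: server certificate verification enforced"
    fi
done
```

Run it as-is to see the allow configuration rejected and the demand configuration accepted; to audit a real host, call check_ldap_conf /etc/openldap/ldap.conf and check_key_perms /etc/pki/tls/certs/slapd.pem directly.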