2. Optional: Set Up LDAPS

If the LDAP server certificate is signed by a trusted Certificate Authority, Ambari should accept it without modification. If the LDAP server certificate is self-signed, or is signed by an unrecognized certificate authority such as an internal certificate authority, you must set up LDAP over SSL (LDAPS). Use the following procedure to set up LDAPS:

  1. On your LDAP server, do the following steps:

1. Edit /etc/sysconfig/ldap. In the line containing SLAPD_LDAPS=no, change the value to SLAPD_LDAPS=yes.

    2. cd /etc/pki/tls/certs
    3. make slapd.pem

      At the prompt, press "enter" 5 times. Then enter the FQDN for the ldap server.

    4. chown ldap slapd.pem
    5. Edit /etc/openldap/slapd.conf. Uncomment the following three lines:

      # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
      # TLSCertificateFile /etc/pki/tls/certs/slapd.pem
      # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
    6. Edit /etc/openldap/ldap.conf. Add the following line: TLS_REQCERT allow

    7. service slapd restart
    8. Test by executing:

      ldapsearch -H ldaps://ldap.apache.org:636 -b "dc=apache,dc=org" -D "uid=hdfs,ou=people,ou=dev,dc=apache,dc=org" -w hdfs "(uid=hdfs)"
  2. On all LDAP clients:

    Edit /etc/openldap/ldap.conf. Add the following line: TLS_REQCERT allow

  3. On the Ambari server:

    cd /root
    cp /etc/pki/tls/certs/slapd.pem .
    openssl x509 -in slapd.pem -out slapd.crt
    /usr/jdk64/jdk1.6.0_31/jre/bin/keytool -import -trustcacerts -alias root -file /root/slapd.crt -keystore keystore.jks
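
As an added post-setup check (example code, not part of the Ambari documentation), the following script confirms that the certificate imported into keystore.jks is the one the LDAP server actually presents on port 636, and that the chain verifies strictly, i.e. without relying on the TLS_REQCERT allow fallback, which makes clients accept a certificate that fails verification. It assumes openssl on the PATH and the keytool path used above (override with KEYTOOL); the host, keystore and store password are command-line arguments.

```shell
#!/bin/sh
# Added post-setup check, not part of the Ambari documentation. It confirms that the
# certificate imported into keystore.jks is the one the LDAP server presents on 636,
# and that the chain verifies strictly, i.e. without the TLS_REQCERT allow fallback.
# Assumptions: openssl on PATH; keytool at the JDK path used above unless overridden.
KEYTOOL=${KEYTOOL:-/usr/jdk64/jdk1.6.0_31/jre/bin/keytool}

# sha1_lines: read `keytool -list -v` output on stdin, print bare SHA1 fingerprints
# (the JDK 6 keytool lists MD5 and SHA1; openssl prints the same colon-separated form)
sha1_lines() {
    sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p'
}

# verify_ok: read `openssl s_client` output on stdin; succeed only on a clean chain
verify_ok() {
    grep -q 'Verify return code: 0 (ok)'
}

# server_cert_fingerprint HOST PORT: SHA1 of the leaf certificate the server presents
server_cert_fingerprint() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 | cut -d= -f2
}

# keystore_trusts KEYSTORE STOREPASS FINGERPRINT: succeed if the keystore lists it
keystore_trusts() {
    "$KEYTOOL" -list -v -keystore "$1" -storepass "$2" | sha1_lines | grep -qxF "$3"
}

# strict_verify HOST PORT CAFILE: verify the server chain against CAFILE alone
strict_verify() {
    openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null | verify_ok
}

main() {
    host=$1 keystore=$2 storepass=$3 cafile=${4:-/root/slapd.crt}
    fp=$(server_cert_fingerprint "$host" 636)
    echo "server presents SHA1 $fp"
    keystore_trusts "$keystore" "$storepass" "$fp" \
        && echo "OK: $keystore trusts that certificate" \
        || { echo "FAIL: $keystore does not contain the server certificate"; exit 1; }
    strict_verify "$host" 636 "$cafile" \
        && echo "OK: chain verifies against $cafile" \
        || { echo "FAIL: chain does not verify (clients with TLS_REQCERT allow would not notice)"; exit 1; }
}

# Only run when invoked with arguments: HOST KEYSTORE STOREPASS [CAFILE]
if [ "$#" -ge 3 ]; then main "$@"; fi
```

Run it on the Ambari server after the keytool import, e.g. `sh check-ldaps.sh ldap.example.internal /root/keystore.jks changeit`; a FAIL on the second check means the LDAP server's chain is not trusted by the CA file, even if ldapsearch appears to work.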