LDAPS connection requirements
To comply with modern security standards (FIPS 140-3) and enforce Perfect Forward Secrecy (PFS), Cloudera Data Engineering requires specific configurations for LDAPS connections. Connections to LDAP servers using legacy or weak cipher suites fail with SSL handshake errors.
Supported protocols
You must use one of the following protocols:
- TLS 1.2 (minimum required)
- TLS 1.3 (recommended)
Required cipher suites
Your LDAP server must support ephemeral key exchange algorithms to establish a connection. At least one of the following cipher suites must be enabled on your directory server:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Unsupported configurations
The following configurations are not supported:
- Static RSA key exchange (for example, TLS_RSA_WITH_AES_128_GCM_SHA256)
- Weak protocols, such as SSLv3, TLS 1.0, and TLS 1.1
- Weak ciphers, such as RC4, 3DES, DES, and NULL
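A check against the requirements above, added here as an example and not Cloudera's own tooling: classify() judges a negotiated protocol and cipher suite against the rules on this page, and probe_ldaps() performs a live handshake that offers only TLS 1.2 or later and the three required ECDHE suites, so a failed handshake reproduces the SSL handshake error described above. The hostname, port and CA bundle path are assumptions.

```python
import socket
import ssl

# IANA suite names from the requirements above, mapped to the OpenSSL names
# that ssl.SSLContext.set_ciphers() understands.
REQUIRED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
}
OPENSSL_TO_IANA = {v: k for k, v in REQUIRED_SUITES.items()}
ALLOWED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES", "NULL")  # "DES" also covers 3DES spellings


def classify(protocol: str, suite: str) -> tuple[bool, str]:
    """Judge one negotiated (protocol, cipher suite) pair against the rules above.
    Accepts either the IANA or the OpenSSL spelling of the suite name."""
    suite = OPENSSL_TO_IANA.get(suite, suite)
    if protocol not in ALLOWED_PROTOCOLS:
        return False, f"{protocol} is not TLS 1.2 or TLS 1.3"
    for marker in WEAK_CIPHER_MARKERS:
        if marker in suite.upper():
            return False, f"weak cipher {marker} in {suite}"
    if protocol == "TLSv1.3":
        return True, "TLS 1.3 suites always use ephemeral key exchange"
    if suite in REQUIRED_SUITES:
        return True, f"{suite} is one of the required ECDHE suites"
    if suite.startswith("TLS_RSA_"):
        return False, f"{suite} uses static RSA key exchange, so no forward secrecy"
    return False, f"{suite} is not one of the required ECDHE suites"


def probe_ldaps(host: str, port: int = 636, cafile=None, timeout: float = 5.0) -> tuple[bool, str]:
    """Live check: handshake with the LDAPS endpoint while offering only TLS 1.2+
    and the three required ECDHE suites, then classify what was negotiated."""
    ctx = ssl.create_default_context(cafile=cafile)  # certificate validation stays on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(REQUIRED_SUITES.values()))  # TLS 1.2 list; 1.3 suites are built in
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                protocol, suite = tls.version(), tls.cipher()[0]
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return False, f"handshake with {host}:{port} failed: {exc}"
    return classify(protocol, suite)


if __name__ == "__main__":
    print(probe_ldaps("ldap.example.com"))  # assumed hostname; replace with your directory server
```

Pass cafile= pointing at the CA that issued the directory server's certificate if it is not in the system trust store; otherwise a certificate error is reported in place of a cipher result.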
