Secure binds for LDAP on FreeIPA instances

By default, secure authentication (LDAPS on port 636) is turned on for LDAP on FreeIPA instances when a new environment is created. For existing environments, secure authentication for LDAP is configured during upgrades. This means that within a Cloudera environment, FreeIPA, the Data Lake, and Cloudera Data Hub automatically use secure authentication.

When connecting to LDAP from outside a Cloudera environment, the FreeIPA CA certificate must be downloaded and either added to the trust store of the client machine or passed to the ldapsearch command (or another LDAP client) on the command line, so that the client can verify the server certificate.

  1. Navigate to your environment in Management Console.
  2. Select FreeIPA.
  3. Click Get FreeIPA Certificate.
  4. Use ldapsearch with the certificate as shown in the following example:
    LDAPTLS_CACERT=$(pwd)/demo-awsenv-uswest1.crt ldapsearch \
      -H ldaps://ipaserver0.demo.xcu2-8y8x.wl.cloudera.site:636 \
      -D "uid=fakemockuser1,cn=users,cn=accounts,dc=demo,dc=xcu2-8y8x,dc=wl,dc=cloudera,dc=site" \
      -W \
      -b "cn=users,cn=accounts,dc=demo,dc=xcu2-8y8x,dc=wl,dc=cloudera,dc=site" \
      "(objectclass=*)" dn
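The following script is an added example, not part of the Cloudera documentation, that wraps the procedure above in a small shell helper. It assumes the FreeIPA CA certificate has already been downloaded to a PEM file and that the host name, bind DN, and base DN are passed as arguments; the host name `ipa.example.test` and the DNs used in the comments are constructed placeholders. It adds two checks a practitioner normally wants: it refuses to run when the CA file is missing or is not a PEM certificate, and it sets `LDAPTLS_REQCERT=demand` so that ldapsearch aborts on any certificate verification failure instead of silently continuing. It also shows the alternative of installing the certificate into the system trust store on a RHEL-family client.

```shell
#!/usr/bin/env bash
# Added example: run ldapsearch over LDAPS with mandatory certificate verification.
# Assumes the FreeIPA CA certificate was downloaded to a PEM file (step 3 above).

# check_ca_file FILE
#   Returns 0 if FILE exists, is non-empty and contains a PEM certificate block,
#   1 otherwise. Guards against pointing LDAPTLS_CACERT at a wrong or empty file.
check_ca_file() {
  local f="$1"
  if [ ! -s "$f" ]; then
    echo "CA file '$f' is missing or empty" >&2
    return 1
  fi
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
    echo "CA file '$f' does not look like a PEM certificate" >&2
    return 1
  fi
  return 0
}

# build_ldapsearch_cmd HOST BINDDN BASEDN
#   Prints the ldapsearch command line that secure_ldapsearch would execute,
#   so the exact invocation can be reviewed (or tested) without a live server.
build_ldapsearch_cmd() {
  local host="$1" binddn="$2" basedn="$3"
  printf 'ldapsearch -H ldaps://%s:636 -D "%s" -W -b "%s" "(objectclass=*)" dn\n' \
    "$host" "$binddn" "$basedn"
}

# secure_ldapsearch CAFILE HOST BINDDN BASEDN
#   Performs the bind with the CA certificate passed on the command line.
#   LDAPTLS_REQCERT=demand makes the client fail hard on an untrusted or
#   mismatched server certificate (LDAPTLS_REQCERT=never would disable that
#   check and is the setting to avoid).
secure_ldapsearch() {
  local cafile="$1" host="$2" binddn="$3" basedn="$4"
  check_ca_file "$cafile" || return 1
  LDAPTLS_CACERT="$cafile" LDAPTLS_REQCERT=demand \
    ldapsearch -H "ldaps://$host:636" -D "$binddn" -W -b "$basedn" "(objectclass=*)" dn
}

# install_ca_system_wide CAFILE
#   Alternative to LDAPTLS_CACERT: add the certificate to the client's trust
#   store (RHEL-family paths shown; requires root). After this, ldapsearch and
#   other TLS clients on the machine trust the FreeIPA CA without extra flags.
install_ca_system_wide() {
  local cafile="$1"
  check_ca_file "$cafile" || return 1
  cp "$cafile" /etc/pki/ca-trust/source/anchors/freeipa-ca.crt && update-ca-trust
}

# Example invocation (constructed placeholder values):
# secure_ldapsearch ./freeipa-ca.crt ipa.example.test \
#   "uid=alice,cn=users,cn=accounts,dc=example,dc=test" \
#   "cn=users,cn=accounts,dc=example,dc=test"
```

The `-W` flag prompts for the bind password, so the credential never appears in the shell history or process list; `build_ldapsearch_cmd` exists only to show the exact command that will run, which is useful when the search is embedded in automation and needs review.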