instaclustr / cassandra-ldap

LDAP Authenticator for Apache Cassandra
Apache License 2.0

LDAPS #11

Closed bmonteiro closed 5 years ago

bmonteiro commented 5 years ago

Hi @smiklosovic, can you please update the docs so we could use LDAPS with a self-signed Root CA? We definitely won't use LDAP on 389 because of the plaintext password, and also most companies have their own private PKI. Usually the Root CA is passed via some properties and sometimes it also needs to be part of the CACerts used by Java. Please let me know if more details are needed. Regards, Bruno

smiklosovic commented 5 years ago

Hi @bmonteiro ,

as far as I know, all it takes to enable secure communication to the LDAP server (if it supports it itself) is to import the certificate of your LDAP server into the truststore of Cassandra and start that node.

The protocol for the LDAP server will be ldaps and the port would most probably change too (e.g. 636, but it is for sure deployment specific), so you have to reflect this change in the ldap.properties file.

In this particular example (2), the certificate is in /container/service/slapd/assets/certs/ca.crt, so the import would be like:

keytool -importcert -file ca.crt -keystore cassandra-truststore.jks -storepass mypass

(1) https://github.com/osixia/docker-openldap
(2) https://github.com/osixia/docker-openldap#tls
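The procedure in the reply above, as an added example that is not code from the cassandra-ldap project or its commenters: import a private root CA into a truststore the Cassandra JVM actually consults, and flip ldap.properties from ldap:// to ldaps://. It assumes the connector uses the JVM's JNDI LDAP client (so the JVM truststore, not the truststore named in cassandra.yaml, is what the server certificate is checked against) and that the URL key in ldap.properties is named ldap_uri; truststore path, password and hostnames are constructed values.

```shell
# Added example, not cassandra-ldap project code. Assumes the connector uses the
# JVM's JNDI LDAP client, so the server certificate is checked against the JVM
# truststore (javax.net.ssl.trustStore), not the one named in cassandra.yaml, and
# that the ldap.properties key holding the server URL is "ldap_uri" (assumption).
set -eu

# Rewrite an ldap:// URL as ldaps:// with the LDAPS port (636 unless given;
# the real port is deployment specific). Usage: to_ldaps_url URL [PORT]
to_ldaps_url() {
    url=$1; port=${2:-636}
    case $url in
        ldaps://*) printf '%s\n' "$url"; return 0 ;;   # already LDAPS
        ldap://*)  ;;
        *) echo "unsupported URL scheme: $url" >&2; return 1 ;;
    esac
    rest=${url#ldap://}            # host[:port][/base-dn]
    hostport=${rest%%/*}           # host[:port]
    path=${rest#"$hostport"}       # /base-dn or empty
    printf 'ldaps://%s:%s%s\n' "${hostport%%:*}" "$port" "$path"
}

# Filter ldap.properties on stdin, rewriting only the ldap_uri line.
rewrite_ldap_properties() {            # rewrite_ldap_properties [PORT]
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ldap_uri:*) value=$(printf '%s' "${line#ldap_uri:}" | sed 's/^[[:space:]]*//')
                        printf 'ldap_uri: %s\n' "$(to_ldaps_url "$value" "${1:-636}")" ;;
            *)          printf '%s\n' "$line" ;;
        esac
    done
}

# Import the private root CA into a dedicated truststore, confirm the alias is
# present, and print the JVM options (one per line, for conf/jvm.options) that
# make the JVM use it. A dedicated store replaces the JDK's default cacerts for
# this JVM, so any other TLS peer Cassandra talks to must be trusted from it too.
import_root_ca() {                     # import_root_ca CA_PEM TRUSTSTORE STOREPASS
    keytool -importcert -noprompt -alias ldap-root-ca -file "$1" -keystore "$2" -storepass "$3"
    keytool -list -keystore "$2" -storepass "$3" -alias ldap-root-ca >/dev/null
    printf -- '-Djavax.net.ssl.trustStore=%s\n-Djavax.net.ssl.trustStorePassword=%s\n' "$2" "$3"
}

# Stand-alone demo on a constructed ldap.properties; the keytool step runs only
# when a JDK is on PATH and LDAP_ROOT_CA names the CA certificate file.
printf 'ldap_uri: ldap://ldap.example.org:389/dc=example,dc=org\n' | rewrite_ldap_properties
if command -v keytool >/dev/null 2>&1 && [ -f "${LDAP_ROOT_CA:-}" ]; then
    import_root_ca "$LDAP_ROOT_CA" "${TRUSTSTORE:-ldap-truststore.jks}" "${STOREPASS:-changeit}"
fi
```

After restarting the node, a failed handshake shows up in the Cassandra log as an SSLHandshakeException from the LDAP connection rather than an authentication error, which is the quickest way to tell a trust problem from a bad bind DN or password.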

bmonteiro commented 5 years ago

OK, let me try it. Thx.