
AMBARI-18860. LDAPS must be used to communicate with an Active Directory when Kerberos is being enabled (BE).(vbrodetskyi)

Vitaly Brodetskyi 8 yıl önce
ebeveyn
işleme
2fdd066cf9

+ 3 - 0
ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java

@@ -149,6 +149,9 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler {
     if (this.ldapUrl == null) {
       throw new KerberosKDCConnectionException("ldapUrl not provided");
     }
+    if (!this.ldapUrl.startsWith("ldaps://")) {
+      throw new KerberosKDCConnectionException("ldapUrl is not valid ldaps URL");
+    }
 
     this.principalContainerDn = kerberosConfiguration.get(KERBEROS_ENV_PRINCIPAL_CONTAINER_DN);
     if (this.principalContainerDn == null) {
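Review bot: The added guard `this.ldapUrl.startsWith("ldaps://")` is a case-sensitive prefix match on the raw configured string, so it validates only how the value begins. If ldapUrl is later passed to JNDI as the provider URL (not visible in this hunk), a space-separated list whose first entry is ldaps:// and whose later entry is ldap:// would pass the check and could still allow an unencrypted connection, while a legitimate `LDAPS://host` value is rejected. Consider trimming the value, splitting it on whitespace and requiring every entry to satisfy `"ldaps".equalsIgnoreCase(URI.create(entry).getScheme())`. The message would also help operators more as `"ldapUrl must use the ldaps:// scheme"`. The enclosing open() method starts and ends outside the hunk.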

+ 14 - 0
ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java

@@ -91,6 +91,20 @@ public class ADKerberosOperationHandlerTest extends KerberosOperationHandlerTest
     handler.close();
   }
 
+  @Test(expected = KerberosKDCConnectionException.class)
+  public void testOpenExceptionNoLdaps() throws Exception {
+    PrincipalKeyCredential kc = new PrincipalKeyCredential(DEFAULT_ADMIN_PRINCIPAL, "hello");
+    KerberosOperationHandler handler = new ADKerberosOperationHandler();
+    Map<String, String> kerberosEnvMap = new HashMap<String, String>() {
+      {
+        put(ADKerberosOperationHandler.KERBEROS_ENV_LDAP_URL, "ldap://this_wont_work");
+        put(ADKerberosOperationHandler.KERBEROS_ENV_PRINCIPAL_CONTAINER_DN, DEFAULT_PRINCIPAL_CONTAINER_DN);
+      }
+    };
+    handler.open(kc, DEFAULT_REALM, kerberosEnvMap);
+    handler.close();
+  }
+
   @Test(expected = KerberosAdminAuthenticationException.class)
   public void testTestAdministratorCredentialsIncorrectAdminPassword() throws Exception {
     PrincipalKeyCredential kc = new PrincipalKeyCredential(DEFAULT_ADMIN_PRINCIPAL, "wrong");
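Review bot: `testOpenExceptionNoLdaps` asserts only the exception type, and KerberosKDCConnectionException is also what open() throws for a missing ldapUrl (see the handler hunk) and presumably for an unreachable host, so the test may still pass if the scheme check is removed. Catch the exception and pin the guard with `assertEquals("ldapUrl is not valid ldaps URL", e.getMessage());` instead of relying on `expected = ...`. The `handler.close();` after `handler.open(...)` is never reached when the expected exception is thrown. A companion case with an upper-case `LDAPS://` value would document whether the scheme match is meant to be case-sensitive.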