Feature #36026
Make Foreman support StartTLS on LDAP connections
Status: open
Description
LDAP with StartTLS should be favoured over LDAPs, but not all agree to this, so Foreman needs to support both.
github.com/katello/ldap_fluff supports both with LDAPs being simple_tls and LDAP with StartTLS being start_tls.
I changed the support for a customer by simply switching the option at https://github.com/theforeman/foreman/blob/develop/app/models/auth_sources/auth_source_ldap.rb#L100, so Foreman works fine using StartTLS.
To implement this in the UI I see two options:
- Have only one checkbox like now, but change the description to TLS and if the port is a standard LDAP port (389 or 3268) use start_tls, if it is an LDAPs port (636 or 3269) use simple_tls. Disadvantage: we do not know how to handle custom ports!
- Add another checkbox for StartTLS or better some selection between unencrypted, StartTLS and LDAPs (with StartTLS being the default). Disadvantage is a user more likely mixes things up or we need a more complicated way to provide sane defaults (like now when checking the LDAPs box it switches the port to 636)!
The old issue for this was closed because of inactivity: https://projects.theforeman.org/issues/7016
Switching the implementation silently had to be reverted, as support for both is needed: https://projects.theforeman.org/issues/7003
For the need see the community post: https://community.theforeman.org/t/ldap-auth-failing-for-bind-user/32037
Updated by Ewoud Kohl van Wijngaarden over 1 year ago
I would be in favor of being explicit because it supports custom ports, but an "auto" option which does the right thing with standard ports would make it easy for users. Most users wouldn't need to think about it. Another common approach I've seen is that selecting the encryption method also changes the port in the form.
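The selection logic discussed in the description (port-based auto-detection vs. an explicit mode) and in the comment above (explicit modes plus an "auto" choice, with the mode driving the default port) can be written down as a small resolver. This is an added example, not Foreman's or ldap_fluff's own code; it assumes a hypothetical module `LdapEncryptionResolver` and only reuses the ldap_fluff symbols `:start_tls` and `:simple_tls` named in the description. The shape of `encryption_options` follows the `encryption:` hash that net-ldap (the library ldap_fluff wraps) accepts, which is an assumption about how the result would be consumed.

```ruby
require 'openssl'

# Added example (not Foreman or ldap_fluff code): resolve the encryption
# method for an LDAP auth source from the user's choice and the port.
module LdapEncryptionResolver
  STANDARD_LDAP_PORTS  = [389, 3268].freeze   # plain LDAP / AD global catalog
  STANDARD_LDAPS_PORTS = [636, 3269].freeze   # LDAP over TLS / AD GC over TLS

  # Modes as a UI would expose them; :auto decides from the port alone.
  MODES = %i[auto plain starttls ldaps].freeze

  # Port a form would switch to when the user picks a mode (the behaviour
  # the description mentions for the current LDAPs checkbox).
  DEFAULT_PORTS = { plain: 389, starttls: 389, ldaps: 636 }.freeze

  # Returns the ldap_fluff encryption symbol (:start_tls or :simple_tls), or
  # nil for an unencrypted connection. With :auto and a non-standard port
  # there is no safe guess, so an ArgumentError forces an explicit choice.
  def self.encryption_for(mode, port)
    raise ArgumentError, "unknown mode #{mode.inspect}" unless MODES.include?(mode)

    case mode
    when :plain    then nil
    when :starttls then :start_tls
    when :ldaps    then :simple_tls
    when :auto
      if STANDARD_LDAP_PORTS.include?(port)
        :start_tls
      elsif STANDARD_LDAPS_PORTS.include?(port)
        :simple_tls
      else
        raise ArgumentError,
              "port #{port} is not a standard LDAP/LDAPS port; pick starttls or ldaps explicitly"
      end
    end
  end

  # Builds the net-ldap style :encryption hash (assumed consumer). Peer
  # verification stays on for both TLS variants; an unverified StartTLS or
  # LDAPs session gives no protection against an active interceptor.
  def self.encryption_options(mode, port, ca_file: nil)
    method = encryption_for(mode, port)
    return nil if method.nil?

    tls = { verify_mode: OpenSSL::SSL::VERIFY_PEER }
    tls[:ca_file] = ca_file if ca_file
    { method: method, tls_options: tls }
  end
end

if $PROGRAM_NAME == __FILE__
  p LdapEncryptionResolver.encryption_for(:auto, 389)          # => :start_tls
  p LdapEncryptionResolver.encryption_for(:auto, 3269)         # => :simple_tls
  p LdapEncryptionResolver.encryption_options(:starttls, 10389)
end
```

The resolver keeps the two proposals compatible: a user who leaves the mode on `:auto` gets the standard-port behaviour from the first proposal, while a custom port such as 10389 only works once the mode is explicit, which is the case the description flags as unresolved.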
Updated by Ewoud Kohl van Wijngaarden over 1 year ago
- Related to Bug #7016: Make Foreman support StartTLS added
Updated by Ewoud Kohl van Wijngaarden over 1 year ago
- Related to Bug #7003: Unable to connect to AD through ldap login module added
Updated by Ewoud Kohl van Wijngaarden over 1 year ago
- Subject changed from Make Foreman support StartTLS to Make Foreman support StartTLS on LDAP connections