Feature #36026

Make Foreman support StartTLS on LDAP connections

Added by Dirk Götz about 1 year ago. Updated 12 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Authentication
Target version: -
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

LDAP with StartTLS should be favoured over LDAPs, but not all agree to this, so Foreman needs to support both.

github.com/katello/ldap_fluff supports both with LDAPs being simple_tls and LDAP with StartTLS being start_tls.

I changed the support for a customer by simply switching the option at https://github.com/theforeman/foreman/blob/develop/app/models/auth_sources/auth_source_ldap.rb#L100, so Foreman works fine using StartTLS.

To implement this in the UI I see two options:
- Have only one checkbox like now, but change the description to TLS and if the port is a standard LDAP port (389 or 3268) use start_tls, if it is an LDAPs port (636 or 3269) use simple_tls. Disadvantage: we do not know how to handle custom ports!
- Add another checkbox for StartTLS or better some selection between unencrypted, StartTLS and LDAPs (with StartTLS being the default). Disadvantage: a user is more likely to mix things up or we need a more complicated way to provide sane defaults (like now when checking the LDAPs box it switches the port to 636)!

The old issue for this was closed because of inactivity: https://projects.theforeman.org/issues/7016
Switching the implementation silently had to be reverted, as support for both is needed: https://projects.theforeman.org/issues/7003
For the need see the community post: https://community.theforeman.org/t/ldap-auth-failing-for-bind-user/32037


Related issues (2: 0 open, 2 closed)

Related to Foreman - Bug #7016: Make Foreman support StartTLS (Closed)
Related to Foreman - Bug #7003: Unable to connect to AD through ldap login module (Closed, Daniel Lobato Garcia, 08/08/2014)
#1

Updated by Ewoud Kohl van Wijngaarden about 1 year ago

I would be in favor of being explicit because it supports custom ports, but an "auto" option which does the right thing with standard ports would make it easy for users. Most users wouldn't need to think about it. Another common approach I've seen is that selecting the encryption method also changes the port in the form.
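The two UI options from the description and the "auto" selection suggested in comment #1, modelled as an added Ruby example (this is not Foreman or ldap_fluff code; the function names, the :auto/:none choices, the DEFAULT_PORT table and the AmbiguousPortError class are assumptions of this example). It maps the standard ports named in the description to ldap_fluff's start_tls and simple_tls modes, refuses to guess for a custom port (the disadvantage of option 1), and switches the form port to the mode's default the way the current LDAPs checkbox switches it to 636.

```ruby
# Added example, not Foreman or ldap_fluff code: models how a UI choice and a
# port resolve to the encryption symbol ldap_fluff understands.

# ldap_fluff's two TLS modes, as named in the issue description.
LDAPS_MODE    = :simple_tls  # TLS from the first byte (LDAPS)
STARTTLS_MODE = :start_tls   # plaintext LDAP upgraded with the StartTLS extended operation

# Standard ports from the description: 389/636 are LDAP/LDAPS,
# 3268/3269 are the Active Directory Global Catalog equivalents.
STARTTLS_PORTS = [389, 3268].freeze
LDAPS_PORTS    = [636, 3269].freeze

# Port the form switches to when a mode is picked (assumed table, generalising
# the existing "LDAPs checkbox sets 636" behaviour to the other modes).
DEFAULT_PORT = { none: 389, start_tls: 389, simple_tls: 636 }.freeze

# Raised when a custom port gives no hint which TLS mode is meant (assumed name).
class AmbiguousPortError < StandardError; end

# Option 1 from the description: one "TLS" checkbox, mode inferred from the port.
# Returns nil when TLS is off, :start_tls or :simple_tls for standard ports, and
# raises for a custom port, which is exactly the disadvantage the description notes.
def infer_mode_from_port(tls:, port:)
  return nil unless tls
  return STARTTLS_MODE if STARTTLS_PORTS.include?(port)
  return LDAPS_MODE if LDAPS_PORTS.include?(port)

  raise AmbiguousPortError, "cannot infer TLS mode for non-standard port #{port}"
end

# Option 2 plus the "auto" choice from comment #1: an explicit selection among
# :none, :start_tls, :simple_tls and :auto. Returns [encryption, port] where
# encryption is the symbol to hand to ldap_fluff (nil = unencrypted) and port
# is the port the form should show; a nil port means "use the mode's default".
def resolve_encryption(choice:, port: nil)
  case choice
  when :auto
    # Auto can only work from a concrete port, so a missing one is an error
    # rather than a silent fallback to plaintext.
    raise ArgumentError, 'auto needs a port to infer the TLS mode from' if port.nil?

    [infer_mode_from_port(tls: true, port: port), port]
  when :none
    [nil, port || DEFAULT_PORT[:none]]
  when :start_tls
    [STARTTLS_MODE, port || DEFAULT_PORT[:start_tls]]
  when :simple_tls
    [LDAPS_MODE, port || DEFAULT_PORT[:simple_tls]]
  else
    raise ArgumentError, "unknown encryption choice #{choice.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Standard ports resolve under "auto"; a custom port needs an explicit choice.
  p resolve_encryption(choice: :auto, port: 3269)
  p resolve_encryption(choice: :start_tls, port: 10_389)
  begin
    resolve_encryption(choice: :auto, port: 10_389)
  rescue AmbiguousPortError => e
    puts "auto failed as expected: #{e.message}"
  end
end
```

The explicit path (:start_tls with a custom port) is the case the "auto" path cannot serve, which is why comment #1 argues for keeping an explicit selection alongside any auto detection.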

#2

Updated by Ewoud Kohl van Wijngaarden about 1 year ago

  • Related to Bug #7016: Make Foreman support StartTLS added

#3

Updated by Ewoud Kohl van Wijngaarden about 1 year ago

  • Related to Bug #7003: Unable to connect to AD through ldap login module added

#4

Updated by Ewoud Kohl van Wijngaarden 12 months ago

  • Subject changed from Make Foreman support StartTLS to Make Foreman support StartTLS on LDAP connections