Bug #9858

Updated by Dominic Cleal over 6 years ago

*This issue is currently embargoed and may not be discussed in public. Keep comments to this ticket or the foreman-security mailing list.* Cloned from

When making an SSL connection to an LDAP authentication source, the remote server certificate is accepted without any verification against known certificate authorities.

This can allow the LDAP connection between Foreman and the LDAP server to be attacked, and a different LDAP server could be contacted to authenticate users to Foreman.

Expected behaviour is that the certificate authority for the LDAP server should be stored and trusted somewhere, e.g. the system trust store (/etc/pki/tls/certs/ca-bundle.crt, or via update-ca-certificates).

Affects Foreman 1.3.0 or higher - since Puppet was removed as a dependency, the default SSL behaviour went back to no verification.

Description of problem:

Version-Release number of selected component (if applicable):
Red Hat Satellite 6.0.7
Active Directory

How reproducible:

Steps to Reproduce:
1. Set up an Authentication source to Active Directory
2. Create a user in Foreman, AD
3. Login with AD user on satellite 6 webUI

Actual results:
Fails with incorrect user
task is hung at Actions::Pulp::User::Create (error) Actions::Pulp::Superuser::Add (pending)

Expected results:
AD authentication with Satellite 6 should work with

Additional info:
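To make the missing check concrete, here is an added Ruby illustration (not Foreman's or the net-ldap gem's code) of what an LDAP TLS client accepts with no peer verification versus verification against a trust store, plus the client context the expected behaviour calls for. The CA and server certificates are constructed in memory; the names `make_cert`, `ldap_server_cert_ok?` and `hardened_ldap_tls_context` are this example's own.

```ruby
require 'openssl'

# Builds a self-signed CA (ca: true) or a leaf signed by issuer (ca: false).
# Constructed fixtures only; nothing here is Foreman's own code.
def make_cert(subject, issuer_cert = nil, issuer_key = nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# The check a TLS client performs on the LDAP server's certificate.
# VERIFY_NONE reproduces the unpatched behaviour: every chain is accepted.
# VERIFY_PEER accepts only chains rooted in ca_certs (the trust store).
def ldap_server_cert_ok?(server_cert, verify_mode:, ca_certs: [])
  return true if verify_mode == OpenSSL::SSL::VERIFY_NONE
  store = OpenSSL::X509::Store.new
  ca_certs.each { |c| store.add_cert(c) }
  store.verify(server_cert)
end

# The client context the expected behaviour calls for: peer verification
# against the system trust store (e.g. /etc/pki/tls/certs/ca-bundle.crt)
# plus hostname checking, which CA verification alone does not give you.
def hardened_ldap_tls_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  ctx
end

# Constructed scenario: the real LDAP server's cert vs. one from a CA Foreman
# was never told to trust (what a substituted server would present).
CA, CA_KEY = make_cert('/CN=Corp Root CA', ca: true)
REAL_LDAP = make_cert('/CN=ldap.corp.example', CA, CA_KEY).first
ROGUE_CA, ROGUE_KEY = make_cert('/CN=Someone Else CA', ca: true)
ROGUE_LDAP = make_cert('/CN=ldap.corp.example', ROGUE_CA, ROGUE_KEY).first
```

With `VERIFY_NONE` both certificates pass; with `VERIFY_PEER` only the one chaining to the configured CA does, which is the behaviour the trust-store fix restores.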