TLS support for LDAP back end

Bug #1040115 reported by Adam Young
This bug affects 4 people
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Brad Topol

Bug Description

There are two different ways to secure LDAP traffic: LDAPS and TLS. LDAPS is currently supported. However, Active Directory is going to require TLS support.

We need some way to specify the certificate. In nss_ldap syntax, this is one of:

tls_cacertfile /etc/ssl/ca.cert
tls_cacertdir /etc/openldap/cacerts

Additionally, you need a directive to state whether you intend to use SSL or START_TLS. Having an 'ldaps' URI is not enough, because that wouldn't leave you with a way to specify that you wish to connect to unencrypted port 389 and issue a START_TLS command. nss_ldap does one of:

ssl on
ssl start_tls

You need a way to specify whether the cert is required and should be validated:

tls_reqcert never | demand | allow

Have a look at the TLS functions of python-ldap:

http://www.python-ldap.org/doc/html/ldap.html#tls-options

Adam Young (ayoung)
Changed in keystone:
assignee: nobody → Adam Young (ayoung)
Joseph Heck (heckj)
Changed in keystone:
status: New → Triaged
importance: Undecided → High
Adam Young (ayoung) wrote :

LDAPS seems to work out of the box, provided the CA cert is set up properly.

I got it to work by doing this:

http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/

And changing the URL in the keystone.conf file to ldaps://

Adam Young (ayoung)
description: updated
summary: - LDAPS and TLS support
+ TLS support for LDAP back end
Brad Topol (btopol) wrote :

Adam, with regard to "You need a way to specify whether the cert is required and should be validated:" are these values that can just be pulled from keystone.conf?

Changed in keystone:
assignee: Adam Young (ayoung) → Brad Topol (btopol)
Adam Young (ayoung) wrote :

Brad, yes, I think it should be out of the conf file. One value should specify if we are expecting TLS. If we are, we should always require and validate a cert. Backing off that rule can be an additional change, but I would prefer if we defaulted to the stronger crypto method.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/25327

Changed in keystone:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/25327
Committed: http://github.com/openstack/keystone/commit/e4ec12e8118b92cbad9e2f287f111b6be8bb2705
Submitter: Jenkins
Branch: master

commit e4ec12e8118b92cbad9e2f287f111b6be8bb2705
Author: Brad Topol <email address hidden>
Date: Mon Mar 25 15:23:15 2013 -0500

    Add TLS Support for LDAP

    Fixes Bug1040115

    added several test cases, also provides a full ldap
    regression suite. Also added supplemental (simple)
    verification for CACERTFILE and CACERTDIR
    added a TLS disable option when ldaps URLs are used
    and did full regression tests using ldaps URLs
    and with TLS
    addresses ayoung's comments
    addresses dolphm's and Mouad's comments
    addresses gyee's doc request and bknudson's comments

    Change-Id: I639f2853df0ce5c10ae85b06214b26430d872aca
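
The settings discussed in this report (LDAPS versus START_TLS, the CA file or directory, and the tls_reqcert level defaulting to "demand") can be checked before any connection is opened. The sketch below is an added example, not the code merged in the Keystone change; the parameter names are hypothetical and `connect()` assumes the python-ldap package is installed.

```python
import os
from urllib.parse import urlparse

REQ_CERT_LEVELS = ("never", "allow", "demand")  # tls_reqcert values from the report


def resolve_ldap_tls(url, use_tls=False, tls_cacertfile=None,
                     tls_cacertdir=None, tls_req_cert="demand"):
    """Validate the settings and return the effective transport plan.
    Parameter names are hypothetical; they mirror the nss_ldap directives."""
    scheme = urlparse(url).scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported URL scheme: %r" % scheme)
    if scheme == "ldaps" and use_tls:
        # ldaps:// is TLS from the first byte; StartTLS on top would be an error.
        raise ValueError("StartTLS cannot be combined with an ldaps:// URL")
    if tls_req_cert not in REQ_CERT_LEVELS:
        raise ValueError("tls_req_cert must be one of %s" % (REQ_CERT_LEVELS,))
    if tls_cacertfile and not os.path.isfile(tls_cacertfile):
        raise ValueError("tls_cacertfile is not an existing file")
    if tls_cacertdir and not os.path.isdir(tls_cacertdir):
        raise ValueError("tls_cacertdir is not an existing directory")
    mode = "ldaps" if scheme == "ldaps" else "start_tls" if use_tls else "plaintext"
    return {"mode": mode, "cacertfile": tls_cacertfile, "cacertdir": tls_cacertdir,
            "req_cert": tls_req_cert,
            # only "demand" aborts the handshake on a missing or bad certificate
            "validates_peer": mode != "plaintext" and tls_req_cert == "demand"}


def connect(url, plan):
    """Apply a plan with python-ldap (imported lazily so validation runs without it)."""
    import ldap
    level = {"never": ldap.OPT_X_TLS_NEVER, "allow": ldap.OPT_X_TLS_ALLOW,
             "demand": ldap.OPT_X_TLS_DEMAND}[plan["req_cert"]]
    conn = ldap.initialize(url)
    if plan["mode"] != "plaintext":
        if plan["cacertfile"]:
            conn.set_option(ldap.OPT_X_TLS_CACERTFILE, plan["cacertfile"])
        if plan["cacertdir"]:
            conn.set_option(ldap.OPT_X_TLS_CACERTDIR, plan["cacertdir"])
        conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, level)
        conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # rebuild TLS context with these options
    if plan["mode"] == "start_tls":
        conn.start_tls_s()  # upgrade the port-389 session before any bind is sent
    return conn
```

Logging `validates_peer` at startup makes a deployment that has backed off to "never" or "allow" visible to operators.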

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → havana-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: havana-1 → 2013.2