TLS support for LDAP back end
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | High | Brad Topol |
Bug Description
There are two different ways to secure LDAP traffic: LDAPS and TLS. LDAPS is currently supported. However, Active Directory is going to require TLS support.
We need some way to specify the certificate. In nss_ldap syntax, this is one of:
tls_cacertfile /etc/ssl/ca.cert
tls_cacertdir /etc/openldap/
Additionally, you need a directive to state whether you intend to use SSL or START_TLS. Having an 'ldaps' URI is not enough, because that wouldn't leave you with a way to specify that you wish to connect to unencrypted port 389 and issue a START_TLS command. nss_ldap does one of:
ssl on
ssl start_tls
You need a way to specify whether the cert is required and should be validated:
tls_reqcert never | demand | allow
Have a look at the TLS functions of python-ldap:
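As an added example (not from the bug report or from keystone), the following Python parses the nss_ldap-style directives quoted above, checks that the ssl directive agrees with the URI scheme, and applies the result through python-ldap's TLS options; the `ldap` module and `OPT_X_TLS_*` names are python-ldap's, while the parser, the config class and the sample values are assumptions made for this example.

```python
from dataclasses import dataclass

REQCERT = ("never", "allow", "demand")  # tls_reqcert values quoted in the report

@dataclass
class LdapTlsConfig:
    uri: str
    mode: str        # "ssl" (LDAPS, normally port 636) or "start_tls" (upgrade on 389)
    reqcert: str     # never | allow | demand; only "demand" rejects an untrusted server cert
    cacertfile: str = ""
    cacertdir: str = ""

def parse_config(text: str, uri: str) -> LdapTlsConfig:
    """Parse nss_ldap-style ssl / tls_reqcert / tls_cacert* lines and check them against the URI."""
    mode, reqcert, cafile, cadir = None, "demand", "", ""  # demand is the safe default
    for raw in text.splitlines():
        key, _, value = raw.split("#", 1)[0].strip().partition(" ")
        value = value.strip()
        if key == "ssl" and value in ("on", "start_tls"):
            mode = "ssl" if value == "on" else "start_tls"
        elif key == "tls_reqcert" and value in REQCERT:
            reqcert = value
        elif key == "tls_cacertfile":
            cafile = value
        elif key == "tls_cacertdir":
            cadir = value
        elif key:
            raise ValueError(f"bad directive: {raw.strip()}")
    # A bare ldaps:// URI cannot express "START_TLS on port 389"; the ssl directive must agree.
    scheme = uri.partition("://")[0].lower()
    if mode is None or scheme != ("ldaps" if mode == "ssl" else "ldap"):
        raise ValueError("'ssl on' needs an ldaps:// URI, 'ssl start_tls' needs ldap://")
    if reqcert == "demand" and not (cafile or cadir):
        raise ValueError("tls_reqcert demand needs tls_cacertfile or tls_cacertdir")
    return LdapTlsConfig(uri, mode, reqcert, cafile, cadir)

def connect(cfg: LdapTlsConfig):
    """Apply cfg via python-ldap's TLS options (imported here so parsing runs without it)."""
    import ldap
    conn = ldap.initialize(cfg.uri)
    if cfg.cacertfile:
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cfg.cacertfile)
    if cfg.cacertdir:
        conn.set_option(ldap.OPT_X_TLS_CACERTDIR, cfg.cacertdir)
    levels = {"never": ldap.OPT_X_TLS_NEVER, "allow": ldap.OPT_X_TLS_ALLOW, "demand": ldap.OPT_X_TLS_DEMAND}
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, levels[cfg.reqcert])
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # rebuild the TLS context with the options above
    if cfg.mode == "start_tls":
        conn.start_tls_s()  # upgrade the cleartext session before any bind
    return conn
```

With `tls_reqcert never` or `allow` the connection is encrypted but the server is not authenticated, so `demand` plus a CA file or directory is the setting to verify in a deployment.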
Changed in keystone:
assignee: nobody → Adam Young (ayoung)
Changed in keystone:
status: New → Triaged
importance: Undecided → High
description: updated
summary: LDAPS and TLS support → TLS support for LDAP back end
Changed in keystone:
milestone: none → havana-1
status: Fix Committed → Fix Released
Changed in keystone:
milestone: havana-1 → 2013.2
LDAPS seems to work out of the box, provided the CA cert is set up properly.
I got it to work by doing this:
http://adam.younglogic.com/2012/09/ldaps-against-a-freeipa-server/
And changing the URL in the keystone.conf file to ldaps://