[fuel-plugin-ldap] tls settings are required for ldap plugin

Bug #1544355 reported by Oleksii Aleksieiev
Affects: Fuel Plugins
Status: Fix Committed
Importance: Wishlist
Assigned to: Max Yatsenko

Bug Description

Corporate LDAP/AD servers are usually accessible via TLS/SSL only.
Also, it is possible that an internal CA certificate may be used for LDAP TLS/SSL.

The plugin should allow users to upload a custom CA file.

The plugin should upload the file to the keystone node and update the keystone config:

[ldap]
tls_cacertfile = /etc/keystone/path.to.CA.pem

Tags: ldap
Simon Pasquier (simon-pasquier) wrote :

Note that there is no way to upload a file in the Fuel UI for plugins. That being said, it should be possible to copy/paste the CA key in a text field.

Changed in fuel-plugins:
importance: Undecided → Wishlist
Changed in fuel-plugins:
assignee: nobody → Max Yatsenko (myatsenko)
milestone: none → 7.0
tags: added: ldap
Max Yatsenko (myatsenko) wrote :

TLS support was added to MOS 7.0,
patch: https://review.openstack.org/#/c/281711/

Changed in fuel-plugins:
status: New → Fix Committed
Oleksii Aleksieiev (alexzzman) wrote :

Thanks for creating the fix.

The CA chain field depends on settings:ldap.use_tls.value == true. This is not correct.
In the LDAP settings you may have an ldaps:// LDAP server URL but TLS disabled. This means the SSL protocol will be used instead of TLS, and a CA chain may still be needed.

The variable name tls_cacertfile may be confusing at this point, but it is still a valid use case. These two options should be independent of each other.
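
As an added illustration of the dependency discussed in the comment above (example code written for this page, not part of fuel-plugin-ldap or the bug thread): a small helper that derives keystone's [ldap] TLS options from plugin-style settings. It shows the gate the comment objects to (CA field honoured only when use_tls is set) beside a corrected gate that also covers ldaps:// URLs. The setting keys url, use_tls and ca_chain and all function names are assumptions; the CA path is the one proposed in the bug description, and the PEM blob is a constructed placeholder, not a real certificate.

```python
"""Derive keystone [ldap] TLS settings from Fuel-plugin-style LDAP settings.

Hypothetical helper, not the fuel-plugin-ldap code: it demonstrates why the
CA chain must be applied for both ldaps:// URLs and StartTLS (use_tls), as
the bug comment argues, rather than being gated on use_tls alone.
"""
import configparser
import io
from urllib.parse import urlsplit

# Constructed placeholder; a real deployment pastes its own CA chain here.
SAMPLE_CA_CHAIN = """-----BEGIN CERTIFICATE-----
MIIBszCCAVoCCQD...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
"""

# Path proposed in the bug description; any path keystone can read works.
DEFAULT_CA_PATH = "/etc/keystone/path.to.CA.pem"


def uses_ldaps(url):
    """True when the URL scheme is ldaps (TLS from the first byte, port 636)."""
    return urlsplit(url).scheme.lower() == "ldaps"


def ca_chain_applicable_buggy(settings):
    """Gate reported in the bug: the CA field is only honoured when use_tls is set."""
    return bool(settings.get("use_tls"))


def ca_chain_applicable(settings):
    """Corrected gate: a CA chain is needed for ldaps:// OR for StartTLS."""
    return uses_ldaps(settings["url"]) or bool(settings.get("use_tls"))


def render_ldap_section(settings, ca_path=DEFAULT_CA_PATH):
    """Build keystone's [ldap] options as a dict; raise on inconsistent input."""
    url = settings["url"]
    use_tls = bool(settings.get("use_tls"))
    ca_chain = settings.get("ca_chain", "").strip()

    # StartTLS is negotiated on a plain ldap:// session; the LDAP library
    # rejects a StartTLS request on a session that is already TLS (ldaps://).
    if use_tls and uses_ldaps(url):
        raise ValueError("use_tls (StartTLS) cannot be combined with an ldaps:// URL")

    section = {"url": url, "use_tls": str(use_tls).lower()}
    if ca_chain_applicable(settings):
        # Without a CA the server certificate cannot be verified; fail closed
        # rather than silently weakening tls_req_cert to allow/never.
        if not ca_chain:
            raise ValueError("encrypted LDAP requires a CA chain to verify the server")
        section["tls_cacertfile"] = ca_path
        section["tls_req_cert"] = "demand"
    return section


def render_keystone_ini(section):
    """Serialize the [ldap] options in keystone.conf INI form."""
    parser = configparser.ConfigParser()
    parser["ldap"] = section
    buf = io.StringIO()
    parser.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    # ldaps:// with StartTLS disabled: the buggy gate drops the CA, the
    # corrected one keeps it.
    demo = {"url": "ldaps://ldap.example.com", "use_tls": False,
            "ca_chain": SAMPLE_CA_CHAIN}
    print("buggy gate applies CA:", ca_chain_applicable_buggy(demo))
    print("fixed gate applies CA:", ca_chain_applicable(demo))
    print(render_keystone_ini(render_ldap_section(demo)))
```

The helper only decides which options to emit; writing the PEM to the CA path on the keystone node and restarting keystone stay with the deployment tooling.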

Max Yatsenko (myatsenko)
Changed in fuel-plugins:
milestone: 7.0 → 9.0