Project

General

Profile

Actions

Todo #10704

closed

Work around PHP issues with SSL LDAP and multiple authentication servers

Added by Jim Pingle over 4 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
User Manager / Privileges
Target version:
Start date:
06/25/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:

Description

Based on a report from a customer, the PHP environment we have to setup for SSL LDAP clients does not appear to gracefully handle multiple authentication servers. It ends up not trusting the CA for one or more of the attempted connections. Unless the issues in #9417 have fixed on PHP 7.4 (See #10659), we should try to find a way to handle this situation better, if possible.

2.4.5-p1 workaround: Set the LDAP auth server entries to use Global Root CA List, copy CA cert PEM data to /etc/ssl/<hash>.0 where <hash> is the output of openssl x509 -hash -noout -in ca.crt

2.5.0 workaround: Set the LDAP auth server entries to use Global Root CA List, edit the CAs in the cert manager, check "Add this certificate to the Operating System Trust Store".

That should allow all of the LDAP server CAs to be trusted concurrently.

One possible workaround would be to setup more isolated environments for each server, perhaps with a unique ID per LDAP server or CA hash, but there may still be PHP environment issues when doing it that way.

Actions #1

Updated by Jim Pingle over 4 years ago

  • Description updated (diff)
Actions #2

Updated by Anonymous about 4 years ago

  • Tracker changed from Todo to Documentation
Actions #3

Updated by Jim Pingle about 4 years ago

  • Tracker changed from Documentation to Todo

There is still likely to be a technical / non-documentation way to address this.

Some of that depends on the outcome of wider testing for #9417

Actions #4

Updated by Jim Pingle almost 4 years ago

  • Status changed from New to Feedback

This is technically waiting for feedback on #9417 so I'm changing the status accordingly.

If #9417 has to be backed out again, this can be changed back to a documentation ticket and I can update the docs as needed, and it is not a release blocker at that point.

Actions #5

Updated by Renato Botelho over 3 years ago

Marking it as resolved since nobody answered in 3 months

Actions #6

Updated by Renato Botelho over 3 years ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF