Bug #8044

LDAP authentication fails with a globally trusted root CA

Added by Jim Pingle about 2 years ago. Updated about 2 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: User Manager / Privileges
Target version:
Start date: 11/02/2017
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture: All

Description

The OpenLDAP client does not automatically look for and trust the global root CA list we have from ca_root_nss, linked at /etc/ssl/cert.pem.

Furthermore, it does not seem to want to read that list when passed its location as a CA directory. The certificates for LDAP are kept in /var/run, which is limited in space, so making a copy of the global CA list there is not viable due to its limited space, and it can't be symlinked there because /var/run is a RAM disk and the original file is on another filesystem.

What appears to work is offering a "Global Root CA List" option as a CA choice for LDAP servers, and then setting LDAPTLS_CACERT=/etc/ssl/cert.pem. This also makes more sense because a server configured this way should not need to have its CA imported manually or selected specifically, since it should be trusted already.

This lets LDAP auth work against a server using a trusted certificate from common providers such as Let's Encrypt.

To me, I have a patch.
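
The behaviour described above, as an added example that is not the pfSense patch or part of this ticket: the global ca_root_nss bundle is one PEM file, so it has to reach the OpenLDAP client as LDAPTLS_CACERT, while a CA directory (LDAPTLS_CACERTDIR) is only searched by OpenSSL's hash-named entries, which is why a bundle copied into a directory is never read. The per-server file name under /var/run and the constructed certificate bodies are assumptions.

```sh
#!/bin/sh
# Added example (not the pfSense patch): picks the OpenLDAP client TLS
# environment for an LDAP server's CA choice. The global ca_root_nss bundle
# is a single PEM file, so it must be handed over as LDAPTLS_CACERT; an
# OpenSSL CA directory (LDAPTLS_CACERTDIR) is only searched by hash-named
# entries (<subject-hash>.N, e.g. 2e5ac55d.0), which is why dropping the
# bundle into a directory does nothing. Per-server file naming is assumed.
GLOBAL_CA_BUNDLE="${GLOBAL_CA_BUNDLE:-/etc/ssl/cert.pem}"
LDAP_CA_DIR="${LDAP_CA_DIR:-/var/run}"

# Number of PEM certificates in a bundle; 0 if it is missing or unreadable.
count_bundle_certs() {
  if [ -r "$1" ]; then
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
  else
    echo 0
  fi
}

# True only if the directory holds at least one hash-named CA entry,
# the sole layout an OpenSSL CA-directory lookup will actually read.
ca_dir_usable() {
  [ -d "$1" ] && ls "$1" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'
}

# Print the assignment for the chosen CA, failing closed on an empty bundle
# so a broken CA selection cannot silently turn into an unverified TLS peer.
ldap_tls_env() {
  case "$1" in
    global) _ca="$GLOBAL_CA_BUNDLE" ;;
    *)      _ca="$LDAP_CA_DIR/ldap-ca-$1.pem" ;;   # assumed per-server name
  esac
  [ "$(count_bundle_certs "$_ca")" -gt 0 ] || return 1
  echo "LDAPTLS_CACERT=$_ca"
}

# Stand-alone demo with a constructed (non-functional) two-certificate bundle.
demo() {
  d=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructed' \
    '-----END CERTIFICATE-----' > "$d/one.pem"
  cat "$d/one.pem" "$d/one.pem" > "$d/cert.pem"
  mkdir "$d/cadir" && cp "$d/cert.pem" "$d/cadir/"
  echo "bundle certs: $(count_bundle_certs "$d/cert.pem")"
  ca_dir_usable "$d/cadir" || echo "cadir unusable: no hash-named entries"
  GLOBAL_CA_BUNDLE="$d/cert.pem"
  ldap_tls_env global
  rm -rf "$d"
}
demo
```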

Associated revisions

Revision 87c67243 (diff)
Added by Jim Pingle about 2 years ago

Add an option for LDAP servers to use the global root CA list as a peer CA. Fixes #8044

History

#1 Updated by Jim Pingle about 2 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

#2 Updated by Jim Pingle about 2 years ago

  • Status changed from Feedback to Resolved
