
yahoo-eng-team team mailing list archive

[Bug 1040115] Re: TLS support for LDAP back end


** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => havana-1

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1040115

Title:
  TLS support for LDAP back end

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  There are two different ways to secure LDAP traffic: LDAPS and TLS.
  LDAPS is currently supported.  However, Active Directory is going to
  require TLS support.

  We need some way to specify the certificate.  In nss_ldap syntax,
  this is one of:

  tls_cacertfile /etc/ssl/ca.cert
  tls_cacertdir /etc/openldap/cacerts

  Additionally, you need a directive to state whether you intend to use
  SSL or START_TLS.  Having an 'ldaps' URI is not enough, because that
  wouldn't leave you with a way to specify that you wish to connect to
  unencrypted port 389 and issue a START_TLS command.  nss_ldap does one
  of:

  ssl on
  ssl start_tls

  You need a way to specify whether the cert is required and should be
  validated:

  tls_reqcert never | demand | allow

  Have a look at the TLS functions of python-ldap:

  http://www.python-ldap.org/doc/html/ldap.html#tls-options

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1040115/+subscriptions
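The directives the report lists (ssl on | start_tls, tls_cacertfile / tls_cacertdir, tls_reqcert never | allow | demand), translated into the python-ldap settings they correspond to. This is an added example, not Keystone's code or the reporter's; it assumes python-ldap is installed only for connect(), defaults tls_reqcert to demand when absent, and uses a constructed host name.

```python
"""Map nss_ldap-style TLS directives onto python-ldap options.
Constructed example; python-ldap is needed only by connect()."""
from urllib.parse import urlparse

# tls_reqcert value -> python-ldap constant name for OPT_X_TLS_REQUIRE_CERT
REQCERT = {"never": "OPT_X_TLS_NEVER", "allow": "OPT_X_TLS_ALLOW", "demand": "OPT_X_TLS_DEMAND"}
CERT_OPTS = {"tls_cacertfile": "OPT_X_TLS_CACERTFILE", "tls_cacertdir": "OPT_X_TLS_CACERTDIR"}


def plan_tls(uri, directives):
    """Describe how to secure the connection; raise ValueError when the
    'ssl' directive contradicts the URI scheme."""
    conf = {}
    for line in directives.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    scheme = urlparse(uri).scheme
    ssl = conf.get("ssl", "off").lower()
    # 'ssl on' is LDAPS (TLS from the first byte): needs an ldaps:// URI.
    # 'ssl start_tls' is plain ldap:// on 389, upgraded by a StartTLS request.
    if ssl == "on" and scheme != "ldaps":
        raise ValueError("ssl on requires an ldaps:// URI")
    if ssl == "start_tls" and scheme != "ldap":
        raise ValueError("ssl start_tls requires a plain ldap:// URI")
    reqcert = conf.get("tls_reqcert", "demand").lower()  # assumed default: demand
    if reqcert not in REQCERT:
        raise ValueError("tls_reqcert must be never, allow or demand")
    options = [(CERT_OPTS[k], conf[k]) for k in CERT_OPTS if k in conf]
    options.append(("OPT_X_TLS_REQUIRE_CERT", REQCERT[reqcert]))
    warnings = []
    if ssl != "off" and reqcert == "never":
        warnings.append("server cert not validated: encrypted but not authenticated")
    if reqcert == "demand" and not any(k in conf for k in CERT_OPTS):
        warnings.append("tls_reqcert demand with no CA file/dir: every handshake will fail")
    return {"encrypted": ssl != "off", "start_tls": ssl == "start_tls",
            "options": options, "warnings": warnings}


def connect(uri, directives):
    """Open the connection with python-ldap according to the plan."""
    import ldap  # python-ldap; option constants are looked up by the names stored above
    plan = plan_tls(uri, directives)
    conn = ldap.initialize(uri)
    for name, value in plan["options"]:
        # REQUIRE_CERT takes a constant; the CA options take a path string
        conn.set_option(getattr(ldap, name), getattr(ldap, value, value))
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # build the TLS context from the options set
    if plan["start_tls"]:
        conn.start_tls_s()  # StartTLS on the plaintext port 389 connection
    return conn
```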