[rhos-list] Keystone + LDAP + TLS
Jonathan Mills
jonmills at renci.org
Wed Aug 22 02:13:15 UTC 2012
So, you need some way to specify the certificate. In nss_ldap syntax, this is one of:
tls_cacertfile /etc/ssl/ca.cert
tls_cacertdir /etc/openldap/cacerts
Additionally, you need a directive to state whether you intent to use SSL or START_TLS. Have an 'ldaps' URI is not enough, because that wouldn't leave you with a way to specify that you wish to connect to unencrypted port 389 and issue a START_TLS command. nss_ldap does one of:
ssl on
ssl start_tls
You need a way to specify whether the cert is required and should be validated:
tls_reqcert never | demand | allow
Have a look at the TLS functions of python-ldap:
http://www.python-ldap.org/doc/html/ldap.html#tls-options
On Aug 21, 2012, at 9:55 PM, Adam Young <ayoung at redhat.com> wrote:
> On 08/21/2012 06:07 PM, Jonathan Mills wrote:
>> Like any reasonable IT organization, I run a secure LDAP server. It will accept anonymous binds, but requires TLS and a valid certificate (tls_reqcert = demand).
>>
>> Now it seems that Essex really only wants to use Keystone for identity management.
>>
>> And Keystone supports LDAP as a backend.
>>
>> And Keystone uses the python-ldap library, which supports LDAPS or LDAP w/ START_TLS.
>>
>> So quite naturally I want Keystone to authenticate my users, who live in LDAP, to nova for me.
>>
>> However....it does not seem that keystone.conf actually supports the configuration declarations to build a secure LDAP connection?
>>
>> This strikes me as a pretty big deal...
>>
>
> LDAP support is new, and is getting more attention now. The predominant way people seem to be using it is as a read only data store. The other way is using a local LDAP server that is either passing through to the remote one or caching a subset of the data.
>
> Simple Bind was the most straightforward and simplest authentication that could be done. Ideally, we would do something more secure, like Kerberos.
>
> We need to start a blueprint for LDAP features. LDAPS/StartTLS is one that has been on my mind for a while now. The obvious first step would be for the URL to be ldaps:/// instead of ldap:// but that is a configuration option already supported. We do conn.simple_bind_s. What else would be required to support it?
>
> _______________________________________________
> rhos-list mailing list
> rhos-list at redhat.com
> https://www.redhat.com/mailman/listinfo/rhos-list
More information about the rhos-list
mailing list