[rhos-list] Keystone + LDAP + TLS

Jonathan Mills jonmills at renci.org
Wed Aug 22 02:13:15 UTC 2012 

So, you need some way to specify the certificate.  In nss_ldap syntax, this is one of:

tls_cacertfile /etc/ssl/ca.cert
tls_cacertdir /etc/openldap/cacerts

Additionally, you need a directive to state whether you intent to use SSL or START_TLS.  Have an 'ldaps' URI is not enough, because that wouldn't leave you with a way to specify that you wish to connect to unencrypted port 389 and issue a START_TLS command.  nss_ldap does one of:

ssl on
ssl start_tls

You need a way to specify whether the cert is required and should be validated:

tls_reqcert never | demand | allow


Have a look at the TLS functions of python-ldap:

http://www.python-ldap.org/doc/html/ldap.html#tls-options

On Aug 21, 2012, at 9:55 PM, Adam Young <ayoung at redhat.com> wrote:

> On 08/21/2012 06:07 PM, Jonathan Mills wrote:
>> Like any reasonable IT organization, I run a secure LDAP server.  It will accept anonymous binds, but requires TLS and a valid certificate (tls_reqcert = demand).
>> 
>> Now it seems that Essex really only wants to use Keystone for identity management.
>> 
>> And Keystone supports LDAP as a backend.
>> 
>> And Keystone uses the python-ldap library, which supports LDAPS or LDAP w/ START_TLS.
>> 
>> So quite naturally I want Keystone to authenticate my users, who live in LDAP, to nova for me.
>> 
>> However....it does not seem that keystone.conf actually supports the configuration declarations to build a secure LDAP connection?
>> 
>> This strikes me as a pretty big deal...
>> 
> 
> LDAP support is new, and is getting more attention now.  The predominant way people seem to be using it is as a read only data store. The other way is using a local LDAP server that is either passing through to the remote one or caching a subset of the data.
> 
> Simple Bind was the most straightforward and simplest authentication that could be done. Ideally, we would do something more secure, like Kerberos.
> 
> We need to start a blueprint for LDAP features.  LDAPS/StartTLS is one that has been on my mind for a while now.  The obvious first step would be for the URL to be ldaps:/// instead of ldap:// but that is a configuration option already supported.   We do conn.simple_bind_s.  What else would be required to support it?
> 
> _______________________________________________
> rhos-list mailing list
> rhos-list at redhat.com
> https://www.redhat.com/mailman/listinfo/rhos-list

More information about the rhos-list mailing list