Use safer defaults for TLS verification on LDAP connections #2053
Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.
Thanks, great improvement!
We should probably run a grep -i insecure around the codebase :)
This pull request fixes 9 alerts when merging 6c787c5 into f2109fc - view on LGTM.com fixed alerts:
6c787c5 to 2759a8b
AFAICS those were the only remaining places where i was hardcoded.
This pull request fixes 9 alerts when merging 2759a8b into f2109fc - view on LGTM.com fixed alerts:
Awesome improvement!
Converted to draft for now. As I think this needs some adjustments in ocis.
2759a8b to 2b7410f
This pull request fixes 9 alerts when merging 2b7410f into 36d6211 - view on LGTM.com fixed alerts:
@rhafer please remove the draft state if you think it is completed.
The LDAP client connections were hardcoded to ignore certificate validation errors everywhere. This commit changes that to use a secure default, which can be overridden by the new config parameter 'insecure'. Also the LDAP related test configs are updated to set that override for the tests.
This should reduce code duplication a bit. Currently this only handles the initial setup of the LDAP connection (e.g. the TLS parameters). Could be enhanced to also handle the initial authentication in the future.
This adds a new config parameter "cacert" to allow adding trusted CAs and server certificates for the LDAP connections. This allows us to avoid using "insecure" when running against self-signed certificates (as e.g. issued for glauth by default).
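The behaviour these commit messages describe, sketched as an added example that is not taken from the pull request's code: certificate verification stays on by default, `insecure` is an explicit opt-out, and `cacert` extends the trust store so a self-signed server can be verified instead. The type and function names and the host name are assumptions made for the illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"os"
)

// LDAPTLSOptions mirrors the two settings named in the commit messages
// ("insecure" and "cacert"). The struct itself is hypothetical.
type LDAPTLSOptions struct {
	Insecure bool   // zero value is false, so verification is on unless overridden
	CACert   string // optional path to a PEM bundle of trusted CA or server certs
}

// NewLDAPTLSConfig (hypothetical helper) builds the tls.Config for an
// LDAPS or StartTLS connection to host.
func NewLDAPTLSConfig(host string, o LDAPTLSOptions) (*tls.Config, error) {
	cfg := &tls.Config{ServerName: host}
	if o.Insecure {
		cfg.InsecureSkipVerify = true // explicit override, e.g. in test configs
		return cfg, nil
	}
	if o.CACert == "" {
		return cfg, nil // RootCAs left nil: Go verifies against the system store
	}
	pem, err := os.ReadFile(o.CACert)
	if err != nil {
		return nil, fmt.Errorf("reading cacert: %w", err)
	}
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no usable system store: trust only the bundle
	}
	if !pool.AppendCertsFromPEM(pem) {
		// Fail closed: an unusable bundle is a config error, not a reason
		// to connect with weaker verification.
		return nil, errors.New("cacert: no PEM certificates found in " + o.CACert)
	}
	cfg.RootCAs = pool
	return cfg, nil
}

func main() {
	cfg, err := NewLDAPTLSConfig("ldap.example.org", LDAPTLSOptions{})
	fmt.Println("skip verify:", cfg.InsecureSkipVerify, "err:", err)
}
```
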
2b7410f to ee401dd
This pull request fixes 9 alerts when merging ee401dd into d04e363 - view on LGTM.com fixed alerts: