Bug 578231

Summary: Add checkbox 'Allow authentication via self-signed certificates'
Product: [Fedora] Fedora Reporter: Stephen Gallagher <sgallagh>
Component: authconfigAssignee: Tomas Mraz <tmraz>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: amcnabb, dpal, duffy, tmraz
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-24 01:00:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Stephen Gallagher 2010-03-30 15:51:44 UTC
Description of problem:
One of the most common setup cases for LDAP is to use a self-signed certificate for the company's LDAP server. When an encrypted connection is needed (either in the form of LDAPS or LDAP+TLS), by default the SSSD will demand a certificate that it can validate.

Not all users will be aware, however, that they need to download a CA certificate for the self-signed server. We should add a checkbox 'Allow authentication via self-signed certificates' that translates to the sssd.conf value:
ldap_tls_reqcert = allow

(The default if this option is unspecified is "demand")
This means that the certificate will be used even if it is not verified against a CA cert.

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Comment 1 Tomas Mraz 2010-03-30 16:41:13 UTC
I do not quite agree with this as this setting is not secure - if you do not explicitely establish the trust to the CA certificate (or to the self-signed certificate) any MITM can impersonate the LDAP server and be able to fool the machine to allow anybody to log-in.

I'd prefer to implement some way to pull the certificate from the ldap connection and store it so it can be trusted. This is similar to what openssh does although here it would be part of the authconfig code. But this is F14 work to do.

Comment 2 Máirín Duffy 2010-03-31 18:04:26 UTC

Mockups to account for this change are available in the latest draft (draft 5) of the authconfig-gtk mockups. The screens of interest are as follows:



Comment 3 Stephen Gallagher 2010-03-31 18:12:40 UTC
I think I follow what you're suggesting, Tomas. We should add perhaps ldap_tls_reqcert = once. This would make the assumption that the connection is safe the first time. On the first connection made by the SSSD, we should store the CA cert into the proper directory, run the cacertdir_hash routine and then always rely on that for future connections.

Is this an accurate rephrasing of your suggestion above?

Comment 4 Tomas Mraz 2010-03-31 18:18:53 UTC
I thought of implementing the first connection in authconfig itself but if you would do that in SSSD it would make sense as well. Whatever you prefer. If the implementation is done on the SSSD side there is still remaining issue how to implement change of the certificate in case of legitimate change of the certificate on server (expiration etc.). We would need to somehow trigger a connection which would remove the old certificate and install a new one.

Comment 5 Stephen Gallagher 2010-03-31 18:36:32 UTC
Hmm, this is going to need a bit more thought. Ideally, we should present the user the option to accept the certificate. So that would probably be better done in authconfig rather than SSSD.

We're still speaking in general terms, however. I'm not even sure at this point whether we can get this directly from the LDAP connection.

Comment 6 Tomas Mraz 2010-03-31 18:53:26 UTC
It should be definitely possible to get it from the LDAP connection at least in the self-signed host certificate case. It will require quite bit of code though. And yes I also think that it would be probably better to do this in authconfig rather than SSSD.

Comment 7 Dmitri Pal 2010-03-31 19:50:52 UTC
Should we consider certmonger for tracking cert expiration? This is exactly what it is designed for.

Comment 8 Andrew McNabb 2010-04-08 16:22:19 UTC
Will the "ldap_tls_reqcert = once" or "ldap_tls_reqcert = allow" options also be added to the "auth" kickstart option?  It would be great to be able to do "auth --enableldapauth --ldap_tls_reqcert=once" within a kickstart script.