Bug 782617

Summary: LDAP SSL support/implementation seems wrong
Product: [Other] RHQ Project
Reporter: Larry O'Leary <loleary>
Component: Configuration, Core Server
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: 4.3
CC: hrupp
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Larry O'Leary 2012-01-17 23:11:55 UTC
The LDAP SSL configuration options provided in JON server seem to be incorrect and/or missing.

Overall LDAP SSL support needs to be reevaluated and implemented in a clean/intuitive manner. There are two types of common SSL use-cases:

  1) SSL
  2) TLS

Seeing that LDAP SSL configuration prompts the user for the URL, 1) is accomplished using ldaps://. This makes the Use SSL check-box completely confusing and misleading. It appears that if I specify a protocol of ldap:// and also check the Use SSL check-box, my protocol specification is overridden with ldaps://. Although this might be desired, it is very confusing. Most commonly a "Use SSL" option is only provided when a host name is used (i.e. we aren't asking for a URL). So, we should ask for one or the other.

To support 2) we should be asking whether SSL is optional or required.

And in both cases, installation of certificates is not provided. Instead, one must install them in a JVM-specified trust store or, if using SSL sockets between agent and server, one must figure out where this is configured and how to get the public LDAP cert into the correct key file.

Comment 2 Mike Foley 2012-01-23 16:17:30 UTC
per scrum 1/23/2012 crouch, loleary, mfoley