Bug 1785621 - [LDAP] - Not able to make test connection with LDAP IDM Server if used https connection
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: LDAP
Version: 6.7.0
Hardware: All
OS: All
Priority: unspecified
Severity: high
Target Milestone: 6.7.0
Assignee: satellite6-bugs
QA Contact: Sanket Jagtap
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-12-20 13:20 UTC by Omkar Khatavkar
Modified: 2021-07-21 15:21 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-01-26 14:43:37 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Bugzilla 1527048 (priority: medium, status: CLOSED) - CVE-2017-17718 rubygem-net-ldap: Missing SSL Certificate Validation (last updated 2021-02-22 00:41:40 UTC)

Internal Links: 1829551

Description Omkar Khatavkar 2019-12-20 13:20:07 UTC
Description of problem:
[LDAP] - Not able to make test connection with LDAP IDM Server if used https connection  

Version-Release number of selected component (if applicable):
Satellite 6.7 (failing)
Satellite 6.6 (passing)

How reproducible:
Always

Steps to Reproduce:

1. Download the LDAP server (IDM) certificate to a temporary location.

You can get it from e.g. https://freeipa.example.com/ipa/config/ca.crt

2. Trust the Certificate.

Copy the certificate to /etc/pki/ca-trust/source/anchors/ on the Foreman server.

# cp ipa_ca.crt /etc/pki/ca-trust/source/anchors/

# update-ca-trust extract

# restorecon -R /etc/pki/ca-trust/source/anchors/

# systemctl restart httpd

3. Now try Test Connection for the LDAP (IDM) server over https.

Actual results:
Currently, Test Connection fails with an error ('[Foreman::WrappedException]: Unable to connect to LDAP server').

Expected results:
Test Connection should not fail. 


Additional info:
The same Test is passing for Satellite 6.6

Comment 8 Tomer Brisker 2020-01-26 14:43:37 UTC
This is due to an upgrade in the net-ldap rubygem in 6.7. 
Satellite 6.6 shipped with 0.15, which did not validate TLS certificates. 
Satellite 6.7 includes version 0.16, which validates TLS certificates. 
This fixes CVE-2017-17718.

Closing as NOTABUG since the name on the certificate must match the hostname provided.
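The following is an added illustration of the two checks behind this closure, not code from Satellite, Foreman or the net-ldap gem. Trusting the IPA CA (steps 1 and 2 of the reproducer) only satisfies chain validation; a verifying client such as net-ldap 0.16 additionally requires that the name the LDAP source was configured with (the value Test Connection uses to connect) appears in the server certificate. The script generates a CA, a server certificate for the made-up host ipa.example.com, and a certificate from an equally made-up "Rogue CA", then runs the chain and hostname checks with Ruby's standard OpenSSL bindings for each scenario: FQDN with a trusted CA, IP address instead of FQDN, short name, and an untrusted CA.

```ruby
require "openssl"
require "ipaddr"

# Added illustration, not code from Satellite, Foreman or the net-ldap gem.
# It reproduces the two checks a verifying TLS client performs on the LDAP
# server certificate: (1) chain validation against the trusted CA and
# (2) matching the presented name against the hostname the client was told
# to connect to.  Certificates are generated inline; ipa.example.com and
# the "Rogue CA" are invented for the demonstration.

# Build a self-signed CA certificate or a CA-issued server certificate.
def build_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false, sans: [])
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                               # X.509 v3
  cert.serial = rand(1..(2**62))
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  else
    cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
    cert.add_extension(ef.create_extension("subjectAltName", sans.join(","))) unless sans.empty?
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# The two checks a verifying client applies to the LDAP server's certificate.
# Returns :ok, :untrusted_chain or :hostname_mismatch.
def check_ldap_peer(server_cert, trusted_cas, hostname)
  store = OpenSSL::X509::Store.new               # stands in for the system trust store
  trusted_cas.each { |c| store.add_cert(c) }
  return :untrusted_chain unless store.verify(server_cert)
  # Matches subjectAltName DNS/IP entries (falling back to CN only when no SAN exists).
  return :hostname_mismatch unless OpenSSL::SSL.verify_certificate_identity(server_cert, hostname)
  :ok
end

# Scenarios from this bug: trusted CA + FQDN, trusted CA + IP, trusted CA +
# short name, and a certificate issued by a CA that was never trusted.
def demo
  ca_key    = OpenSSL::PKey::RSA.new(2048)
  ca        = build_cert("/CN=Example IPA CA", ca_key, ca: true)
  srv_key   = OpenSSL::PKey::RSA.new(2048)
  srv       = build_cert("/CN=ipa.example.com", srv_key, issuer_cert: ca, issuer_key: ca_key,
                         sans: ["DNS:ipa.example.com"])
  rogue_key = OpenSSL::PKey::RSA.new(2048)
  rogue_ca  = build_cert("/CN=Rogue CA", rogue_key, ca: true)
  rogue_srv = build_cert("/CN=ipa.example.com", srv_key, issuer_cert: rogue_ca,
                         issuer_key: rogue_key, sans: ["DNS:ipa.example.com"])
  {
    fqdn_trusted:       check_ldap_peer(srv, [ca], "ipa.example.com"),       # :ok
    ip_instead_of_fqdn: check_ldap_peer(srv, [ca], "192.0.2.10"),            # :hostname_mismatch
    short_name:         check_ldap_peer(srv, [ca], "ipa"),                   # :hostname_mismatch
    untrusted_ca:       check_ldap_peer(rogue_srv, [ca], "ipa.example.com"), # :untrusted_chain
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |scenario, result| puts "#{scenario}: #{result}" }
end
```

The practical reading for an LDAP source that broke on upgrade: if the chain check passes (CA installed with update-ca-trust) but the hostname check fails, the LDAP source is configured with an IP address or a short name that is not in the certificate's subjectAltName, and the fix is on the Satellite side (use the FQDN from the certificate) rather than in net-ldap.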

