Bug 782617 - LDAP SSL support/implementation seems wrong
Status: NEW
Product: RHQ Project
Classification: Other
Component: Configuration, Core Server
Severity: medium
Assigned To: RHQ Project Maintainer
Mike Foley
Reported: 2012-01-17 18:11 EST by Larry O'Leary
Modified: 2012-01-23 11:17 EST (History)
Doc Type: Bug Fix
Description Larry O'Leary 2012-01-17 18:11:55 EST
The LDAP SSL configuration options provided in JON server seem to be incorrect and/or missing.

Overall LDAP SSL support needs to be reevaluated and implemented in a clean/intuitive manner. There are two types of common SSL use-cases:

  1) SSL
  2) TLS

Seeing that LDAP SSL configuration prompts the user for the URL, 1) is accomplished using ldaps://. This makes the Use SSL check-box completely confusing and misleading. It appears that if I specify a protocol of ldap:// and also check the Use SSL check-box, my protocol specification is overridden with ldaps://. Although this might be desired, it is very confusing. Most commonly a "Use SSL" option is only provided when a host name is used (i.e. we aren't asking for a URL). So, we should ask for one or the other.

To support 2) we should be asking whether SSL is optional or required.

And in both cases, installation of certificates is not provided. Instead, one must install them in a JVM specified trust store or if using SSL sockets between agent and server, one must figure out where this is configured and how to get the public LDAP cert in the correct key file.
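As an added illustration (not code from RHQ/JON), the following Python models the two configuration shapes the report contrasts: the current URL-plus-"Use SSL" form with its silent scheme override, and a host-plus-mode form in which ldaps, StartTLS optional, StartTLS required and the trust store are explicit choices. The names TlsMode, LdapEndpoint and legacy_effective_url are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


class TlsMode(Enum):
    NONE = "none"                       # plain ldap://, no encryption
    LDAPS = "ldaps"                     # TLS from the first byte, dedicated port (636)
    STARTTLS_OPTIONAL = "starttls-opt"  # ldap://, upgrade with StartTLS if the server offers it
    STARTTLS_REQUIRED = "starttls-req"  # ldap://, abort the bind if StartTLS cannot be negotiated


def legacy_effective_url(url: str, use_ssl: bool) -> Tuple[str, List[str]]:
    """Model of the behaviour the report describes: the 'Use SSL' box silently
    rewrites an ldap:// URL to ldaps://. Returns the URL actually used plus warnings."""
    p = urlsplit(url)
    scheme, warnings = p.scheme, []
    if use_ssl and scheme == "ldap":
        scheme = "ldaps"
        warnings.append("URL scheme ldap:// overridden to ldaps:// by 'Use SSL'")
    if not use_ssl and scheme == "ldaps":
        warnings.append("ldaps:// URL given but 'Use SSL' unchecked; the URL wins")
    # Note: an explicit :389 survives the rewrite, although ldaps normally listens on 636.
    return f"{scheme}://{p.netloc}{p.path}", warnings


@dataclass(frozen=True)
class LdapEndpoint:
    """Clean model: host plus an explicit TLS mode and trust store, so no URL/checkbox conflict."""
    host: str
    mode: TlsMode
    port: Optional[int] = None
    truststore: Optional[str] = None   # file holding the LDAP server's CA certificate

    def __post_init__(self) -> None:
        # Certificate trust is part of the configuration, not something hidden in the JVM.
        if self.mode is not TlsMode.NONE and self.truststore is None:
            raise ValueError("a trust store is required whenever TLS is in use")

    def url(self) -> str:
        scheme = "ldaps" if self.mode is TlsMode.LDAPS else "ldap"
        port = self.port or (636 if self.mode is TlsMode.LDAPS else 389)
        return f"{scheme}://{self.host}:{port}"

    def needs_starttls(self) -> bool:
        return self.mode in (TlsMode.STARTTLS_OPTIONAL, TlsMode.STARTTLS_REQUIRED)

    def tls_failure_is_fatal(self) -> bool:
        return self.mode in (TlsMode.LDAPS, TlsMode.STARTTLS_REQUIRED)
```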
Comment 2 Mike Foley 2012-01-23 11:17:30 EST
per scrum 1/23/2012 crouch, loleary, mfoley
