Project

General

Profile

Actions

Patch #29606

closed

Support self-signed LDAPS connections

Added by Gregor Schmidt over 6 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Category:
LDAP
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:

Description

With the introduction of certficate checks to LDAPS connections in trunk #24970 (and maybe 3.4 in #29476), we should enable the user to fall back to the old behavior, where server certificates were not checked.

This is especially important, where local domain controllers and LDAP servers are used as an authentication backend. Because there servers will often use self-signed certificates.

The attached patch adds a configuration option to disable the certificate checks for LDAPS connections.

Implementation

The patch adds a new boolean column to auth_sources called verify_peer. The LDAP auth source edit screen is extended so that users may decide if they want to use "LDAP", "LDAPS without certificate check" (this one is new) or "LDAPS with certificate check".

new config option

Depending on the selected option, the tls and verify_peer attributes are set on the auth source.

Furthermore the patch extends the LDAP connection setup code, to use the newly introduced setting.

Backwards compatibility

To ensure backwards compatibility with the current Redmine trunk, the new column verify_peer defaults to true. This way, connections which use tls will continue checking the certificates.

If you want to stay compatible with the behavior in the latest Redmine release, then the default value should be false, since 3.4 currently doesn't verify certificates, as explained in #29476.

I chose to introduce a new column instead of changing the existing one, so that the db schema remains compatible with other auth sources, which may be used by plugins. Adding a new column, should not break any existing code.

Redmine.pm compatibility

Redmine.pm currently does not verify certificates.

A brief check suggests, that the library which is used in Redmine.pm simpy doesn't support checking server certificates. Therefore in order to properly secure LDAP authentication for SVN and/or to support this new configuration, Redmine.pm would need to switch to a different LDAP library. But this would be out of scope for this ticket. This patch neither improves nor worsens the security of Redmine.pm's LDAP authentication.

Related issues

  • #24970 introduces server certificate checks for LDAPS for Redmine 4.0
  • #29476 suggests to backport #24970 to Redmine 3.4
  • #27071 seems to be facing the problem, that the certficate cannot be validated
  • #3358 was suggesting (among others) a similar feature

The attached patch is targeted at r17480.


Files

Screen Shot 2018-09-13 at 14.24.18.png (19.4 KB) Screen Shot 2018-09-13 at 14.24.18.png new config option Gregor Schmidt, 2018-09-13 15:13
0001-Allow-unchecked-LDAPS-TLS-connections.patch (8.1 KB) 0001-Allow-unchecked-LDAPS-TLS-connections.patch patch against r17480 Gregor Schmidt, 2018-09-13 15:30
0001-Allow-unchecked-LDAPS-TLS-connections.patch (8.09 KB) 0001-Allow-unchecked-LDAPS-TLS-connections.patch updated version (v2) Gregor Schmidt, 2018-09-14 10:03

Related issues

Related to Redmine - Defect #24970: Net::LDAP::LdapError is deprecatedClosedJean-Philippe Lang

Actions
Related to Redmine - Defect #29476: Update net-ldap to 0.16.0Closed

Actions
Related to Redmine - Defect #27071: Error testing LDAPS Connection: "Unable to connect (hostname X.X.X.X does not match the server certificate)"Closed

Actions
Related to Redmine - Patch #3358: Advanced LDAP authenticationNew2009-05-13

Actions
Related to Redmine - Defect #8068: LDAP Authentificaton doesn't verify certificate validityClosed2011-04-05

Actions
Actions #1

Updated by Gregor Schmidt over 6 years ago

Actions #2

Updated by Holger Just over 6 years ago

  • Related to Defect #24970: Net::LDAP::LdapError is deprecated added
Actions #3

Updated by Holger Just over 6 years ago

Actions #4

Updated by Holger Just over 6 years ago

  • Related to Defect #27071: Error testing LDAPS Connection: "Unable to connect (hostname X.X.X.X does not match the server certificate)" added
Actions #5

Updated by Holger Just over 6 years ago

  • Related to Patch #3358: Advanced LDAP authentication added
Actions #6

Updated by Go MAEDA over 6 years ago

  • Category set to Accounts / authentication
  • Target version set to 4.0.0

Using self-signed certificates is not so uncommon for on-premises. Setting the target version to 4.0.0.

Actions #7

Updated by Go MAEDA over 6 years ago

  • Assignee set to Jean-Philippe Lang
Actions #8

Updated by Gregor Schmidt over 6 years ago

After some internal discussion at Planio, we've decided to further clarify the wording. Attached you may find an updated patch. It only differs in the locale files.

It should be now more clear, that LDAPS with certificate check should be considered proper LDAPS, while the option without certificate check is merely an exception for special use cases.

I've also replaced authorization with authentication in the new texts.

Actions #9

Updated by Go MAEDA over 6 years ago

  • Related to Defect #8068: LDAP Authentificaton doesn't verify certificate validity added
Actions #10

Updated by Go MAEDA about 6 years ago

  • Category changed from Accounts / authentication to LDAP
Actions #11

Updated by Jean-Philippe Lang about 6 years ago

  • Status changed from New to Closed

Committed, thanks.

Actions

Also available in: Atom PDF