Bug #10239

LDAP TLS certificate checking against other PKI

Added by Jelmer Hartman over 5 years ago. Updated about 4 years ago.

Status: Resolved
Priority: No priority
Assignee: Dru Lavigne
Category: Documentation
Target version:
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

When an LDAP server has TLS configured using a certificate that has been signed by an external commercial or private CA, it is now not possible to use TLS in FreeNAS.

I propose that you can also import CA certificates without a private key, and select those to verify the LDAP server certificate.

History

#1 Updated by John Hixson over 5 years ago

  • Status changed from Unscreened to 15
  • Target version set to Unspecified

Jelmer Hartman wrote:

When an LDAP server has TLS configured using a certificate that has been signed by an external commercial or private CA, it is now not possible to use TLS in FreeNAS.

I propose that you can also import CA certificates without a private key, and select those to verify the LDAP server certificate.

You most certainly can import certificates signed externally and without a private key. Can you provide more detail and a reproduction case please?

#2 Updated by Jelmer Hartman over 5 years ago

Oops, I seem to be completely wrong; maybe the GUI/docs could be a bit clearer, or maybe I'm just stupid.

I have tried importing a normal certificate, in that case the private key is mandatory.

When trying to import a CA certificate a private key import field is there, but it turns out that in this case it is not mandatory. The serial number IS mandatory. I don't see how that is relevant when importing an external CA certificate, but any number will work, so there's no problem there.

#3 Updated by John Hixson over 5 years ago

  • Status changed from 15 to Closed: Behaves correctly

#4 Updated by Jelmer Hartman over 5 years ago

I went through the documentation one more time and I think it is in fact not completely accurate. You don't need to point at the certificate of the LDAP server, but at the CA that signed it.

It now states: "select the certificate of the LDAP server if SSL or TLS connections are used (required if authentication is used); if you do not have a certificate, first create a CA (in CAs) then the certificate (in Certificates)"

I suggest something like:
"select the CA that signed the certificate of the LDAP server (required if authentication is used); if your LDAP server doesn't already have a certificate, first create a CA then the certificate (in Certificates) and install the certificate on the LDAP server."

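The two points in the comment above, that the trust anchor has to be the CA that signed the LDAP server's certificate rather than the server certificate itself, and that a CA certificate is usable without any private key, can be checked with openssl. The script below is an added example, not code from this ticket or from the FreeNAS project; the CA name, the hostname ldap.example.test and the temporary paths are constructed.

```shell
#!/bin/sh
# Added example (not from the FreeNAS project or this ticket). Builds a
# throwaway private CA plus an LDAP server certificate signed by it, then
# shows which file works as the trust anchor. All names and paths are made up.
set -eu

WORK=$(mktemp -d)

# Create the CA and a server certificate issued by it. Only ca.crt (public) is
# needed by an LDAP client to verify the server; ca.key never leaves the CA.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.test" \
        -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/ldap.csr" -days 2 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/ldap.crt" 2>/dev/null
}

# verify_with FILE: succeed only if ldap.crt chains to a trust anchor in FILE.
verify_with() {
    openssl verify -CAfile "$1" "$WORK/ldap.crt" >/dev/null 2>&1
}

# has_private_key FILE: succeed if FILE carries a PEM private key block.
has_private_key() {
    grep -q 'PRIVATE KEY' "$1"
}

make_pki

# The CA certificate alone (no private key) is a working trust anchor.
if verify_with "$WORK/ca.crt"; then
    echo "ca.crt as trust anchor: server certificate verifies"
fi
# The server's own certificate is not: it is not self-signed, so the store
# holds nothing that issued it.
if ! verify_with "$WORK/ldap.crt"; then
    echo "ldap.crt as trust anchor: verification fails (no issuer found)"
fi
if ! has_private_key "$WORK/ca.crt"; then
    echo "ca.crt contains no private key, as expected for an imported CA"
fi
```

Against a live server the same check is `openssl s_client -connect host:636 -CAfile ca.crt`, where a "Verify return code: 0 (ok)" line confirms the selected CA is sufficient.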
#5 Updated by Dru Lavigne over 5 years ago

  • Category changed from 118 to Documentation
  • Status changed from Closed: Behaves correctly to Screened
  • Assignee changed from John Hixson to Dru Lavigne

#6 Updated by Dru Lavigne about 5 years ago

  • Status changed from Screened to Unscreened
  • Assignee changed from Dru Lavigne to John Hixson

Can you confirm that it is correct to just select the CA? The drop-down menu allows this, I just want to make sure that it is sufficient for the configuration to work.

#7 Updated by John Hixson about 5 years ago

  • Status changed from Unscreened to Screened
  • Assignee changed from John Hixson to Dru Lavigne

Dru Lavigne wrote:

Can you confirm that it is correct to just select the CA? The drop-down menu allows this, I just want to make sure that it is sufficient for the configuration to work.

Yup, that is correct ;-)

#8 Updated by Dru Lavigne about 5 years ago

  • Status changed from Screened to Resolved

See commit 21798c6282db2da21dab64100e112056c61b370e.

#9 Updated by Kris Moore about 4 years ago

  • Target version changed from Unspecified to N/A
