<h1>Redmine - Defect #8068: LDAP Authentication doesn't verify certificate validity</h1>
<p><strong>Updated by Etienne Massip</strong> on 2011-04-05T07:49:12Z (<a href="https://www.redmine.org/issues/8068?journal_id=27565">journal 27565</a>)</p>
<ul><li><strong>Category</strong> set to <i>LDAP</i></li></ul>
<p><strong>Updated by Ruben Kruiswijk</strong> on 2011-04-05T18:49:04Z (<a href="https://www.redmine.org/issues/8068?journal_id=27608">journal 27608</a>)</p>
<p>A possible 'fix' should be made optional. Not every company uses certificates issued by official certificate authorities. There are enough self-signed certificates that still have to work.</p>
<p><strong>Updated by Tony Edmonds</strong> on 2011-06-06T19:21:00Z (<a href="https://www.redmine.org/issues/8068?journal_id=29616">journal 29616</a>)</p>
<p>Whether the certificate is self-signed, signed by an in-house CA, or signed by an "official" CA doesn't matter. Redmine should attempt to check the validity of the cert against information on the local machine. Nothing about a self-signed cert precludes this.</p>
<p><strong>Updated by Tony Edmonds</strong> on 2011-06-06T19:49:06Z (<a href="https://www.redmine.org/issues/8068?journal_id=29617">journal 29617</a>)</p>
<p>I can't work out how to fix this myself, but one possible workaround is to use socat to proxy the LDAP port (389) on localhost to the real LDAPS service, validating the certificate along the way.</p>
<pre><code class="shell">socat TCP4-LISTEN:389,bind=localhost,reuseaddr,fork,su=nobody OPENSSL:ldapserver.example.com:636,cafile=/etc/ssl/certs/ldapcert.pem &amp;
</code></pre>
<p>Then point Redmine to localhost for LDAP (non-TLS).</p>
<p><strong>Updated by ciaran jessup</strong> on 2017-08-03T14:17:53Z (<a href="https://www.redmine.org/issues/8068?journal_id=80464">journal 80464</a>)</p>
<p>The 'fix' (which should really be on by default, or you could be sending your passwords <strong>anywhere</strong> :/) can be made by changing</p>
<p><a class="source" href="https://www.redmine.org/projects/redmine/repository/svn/revisions/16773/entry/trunk/app/models/auth_source_ldap.rb#L147">source:trunk/app/models/auth_source_ldap.rb@16773#L147</a></p>
<p>to something along the lines of</p>
<pre><code class="ruby syntaxhl">:encryption => {
  method: :simple_tls,
  # DEFAULT_PARAMS sets VERIFY_PEER (and hostname checking) against the OS trust store
  tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
}
</code></pre>
<p>(note I've removed the optional check of self.tls, this is purely for reference purposes!!!)</p>
<p>If the change above is made, then the certificate will be verified correctly. If the certificate is self-signed, or not available in the operating system's certificate stores for some other reason, then the instructions <a href="https://github.com/ruby-ldap/ruby-net-ldap/blob/master/lib/net/ldap.rb#L517" class="external">here</a> explain how to install the relevant certificate.</p>
<p><strong>Updated by Go MAEDA</strong> on 2018-09-16T00:35:55Z (<a href="https://www.redmine.org/issues/8068?journal_id=87331">journal 87331</a>)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li><li><strong>Resolution</strong> set to <i>Fixed</i></li></ul><p>Resolved by <a class="changeset" title="LdapError is deprecated (#24970)." href="https://www.redmine.org/projects/redmine/repository/svn/revisions/16773">r16773</a>. The latest version of net-ldap verifies certificates by default.</p>
<p><strong>Updated by Go MAEDA</strong> on 2018-09-16T00:36:22Z (<a href="https://www.redmine.org/issues/8068?journal_id=87332">journal 87332</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-5 priority-4 priority-default closed" href="/issues/24970">Defect #24970</a>: Net::LDAP::LdapError is deprecated</i> added</li></ul>
<p><strong>Updated by Go MAEDA</strong> on 2018-09-16T00:36:33Z (<a href="https://www.redmine.org/issues/8068?journal_id=87334">journal 87334</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-3 status-5 priority-4 priority-default closed" href="/issues/29606">Patch #29606</a>: Support self-signed LDAPS connections</i> added</li></ul>
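<p>The thread turns on what <code>tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS</code> actually changes, and on the follow-up that a self-signed LDAP certificate then has to be "installed" somewhere the client trusts. The block below is an added example, written for this page; it is not Redmine or net-ldap code. It uses only Ruby's standard <code>openssl</code> and <code>socket</code> libraries, stands up a throw-away TLS listener on 127.0.0.1 in place of <code>ldapserver.example.com:636</code> (hostname borrowed from the socat workaround), and signs a constructed self-signed certificate for it. It assumes that net-ldap hands <code>tls_options</code> to <code>OpenSSL::SSL::SSLContext#set_params</code>, which merges them over <code>DEFAULT_PARAMS</code>; that is an assumption about net-ldap's internals, not something the page states. Four connections are made: with verification switched off (any certificate is accepted, which is the "sending your passwords anywhere" case), with <code>DEFAULT_PARAMS</code> alone (the unknown self-signed certificate is refused), with the certificate added to an <code>OpenSSL::X509::Store</code> passed as <code>cert_store</code> (accepted), and with the same store but the wrong hostname (refused, because <code>DEFAULT_PARAMS</code> also turns on hostname checking).</p>

```ruby
# Added example for Redmine issue #8068, not Redmine or net-ldap code.
# Assumption: a net-ldap client applies tls_options via SSLContext#set_params.
require 'openssl'
require 'socket'

# Hostname taken from the socat workaround in the thread; the server is a local thread.
LDAP_HOST = 'ldapserver.example.com'

# Constructed test data: a self-signed certificate such as an in-house LDAP server might use.
def make_self_signed_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                          # X.509 v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject               # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Minimal TLS listener standing in for ldaps://ldapserver.example.com:636.
def start_tls_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  tcp = TCPServer.new('127.0.0.1', 0)          # ephemeral port
  srv = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    loop do
      begin
        srv.accept.close                       # finish the handshake, then hang up
      rescue StandardError
        break if tcp.closed?                   # listener torn down by run_demo
      end
    end
  end
  [tcp, thread]
end

# Connect the way a client applying tls_options does; report what happened.
def tls_connect(port, hostname, tls_options)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(tls_options)                  # merged over DEFAULT_PARAMS
  sock = TCPSocket.new('127.0.0.1', port)
  ssl  = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.hostname   = hostname                    # SNI, and the name verify_hostname checks
  ssl.sync_close = true
  ssl.connect
  ssl.close
  ctx.verify_mode == OpenSSL::SSL::VERIFY_NONE ? :connected_unverified : :connected_verified
rescue OpenSSL::SSL::SSLError
  sock&.close
  :rejected                                    # handshake aborted by the client
end

# Four connections against the same self-signed server; returns a hash of outcomes.
def run_demo
  cert, key   = make_self_signed_cert(LDAP_HOST)
  tcp, thread = start_tls_server(cert, key)
  port = tcp.addr[1]

  trusted = OpenSSL::X509::Store.new           # "install the relevant certificate"
  trusted.add_cert(cert)

  no_verify = { verify_mode: OpenSSL::SSL::VERIFY_NONE }
  default   = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
  pinned    = default.merge(cert_store: trusted)

  {
    no_verify:      tls_connect(port, LDAP_HOST, no_verify),          # anything accepted
    default_params: tls_connect(port, LDAP_HOST, default),            # unknown self-signed
    trusted_store:  tls_connect(port, LDAP_HOST, pinned),             # cert in the store
    wrong_hostname: tls_connect(port, 'other.example.net', pinned)    # name mismatch
  }
ensure
  tcp&.close
  thread&.join(2)
end

puts run_demo.inspect if $PROGRAM_NAME == __FILE__
```

<p>In production the store would come from <code>ca_file</code> or <code>ca_path</code> pointing at the exported LDAP certificate (the same file the socat workaround passes as <code>cafile=</code>), rather than a store built in memory; the outcome is the same. Note that the <code>no_verify</code> case connects even though the certificate chain and hostname both fail to check out, which is why a default of <code>VERIFY_NONE</code> makes a TLS-to-LDAP bind no safer than plaintext against an on-path attacker.</p>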