Use safer defaults for TLS verification on LDAP connections #2053
Commits on Sep 14, 2021
-
Use safer defaults for TLS verification on LDAP connections
The LDAP client connections were hardcoded to ignore certificate validation errors everywhere. This commit changes that to uses a secure default, which can be overridden by the new config parameter 'insecure'. Also the LDAP related test configs are updated to set that override for the tests.
-
Add utility module for LDAP connections
This should reduce code duplication a bit. Currently this only handles the initial setup of the LDAP connection (e.g. the TLS parameters). Could be enhanced to also handle the initial authentication in the future.
-
Allow to add trusted certificates for LDAP
This add a new configparameter "cacert" to allow to add trusted CAs and Server Certificates for the LDAP connections. This allows us to avoid using "insecure" when running against self-signed certificates. (As e.g. issued for glauth by default)
-
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.