
When using LDAPS, identify the SSL Path and SSL provider automatically #62

Closed
AndreeaChi opened this issue Nov 17, 2022 · 5 comments

@AndreeaChi

Is it possible when trying to use LDAPS with the Active Directory extension to identify the Path to SSL Keystore and the SSL Source Provider?

The benefit would be to avoid situations when the path or the source is completed incorrectly.

@tmortagne
Member

tmortagne commented Nov 29, 2022

Note that from what I see in recent documentation, it's very possible setting the provider is totally useless now and that the default one would do just fine (meaning the fix would be to move the default from "com.sun.net.ssl.internal.ssl.Provider" to not setting it at all). That would make it something to do on generic LDAP authenticator side instead of the AD authenticator (but I guess there is some UI to remove to make things simpler in the AD application). To be tested.

@oanat

oanat commented Nov 29, 2022

Reported https://jira.xwiki.org/browse/LDAP-120.

@snazare snazare self-assigned this Feb 4, 2023
@snazare

snazare commented Apr 5, 2023

will test "Add the possibility to not set the xwiki.authentication.ldap.ssl.secure_provider (the default value is "com.sun.net.ssl.internal.ssl.Provider") as in recent documentation, it's very possible setting the provider is totally useless now and that the default one would do just fine."

@snazare snazare assigned oanalavinia and unassigned snazare Apr 5, 2023
@oanalavinia
Contributor

https://jira.xwiki.org/browse/LDAP-120 has been included with the upgrade to LDAP 9.11.0 in 38c3894, so there is no need to fill in the provider anymore

For the path to SSL trust store, the idea of the issue was to avoid situations when this is filled in incorrectly, but I think that trying to provide a value could be more confusing, or even redundant.
According to https://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#X509TrustManager, JSSE already tries to find the certificate in one of the default locations (jssecacerts, then cacerts) in case another location was not specified, so there is no need to define other defaults.
What I propose is to update the documentation on store about this and point also to https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/UseCases#HUseLDAPoverSSL28ldapsauthentication29 , since additional configurations might be needed indeed.

oanalavinia added a commit that referenced this issue May 16, 2023
@oanalavinia oanalavinia added this to the 1.16.2 milestone May 16, 2023