Issue #5654: ipa-advise config-redhat-nss-ldap does not enable TLS for LDAP - freeipa

freeipa

#5654 ipa-advise config-redhat-nss-ldap does not enable TLS for LDAP

Closed: Fixed None Opened 8 years ago by pspacek.

After executing commands produced by ipa-advise config-redhat-nss-ldap following lines are present in /etc/ldap.conf:

uri ldap://vm-058-103.abc.idm.lab.eng.brq.redhat.com
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

This is way too insecure, because BIND request are sending passwords in plaintext!

ssl start_tls

works even with nss_ldap-253-52.el5_11.2 on latest RHEL 5.

Apparently authconfig call is missing --enableldaptls parameter.

This might be the case even for other ipa-advise modules, we should review them.

pspacek commented 8 years ago

It seems that the same problem is in config-redhat-nss-ldapd config for advisor.

tbabej commented 8 years ago

master:

02d3ea1 advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins

ipa-4-3:

b2c5c32 advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins

ipa-4-2:

6111a30 advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins

Metadata Update from @pspacek:
- Issue assigned to pvoborni
- Issue set to the milestone: FreeIPA 4.2.4

7 years ago

Metadata

Assignee

pvoborni

Tags

None

Blocking

None

Depending on

None

Priority

important

Milestone

FreeIPA 4.2.4

None

affects_doc

None

source

None

knownissue

None

type

defect

blockedby

None

test_case

None

component

Client

blocking

None

on_review

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

tester

None

changelog

None

design

None

freeipa

Source Code

#5654 ipa-advise config-redhat-nss-ldap does not enable TLS for LDAP Closed: Fixed None Opened 8 years ago by pspacek.

Metadata

#5654 ipa-advise config-redhat-nss-ldap does not enable TLS for LDAP

Closed: Fixed None Opened 8 years ago by pspacek.