Loading...

XML

Word

Printable

Details

Type: Feature Request
Resolution: Done
Priority: Critical
Fix Version/s: None
Affects Version/s: None
Component/s: Auth, Network Edge
Labels:
- NAPS
- Oauth
- TLS
- ldap
- openshift

Blocked:
False
Ready:
False
Hierarchy Progress:
0
Hierarchy Progress Bar:

0% 0%
Release Note Text:
Undefined

SFDC Cases Counter:
SFDC Cases Links:

Description

1. Proposed title of this feature request

LDAP IDP: TLS without verification

2. What is the nature and description of the request?

Provide an option or collection of configuration options to allow the LDAP IDP to connect to a LDAP server with TLS, but without verifying that the SSL/TLS certificate is valid. Other SSL/TLS implementations typically call this something like "TLS no verify" or the like.

3. Why does the customer need this? (List the business requirements here)

It's useful for at least three different use cases:
3.1. Customer will shortly have a compliance requirement to implement LDAP+TLS with certificates that fail verification. Fixing the certificates is not an option. If this is not available, our project may fail
security compliance requirements, and we may not be able to use OpenShift. Other products we use do typically have an option for TLS without verification.
3.2. For customers who are forced to use LDAP+TLS with certificates that fail verification, being able to use TLS without verification is better than plaintext LDAP because it addresses the real security
threat of a passive listener. It is not as good as TLS with verification, because it does not address the threat of "man in the middle". But a partial solution is better than none.
3.3. Even if/when customers are able to use valid certificates, when debugging issues, it is convenient to be able to turn off TLS verification as a debugging step. If the problems go away with TLS verification
disabled, then we know it's a certificate issue. If the problem persists even with TLS verification disabled, we know to look at some other issue.

Customer uggests adding an option to the OAuth kind at spec.identityProviders[].ldap, such as "tlsVerify". Default to true, but have an option for false. Combine with the existing "insecure" option like so:

insecure==false && tlsVerify==true => TLS/SSL enabled with verification
insecure==false && tlsVerify==false => TLS/SSL enabled without verification
insecure==true && tlsVerify==true => TLS/SSL disabled
insecure==true && tlsVerify==false => TLS/SSL disabled

When "TLS without verification" is in effect, some specific items not to verify are hostname/subject matching, certificate expiration, CA expiration, and intermediate certification expiration.

4. List any affected packages or components.

Openshift Oauth

Attachments

Activity

People

Assignee:: Anandnatraj Chandramohan (Inactive)

Reporter:: Krishna V S Vattekate (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2020/11/19 1:49 PM

Updated:: 2024/03/25 6:51 PM

Resolved:: 2020/11/20 2:29 PM