Type: Feature Request
Status: Rejected
Affects Version/s: None
Fix Version/s: None
Product Experience Impact Score: 4.25
Product Experience Scheduling Request: No PX recommendation - schedule improvements, discuss merits, or close
Product Experience status: Medium support complexity
1. Proposed title of this feature request
LDAP IDP: TLS without verification
2. What is the nature and description of the request?
Provide an option, or a set of configuration options, that allows the LDAP IDP to connect to an LDAP server over TLS without verifying that the server's SSL/TLS certificate is valid. Other TLS implementations typically expose this as an option named something like "TLS no verify".
3. Why does the customer need this? (List the business requirements here)
It's useful for at least three different use cases:
3.1. The customer will shortly have a compliance requirement to implement LDAP+TLS with certificates that fail verification. Fixing the certificates is not an option. If this option is not available, the project may fail security compliance requirements, and the customer may not be able to use OpenShift. Other products they use typically do have an option for TLS without verification.
3.2. For customers who are forced to use LDAP+TLS with certificates that fail verification, TLS without verification is better than plaintext LDAP because it addresses the real security threat of a passive listener. It is not as good as TLS with verification, because it does not address the threat of a man in the middle (an active attacker who presents their own certificate is accepted). But a partial solution is better than none.
3.3. Even when customers are able to use valid certificates, it is convenient to be able to turn off TLS verification as a debugging step. If the problem goes away with TLS verification disabled, it is a certificate issue. If the problem persists with TLS verification disabled, something else is wrong.
The customer suggests adding an option to the OAuth kind at spec.identityProviders.ldap, such as "tlsVerify", defaulting to true but settable to false, combined with the existing "insecure" option as follows:
insecure==false && tlsVerify==true => TLS/SSL enabled with verification
insecure==false && tlsVerify==false => TLS/SSL enabled without verification
insecure==true && tlsVerify==true => TLS/SSL disabled
insecure==true && tlsVerify==false => TLS/SSL disabled
When "TLS without verification" is in effect, the specific checks to skip would include hostname/subject matching, certificate expiration, CA expiration, and intermediate certificate expiration.
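The following Go program is an added example and is not code from this request or from OpenShift's LDAP IDP. It stands up a loopback TLS server with a constructed, already-expired self-signed certificate for an assumed hostname (ldap.corp.example) and then connects as the client in the modes the table above distinguishes: insecure=false/tlsVerify=true fails with an x509 expiry error, and insecure=false/tlsVerify=false connects and accepts whatever certificate it is shown. It goes one step beyond the request with a pinned variant: it skips the same chain, hostname and expiry checks but rejects any server whose public key does not match a pin recorded in advance, which is the check a practitioner should reach for when the certificates cannot be fixed, because it restores the man-in-the-middle resistance that plain "no verify" gives up. All function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Assumed name of the customer's LDAP server; constructed for this example.
const ldapHost = "ldap.corp.example"

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// badServerCert builds a self-signed certificate that fails verification for one of
// the reasons the request lists (it expired a day ago); the parsed leaf is kept in
// cert.Leaf so callers can load it as a trust root or pin its key.
func badServerCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{ldapHost},
		NotBefore:    time.Now().Add(-48 * time.Hour),
		NotAfter:     time.Now().Add(-24 * time.Hour), // already expired
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startServer stands in for the LDAPS server: it presents cert on a loopback port
// and completes handshakes in the background until stop() is called.
func startServer(cert tls.Certificate) (addr string, stop func() error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	check(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln.Addr().String(), ln.Close
}

// spkiPin is SHA-256 over the server's SubjectPublicKeyInfo, a value an operator
// can record out of band when the certificate chain itself cannot be fixed.
func spkiPin(c *x509.Certificate) []byte { s := sha256.Sum256(c.RawSubjectPublicKeyInfo); return s[:] }

// insecure=false, tlsVerify=true: chain, hostname and validity period are all checked.
func verifiedConfig(roots *x509.CertPool) *tls.Config { return &tls.Config{RootCAs: roots} }

// insecure=false, tlsVerify=false as requested: the session is encrypted, so a passive
// listener learns nothing, but any certificate is accepted, so an active attacker who
// terminates TLS with their own certificate goes unnoticed.
func noVerifyConfig() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }

// Same skipped checks as noVerifyConfig, but the server's public key must match a pin
// fixed in advance, which closes the man-in-the-middle gap the request concedes.
func pinnedConfig(pin []byte) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		VerifyConnection: func(cs tls.ConnectionState) error {
			if got := spkiPin(cs.PeerCertificates[0]); !bytes.Equal(got, pin) {
				return fmt.Errorf("server key pin mismatch: %x", got)
			}
			return nil
		},
	}
}

// dial connects as an LDAP client would; it returns the verification or pin error,
// or nil when the handshake completed.
func dial(addr string, cfg *tls.Config) error {
	cfg.ServerName = ldapHost // the name the client expects, whatever IP it dials
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	cert := badServerCert()
	addr, stop := startServer(cert)
	defer stop()
	roots := x509.NewCertPool()
	roots.AddCert(cert.Leaf)
	fmt.Println("verified:     ", dial(addr, verifiedConfig(roots)))           // certificate has expired
	fmt.Println("no verify:    ", dial(addr, noVerifyConfig()))                 // <nil>
	fmt.Println("pinned, match:", dial(addr, pinnedConfig(spkiPin(cert.Leaf)))) // <nil>
	fmt.Println("pinned, wrong:", dial(addr, pinnedConfig(make([]byte, 32))))   // pin mismatch
}
```

The pinned mode is the caveat worth attaching to any "tlsVerify: false" switch: disabling verification should be paired with an out-of-band check of the server's key, otherwise the option only protects against the passive listener described in 3.2 and nothing stops an interposed host from reading LDAP bind credentials. For the debugging use in 3.3, running the verified mode once against the real server and reading the returned x509 error tells you which of the listed checks (hostname, expiry, chain) is failing without turning verification off in the product.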
4. List any affected packages or components.