Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-1412

LDAP IDP: TLS without verification



    • SFDC Cases Links:
    • SFDC Cases Counter:
    • Product Experience Impact Score:
    • Product Experience Scheduling Request:
      No PX recommendation - schedule improvements, discuss merits, or close
    • Product Experience status:
      Medium support complexity


      1. Proposed title of this feature request

      LDAP IDP: TLS without verification

      2. What is the nature and description of the request?

      Provide an option or collection of configuration options to allow the LDAP IDP to connect to a LDAP server with TLS, but without verifying that the SSL/TLS certificate is valid. Other SSL/TLS implementations typically call this something like "TLS no verify" or the like.

      3. Why does the customer need this? (List the business requirements here)

      It's useful for at least three different use cases:
      3.1. Customer will shortly have a compliance requirement to implement LDAP+TLS with certificates that fail verification. Fixing the certificates is not an option. If this is not available, our project may fail
      security compliance requirements, and we may not be able to use OpenShift. Other products we use do typically have an option for TLS without verification.
      3.2. For customers who are forced to use LDAP+TLS with certificates that fail verification, being able to use TLS without verification is better than plaintext LDAP because it addresses the real security
      threat of a passive listener. It is not as good as TLS with verification, because it does not address the threat of "man in the middle". But a partial solution is better than none.
      3.3. Even if/when customers are able to use valid certificates, when debugging issues, it is convenient to be able to turn off TLS verification as a debugging step. If the problems go away with TLS verification
      disabled, then we know it's a certificate issue. If the problem persists even with TLS verification disabled, we know to look at some other issue.

      Customer uggests adding an option to the OAuth kind at spec.identityProviders[].ldap, such as "tlsVerify". Default to true, but have an option for false. Combine with the existing "insecure" option like so:

      insecure==false && tlsVerify==true => TLS/SSL enabled with verification
      insecure==false && tlsVerify==false => TLS/SSL enabled without verification
      insecure==true && tlsVerify==true => TLS/SSL disabled
      insecure==true && tlsVerify==false => TLS/SSL disabled

      When "TLS without verification" is in effect, some specific items not to verify are hostname/subject matching, certificate expiration, CA expiration, and intermediate certification expiration.


      4. List any affected packages or components.

      Openshift Oauth





            anachand Anandnatraj Chandramohan
            rhn-support-kvatteka Krishna V S Vattekate
            0 Vote for this issue
            3 Start watching this issue