[Rt-commit] rt branch 5.0/ldap-cafile-capath-docs created. rt-5.0.2-57-g0e2f4879fe

BPS Git Server git at git.bestpractical.com
Fri Jan 21 21:41:32 UTC 2022


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".

The branch, 5.0/ldap-cafile-capath-docs has been created
        at  0e2f4879fec7931d3b424f7a30622377a10130da (commit)

- Log -----------------------------------------------------------------
commit 0e2f4879fec7931d3b424f7a30622377a10130da
Author: Brett Smith <brett at bestpractical.com>
Date:   Thu Jan 13 11:04:56 2022 -0500

    Document how to use capath and cafile with LDAP
    
    Using capath will be easier for most administrators whose certificates
    are signed by a public authority. Document how to do so.

diff --git a/lib/RT/Authen/ExternalAuth/LDAP.pm b/lib/RT/Authen/ExternalAuth/LDAP.pm
index 148d0eab7f..8c00edb954 100644
--- a/lib/RT/Authen/ExternalAuth/LDAP.pm
+++ b/lib/RT/Authen/ExternalAuth/LDAP.pm
@@ -178,11 +178,31 @@ group_attr above? Optional; defaults to C<dn>.
 Should we try to use TLS to encrypt connections?  Either a scalar, for
 simple enabling, or a hash of values to pass to L<Net::LDAP/start_tls>.
 By default, L<Net::LDAP> does B<no> certificate validation!  To validate
-certificates, pass:
+certificates, you must pass a hash with the C<verify> option set, along
+with either C<capath> or C<cafile>.
 
-    tls => { verify => 'require',
-             cafile => "/etc/ssl/certs/ca.pem",  # Path CA file
-           },
+C<capath> is a directory that contains certificates named using the hash
+value of the certificates' subject names. On Debian-based distributions, the
+L<C<ca-certificates> package manages a directory
+C</etc/ssl/certs>|https://sources.debian.org/src/ca-certificates/latest/debian/README.Debian/>
+suitable for this purpose. You can validate against public certificate
+authorities by passing:
+
+    tls => { verify => 'require', capath => "/etc/ssl/certs" },
+
+On Red Hat-based distributions, the L<C<ca-certificates> package manages a
+directory
+C</etc/pki/tls/certs>|https://www.redhat.com/sysadmin/ca-certificates-cli>
+suitable for this purpose. You can validate against public certificate
+authorities by passing:
+
+    tls => { verify => 'require', capath => "/etc/pki/tls/certs" },
+
+If you don't have this directory set up, or if you want to validate the
+LDAP server certificate against a specific certificate authority, you can
+pass the path to one public certificate in the C<cafile> option:
+
+    tls => { verify => 'require', cafile => "/etc/YourCACertPath.pem" },
 
 =item net_ldap_args
 
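Review bot: The new paragraph at the top of the hunk says a hash "with the C<verify> option set" is required, but only the examples show which value that is; since all three added examples use `verify => 'require'`, the prose should state that value explicitly so a reader does not copy the hash shape with a weaker setting. Separately, the Debian and Red Hat paragraphs are identical apart from the path and link and could be collapsed into one list of per-distribution directories; the `L<...|url>` link text in each currently spans two lines and wraps the whole clause ("package manages a directory ... C</etc/ssl/certs>"), which renders as one long hyperlink, so keep the link text to the path alone.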

commit c3c9287ac7513cdb207472172d69bf94f72d891c
Author: Brett Smith <brett at bestpractical.com>
Date:   Thu Jan 13 11:02:58 2022 -0500

    Fix tls example in ExternalAuth LDAP docs
    
    Net::LDAP can use either capath, which is a *directory* of certs, or
    cafile, which is a single certificate. This example is pointing to a
    single file, so update the key name to match.

diff --git a/lib/RT/Authen/ExternalAuth/LDAP.pm b/lib/RT/Authen/ExternalAuth/LDAP.pm
index f928ba9b8f..148d0eab7f 100644
--- a/lib/RT/Authen/ExternalAuth/LDAP.pm
+++ b/lib/RT/Authen/ExternalAuth/LDAP.pm
@@ -81,7 +81,7 @@ Provides the LDAP implementation for L<RT::Authen::ExternalAuth>.
             'group'                     =>  'GROUP_NAME',
             'group_attr'                =>  'GROUP_ATTR',
 
-            'tls'                       =>  { verify => "require", capath => "/path/to/ca.pem" },
+            'tls'                       =>  { verify => "require", cafile => "/path/to/ca.pem" },
 
             'net_ldap_args'             => [    version =>  3   ],
 
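Review bot: The rename on the `+` line is consistent with the commit message (capath names a directory, cafile a single file), so the configuration example now agrees with the `tls => { verify => 'require', cafile => ... }` form documented under =item tls. Because this block is what most administrators copy, a short trailing comment on the line, e.g. `# single CA file; use capath for a hashed directory`, would make the key/value pairing harder to get wrong again.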

-----------------------------------------------------------------------


hooks/post-receive
-- 
rt