[Rt-commit] rt branch 5.0/ldap-cafile-capath-docs created. rt-5.0.2-57-ga009e95f84
BPS Git Server
git at git.bestpractical.com
Thu Jan 13 16:06:59 UTC 2022
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".
The branch, 5.0/ldap-cafile-capath-docs has been created
at a009e95f843efba2f07066852d3aed274467064f (commit)
- Log -----------------------------------------------------------------
commit a009e95f843efba2f07066852d3aed274467064f
Author: Brett Smith <brett at bestpractical.com>
Date: Thu Jan 13 11:04:56 2022 -0500
Document how to use capath and cafile with LDAP
Using capath will be easier for most administrators whose certificates
are signed by a public authority. Document how to do so.
diff --git a/lib/RT/Authen/ExternalAuth/LDAP.pm b/lib/RT/Authen/ExternalAuth/LDAP.pm
index 148d0eab7f..adc7b4ab94 100644
--- a/lib/RT/Authen/ExternalAuth/LDAP.pm
+++ b/lib/RT/Authen/ExternalAuth/LDAP.pm
@@ -178,11 +178,25 @@ group_attr above? Optional; defaults to C<dn>.
Should we try to use TLS to encrypt connections? Either a scalar, for
simple enabling, or a hash of values to pass to L<Net::LDAP/start_tls>.
By default, L<Net::LDAP> does B<no> certificate validation! To validate
-certificates, pass:
+certificates, you must pass a hash with the C<verify> option set, along
+with either C<capath> or C<cafile>.
- tls => { verify => 'require',
- cafile => "/etc/ssl/certs/ca.pem", # Path CA file
- },
+C<capath> is a directory that contains certificates named using the hash
+value of the certificates' subject names. On Debian-based distributions,
+you can validate against public certificate authorities by passing:
+
+ tls => { verify => 'require', capath => "/etc/ssl/certs" },
+
+On Red Hat-based distributions, you can validate against public certificate
+authorities by passing:
+
+ tls => { verify => 'require', capath => "/etc/pki/tls/certs" },
+
+If you don't have this directory set up, or if you want to validate the
+LDAP server certificate against a specific certificate authority, you can
+pass the path to one public certificate in the C<cafile> option:
+
+ tls => { verify => 'require', cafile => "/etc/YourCACertPath.pem" },
=item net_ldap_args
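Review bot: the new prose says "a hash with the C<verify> option set", but every example in this hunk uses C<verify =E<gt> 'require'> and the text never says that this specific value is what makes validation mandatory. Suggest rewording the first added paragraph to "you must pass a hash with C<verify =E<gt> 'require'>, along with either C<capath> or C<cafile>", so an administrator who copies the pattern with a different C<verify> value does not assume the certificate is still being checked. Smaller point: the removed example carried an inline comment (C<# Path CA file>) explaining the value; the three new one-liners rely on the surrounding paragraphs instead, which is fine as long as the C<cafile> paragraph keeps stating that the value is a single public certificate in PEM form, as the C</etc/YourCACertPath.pem> placeholder implies.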
commit c3c9287ac7513cdb207472172d69bf94f72d891c
Author: Brett Smith <brett at bestpractical.com>
Date: Thu Jan 13 11:02:58 2022 -0500
Fix tls example in ExternalAuth LDAP docs
Net::LDAP can use either capath, which is a *directory* to certs, or
cafile, which is a single certificate. This example is pointing to a
single file, so update the key name to match.
diff --git a/lib/RT/Authen/ExternalAuth/LDAP.pm b/lib/RT/Authen/ExternalAuth/LDAP.pm
index f928ba9b8f..148d0eab7f 100644
--- a/lib/RT/Authen/ExternalAuth/LDAP.pm
+++ b/lib/RT/Authen/ExternalAuth/LDAP.pm
@@ -81,7 +81,7 @@ Provides the LDAP implementation for L<RT::Authen::ExternalAuth>.
'group' => 'GROUP_NAME',
'group_attr' => 'GROUP_ATTR',
- 'tls' => { verify => "require", capath => "/path/to/ca.pem" },
+ 'tls' => { verify => "require", cafile => "/path/to/ca.pem" },
'net_ldap_args' => [ version => 3 ],
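Review bot: the key rename is the right fix; C</path/to/ca.pem> is a single file, which is what C<cafile> expects, whereas the old C<capath> key expects a directory, so the previous synopsis would have sent administrators down a path where validation cannot succeed against the configured value. Since this synopsis line is what most people copy, consider a brief trailing comment (e.g. C<# or capath =E<gt> "/path/to/certs/dir">) pointing at the directory alternative described under the C<tls> item, so the two options are discoverable from the synopsis alone.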
-----------------------------------------------------------------------