This repository has been archived by the owner on Oct 29, 2019. It is now read-only.

LDAP Connector requires cert-file #698

Open
lordfolken opened this issue Nov 15, 2018 · 7 comments
@lordfolken

When configuring an LDAP connection in Velum, the form requires a certificate, despite the "StartTLS" option being off.

As soon as you hit "test connection": Missing form data

@lordfolken
Author

lordfolken commented Nov 15, 2018

Also the text below the StartTLS button is misleading.

"When enabled use StartTLS otherwise TLS will be used"
should be:
"When enabled use StartTLS otherwise SSL will be used"

@lordfolken
Author

It seems the form requires an encrypted connection in any case. The combination
Port: 389
StartTLS: off
Certificate: none

is not valid.

@stefsuse

stefsuse commented Jan 9, 2019

I seem to remember this was resolved in an update, can you confirm @nanoscopic ? Thanks

@nanoscopic
Contributor

TLS is SSL (see https://en.wikipedia.org/wiki/Transport_Layer_Security).
There isn't any meaningful difference between saying it uses TLS or that it uses SSL. In this case, it says it uses TLS because the feature involved is StartTLS. To read more about StartTLS and what it means/does, go here: https://en.wikipedia.org/wiki/Opportunistic_TLS

In the context of this feature, StartTLS being used means that the connection starts unencrypted and then is upgraded to be secure using the provided certificate.

We have intentionally not provided the ability to use a completely unencrypted connection for authentication. It is unwise and unsafe in so many ways to do so.

I could see that the error message "missing form data" is bad and should be refined though, so I will leave this issue open and start a task internally to improve the message.

We have no intent of providing an unencrypted connection for auth purposes, neither now nor in the future. Feel free to fork the project and add the feature if you want. It's open source. :)

@nanoscopic
Contributor

nanoscopic commented Jan 16, 2019

You may also want to take a look at https://www.eff.org/encrypt-the-web
There is a general movement going on globally to encrypt all connections in order to make the internet safer to use for everyone. The same principles apply equally to connections between different services.

This is also true within a company intranet environment as it is possible to poison ARP tables and potentially MITM the connection between a cluster and an authentication LDAP server. This is why it is bad practice to use an unencrypted connection there and we don't support it.

By enforcing that the issuing CA certificate is uploaded we are effectively doing a form of certificate pinning. See https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

When you do encrypt your LDAP server connection, make sure to note that the uploaded certificate is the one for the issuing CA, not the certificate for the LDAP server itself.

If your LDAP server is available at a public hostname/FQDN, and you need to get a certificate for it, you may wish to consider LetsEncrypt. It is free. See https://letsencrypt.org/
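Worked example of the two modes described in this thread and the comment above: LDAPS (TLS from the first byte, conventionally port 636) and StartTLS (plaintext on 389, upgraded with the StartTLS extended operation before any bind is sent), both verifying the server against the uploaded issuing-CA certificate as the only trust anchor, which is the pinning effect described above. The plaintext combination from the original report (389, StartTLS off, no certificate) is refused with a message that says what is missing instead of "Missing form data". This is added example code, not Velum's own connector, and every name in it (LdapTlsConfig, select_mode, build_tls_context, starttls_request, connect_ldap, the host ldap.example.test) is this example's own; it uses only the Python standard library.

```python
import socket
import ssl
from dataclasses import dataclass

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

@dataclass
class LdapTlsConfig:  # example type, not Velum's form model
    host: str
    port: int
    starttls: bool
    ca_cert_pem: "str | None"  # PEM of the issuing CA, not the server's own cert

def select_mode(cfg: LdapTlsConfig) -> str:
    """Return 'starttls' or 'ldaps'; refuse plaintext with a message that says why."""
    if not cfg.ca_cert_pem or not cfg.ca_cert_pem.strip():
        raise ValueError(
            "Issuing CA certificate is required: the LDAP connection is always "
            "encrypted (StartTLS on 389 or LDAPS on 636). Upload the PEM of the CA "
            "that signed the LDAP server's certificate, not the server certificate.")
    return "starttls" if cfg.starttls else "ldaps"

def build_tls_context(ca_cert_pem: str) -> ssl.SSLContext:
    """Trust only the uploaded CA: with cadata given, create_default_context() loads
    no system CAs (and keeps CERT_REQUIRED + hostname checking), so any other CA fails."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cadata=ca_cert_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] (tag 0x77)
    { requestName [0] (tag 0x80) = StartTLS OID } }."""
    assert 0 <= message_id < 0x80, "example keeps messageID to one octet"
    request_name = b"\x80" + _ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    ext_req = b"\x77" + _ber_len(len(request_name)) + request_name
    body = b"\x02\x01" + bytes([message_id]) + ext_req
    return b"\x30" + _ber_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV at buf[pos]: (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length

def starttls_result_code(resp: bytes) -> int:
    """resultCode of the ExtendedResponse ([APPLICATION 24], tag 0x78); 0 = success."""
    pos = 0
    # LDAPMessage SEQUENCE -> messageID (skipped over) -> ExtendedResponse -> resultCode
    for want, descend in ((0x30, True), (0x02, False), (0x78, True), (0x0A, True)):
        tag, start, end = _read_tlv(resp, pos)
        if tag != want:
            raise ValueError("expected tag 0x%02x, got 0x%02x" % (want, tag))
        pos = start if descend else end
    return int.from_bytes(resp[start:end], "big")

def _recv_message(sock: socket.socket) -> bytes:
    buf = b""  # read exactly one LDAPMessage; the server may split it across reads
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection during StartTLS")
        buf += chunk
        try:
            end = _read_tlv(buf, 0)[2]
        except IndexError:  # length octets not fully received yet
            continue
        if len(buf) >= end:
            return buf[:end]

def connect_ldap(cfg: LdapTlsConfig, timeout: float = 5.0) -> ssl.SSLSocket:
    """Nothing (no bind, no search) is sent before TLS has verified the server."""
    mode = select_mode(cfg)
    ctx = build_tls_context(cfg.ca_cert_pem)
    raw = socket.create_connection((cfg.host, cfg.port), timeout=timeout)
    if mode == "starttls":
        raw.sendall(starttls_request())
        code = starttls_result_code(_recv_message(raw))
        if code != 0:
            raw.close()
            raise ConnectionError("server refused StartTLS (resultCode %d)" % code)
    return ctx.wrap_socket(raw, server_hostname=cfg.host)

if __name__ == "__main__":
    # The combination from the report: port 389, StartTLS off, no certificate.
    try:
        select_mode(LdapTlsConfig("ldap.example.test", 389, False, None))
    except ValueError as err:
        print("rejected:", err)
    print("StartTLS request:", starttls_request().hex())
```

Two points worth noting in the design. First, `build_tls_context` passes the uploaded PEM as `cadata`, which makes that CA the whole trust store for the connection; a server certificate chained to any other CA (including one the operating system trusts) fails verification, which is the "form of certificate pinning" described above. Second, in StartTLS mode the only thing that crosses the wire in the clear is the StartTLS extended request and its response; the socket is wrapped before any bind, so credentials never travel unencrypted. `connect_ldap` needs a reachable server and a real CA PEM; the encoder, decoder and mode selection run offline.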

@ukbelch

ukbelch commented Jan 16, 2019

What @nanoscopic said.

TLS is just a modern version of SSL, the latter being essentially deprecated. StartTLS is simply a mechanism that is used to promote an insecure communication channel to a secure one (be it TLS or SSL).

However, in both cases (TLS or StartTLS), the communication is, and should be, encrypted, and the server must be trusted, hence the need to provide a valid root of trust (the CA public certificate).

There is no valid use case where not protecting such critical traffic is advisable.

@MalloZup
Contributor

This GitHub issue/PR has been inactive for a long time. Is this GitHub issue/PR still needed? Please close or update it accordingly.
This reminder is autogenerated by https://github.com/MalloZup/blacktango
