Enabling TLS on LDAP/Active Directory

To enable a secure Transport Layer Security (TLS) connection on LDAP/Active Directory, add the following to the LDAP configuration section of the file $PREFIX/etc/anaconda-server/config.yaml, replacing /path/to/certfile with the actual path to the certificate file:

LDAP:
  ...  # Rest of the LDAP config
  START_TLS: true
  OPTIONS:
    OPT_PROTOCOL_VERSION: 3
    OPT_X_TLS_DEMAND: true
    OPT_X_TLS_REQUIRE_CERT: 'OPT_X_TLS_NEVER'
    OPT_X_TLS_CACERTFILE: '/path/to/certfile'

NOTE: START_TLS is not compatible with LDAPS. When using START_TLS, the URI value in the LDAP configuration section must start with ldap://. With START_TLS, the connection starts as a regular (unencrypted) LDAP connection and is upgraded to TLS after the connection has been established.

If you’re using self-signed certificates, you’ll need to add OPT_X_TLS_NEWCTX as the last entry of the OPTIONS field of the LDAP options:

LDAP:
  ...  # Rest of the LDAP config
  START_TLS: true
  OPTIONS:
    OPT_PROTOCOL_VERSION: 3
    OPT_X_TLS_DEMAND: true
    OPT_X_TLS_REQUIRE_CERT: 'OPT_X_TLS_NEVER'
    OPT_X_TLS_CACERTFILE: '/path/to/certfile'
    OPT_X_TLS_NEWCTX: 0

Using LDAP and TLS configuration options

URI

Start by setting URI to point to your server. The value of this setting can be anything that your LDAP library supports. For instance, openldap may allow you to give a comma- or space-separated list of URI values to try in sequence.

BIND_DN

The distinguished name to use when binding to the LDAP server with BIND_AUTH. Use the empty string—the default—for an anonymous bind.

BIND_AUTH

The password to use with BIND_DN.

ENABLE_GROUPS

This attribute enables LDAP group synchronization, allowing users to synchronize group membership with an LDAP directory. Defaults to false.

EXAMPLE:

ENABLE_GROUPS: true

GROUP_MEMBERS_ATTR

The LDAP attribute on a group object that indicates the users that are members of the group. Defaults to member.

EXAMPLE:

GROUP_MEMBERS_ATTR: 'member'

NOTE: Anaconda Repository assumes that the groups’ objectClass is groupOfNames (or a compatible schema).

REFRESH_INTERVAL

The number of seconds that group membership information from LDAP is used before being fetched from the directory server again. Defaults to 3600, which is 1 hour.

EXAMPLE:

REFRESH_INTERVAL: 600
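
The following is an added example, not part of this documentation or of the Anaconda Repository code base, showing how ENABLE_GROUPS, GROUP_MEMBERS_ATTR and REFRESH_INTERVAL fit together: group membership is read from groupOfNames entries through the member attribute, cached, and fetched again only after the interval has elapsed. The group entries, the fetch callable and the GroupCache class are constructed assumptions; in a deployment the fetch would be a python-ldap search against the directory.

```python
import time

# Constructed groupOfNames entries in the shape python-ldap returns from a
# search: a list of (dn, {attribute: [bytes, ...]}) tuples. Not real data.
SAMPLE_GROUPS = [
    ("cn=devs,ou=groups,dc=example,dc=com",
     {"objectClass": [b"groupOfNames"], "cn": [b"devs"],
      "member": [b"uid=alice,ou=people,dc=example,dc=com",
                 b"uid=bob,ou=people,dc=example,dc=com"]}),
    ("cn=ops,ou=groups,dc=example,dc=com",
     {"objectClass": [b"groupOfNames"], "cn": [b"ops"],
      "member": [b"uid=bob,ou=people,dc=example,dc=com"]}),
]


class GroupCache:
    """Resolves a user's groups from a cached snapshot of the directory's group
    entries and refetches the snapshot only once refresh_interval seconds have
    passed. `fetch` stands in for the LDAP search; `clock` is injectable so the
    refresh behaviour can be exercised without waiting."""

    def __init__(self, fetch, enable_groups=True, members_attr="member",
                 refresh_interval=3600, clock=time.monotonic):
        self.fetch = fetch
        self.enable_groups = enable_groups        # ENABLE_GROUPS
        self.members_attr = members_attr          # GROUP_MEMBERS_ATTR
        self.refresh_interval = refresh_interval  # REFRESH_INTERVAL (seconds)
        self.clock = clock
        self._membership = None   # lowercased user DN -> set of group names
        self._fetched_at = None
        self.fetch_count = 0      # how many times the directory was queried

    def _build(self, entries):
        membership = {}
        for _dn, attrs in entries:
            # The page assumes groupOfNames (or a compatible schema); skip others.
            if b"groupOfNames" not in attrs.get("objectClass", []):
                continue
            group = attrs["cn"][0].decode("utf-8")
            for member in attrs.get(self.members_attr, []):
                # Member values are DNs; they are matched case-insensitively here,
                # a simplification of full DN normalization.
                key = member.decode("utf-8").lower()
                membership.setdefault(key, set()).add(group)
        return membership

    def groups_for(self, user_dn):
        """Return the sorted group names for user_dn, refreshing the cache
        when it is missing or older than refresh_interval seconds."""
        if not self.enable_groups:
            return []
        now = self.clock()
        stale = (self._membership is None
                 or now - self._fetched_at >= self.refresh_interval)
        if stale:
            self._membership = self._build(self.fetch())
            self._fetched_at = now
            self.fetch_count += 1
        return sorted(self._membership.get(user_dn.lower(), ()))


if __name__ == "__main__":
    cache = GroupCache(lambda: SAMPLE_GROUPS, refresh_interval=600)
    print(cache.groups_for("uid=bob,ou=people,dc=example,dc=com"))  # ['devs', 'ops']
```

With REFRESH_INTERVAL set to 600 as in the example above, a user removed from a group in the directory keeps that membership in the application for up to ten minutes; the interval is a trade-off between directory load and how quickly revocations take effect.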

KEY_MAP

This is a dict mapping the application's field names to LDAP attribute names. The application expects user data to be consistent, but not all LDAP setups use the same attribute names, so each entry takes the form:

'application_key': 'ldap_key'

EXAMPLE:

KEY_MAP: {'name': 'cn', 'company': 'o', 'email': 'mail'}
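
As an added example (not code from this page or from the product), the function below shows what KEY_MAP buys you: the same consumer code builds the application's user record from an OpenLDAP-style entry and from an Active Directory-style entry by swapping the map. The two entries, the AD key map and the map_entry function are constructed for illustration; the attribute values are lists of bytes, which is how python-ldap returns them.

```python
# Constructed entries in the shape python-ldap returns: attribute -> list of
# bytes values. Neither is real directory data.
OPENLDAP_ENTRY = {
    "uid": [b"alice"],
    "cn": [b"Alice Example"],
    "o": [b"Example Corp"],
    "mail": [b"alice@example.com", b"a.example@example.com"],
}
AD_ENTRY = {
    "sAMAccountName": [b"alice"],
    "displayName": [b"Alice Example"],
    "company": [b"Example Corp"],
    "mail": [b"alice@example.com"],
}

# The page's KEY_MAP, and a second (assumed) map for the AD-style entry above.
OPENLDAP_KEY_MAP = {"name": "cn", "company": "o", "email": "mail"}
AD_KEY_MAP = {"name": "displayName", "company": "company", "email": "mail"}


def map_entry(key_map, entry, required=("name", "email")):
    """Build the application's user record from an LDAP entry via key_map.

    Returns (record, missing): `record` holds one decoded string per
    application key (the first value of a multi-valued attribute), and
    `missing` lists required application keys whose LDAP attribute is absent
    or empty, so a mis-configured map is reported instead of silently
    producing a user with no name or e-mail."""
    record, missing = {}, []
    for app_key, ldap_attr in key_map.items():
        values = entry.get(ldap_attr) or []
        if not values:
            if app_key in required:
                missing.append(app_key)
            continue
        record[app_key] = values[0].decode("utf-8")
    return record, missing


if __name__ == "__main__":
    print(map_entry(OPENLDAP_KEY_MAP, OPENLDAP_ENTRY))
    print(map_entry(AD_KEY_MAP, AD_ENTRY))
    print(map_entry(OPENLDAP_KEY_MAP, AD_ENTRY))  # wrong map: 'name' is missing
```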

START_TLS

If true, each connection to the LDAP server calls start_tls_s() to enable TLS encryption over the standard LDAP port. There are a number of configuration options that can be given to OPTIONS that affect the TLS connection. For example, OPT_X_TLS_REQUIRE_CERT can be set to OPT_X_TLS_NEVER to disable certificate verification, perhaps to allow self-signed certificates.

OPTIONS

This stores LDAP specific options.

EXAMPLE:

LDAP:
    OPTIONS:
        OPT_PROTOCOL_VERSION: 3
        OPT_X_TLS_REQUIRE_CERT: 'OPT_X_TLS_NEVER'

TLS—secure LDAP

To enable a secure TLS connection you must set START_TLS to true. There are a number of configuration options for OPTIONS that affect the TLS connection.

EXAMPLE: OPT_X_TLS_REQUIRE_CERT set to OPT_X_TLS_NEVER disables certificate verification, perhaps to allow self-signed certificates:

LDAP:
    START_TLS: true
    OPTIONS:
        OPT_PROTOCOL_VERSION: 3
        OPT_X_TLS_DEMAND: true
        OPT_X_TLS_REQUIRE_CERT: 'OPT_X_TLS_NEVER'
        OPT_X_TLS_CACERTFILE: '/path/to/certfile'
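
The following added example serves both this section and the "Enabling TLS" section at the top of the page; it is not the product's own code. It checks an LDAP section for the constraints the page states (START_TLS needs ldap:// URIs and is incompatible with LDAPS; OPT_X_TLS_NEWCTX must be the last OPTIONS entry; START_TLS must be a real YAML boolean) and lists the options in the order they would be handed to python-ldap's set_option() before start_tls_s(). It also warns when OPT_X_TLS_REQUIRE_CERT is OPT_X_TLS_NEVER, since that turns off verification of the server certificate, so the OPT_X_TLS_CACERTFILE set beside it is not used to authenticate the server. The config dict, check_ldap_tls and ordered_options are constructed here; loading from config.yaml with PyYAML is assumed but not required to run it.

```python
from urllib.parse import urlsplit

# Constructed LDAP section mirroring the config.yaml examples on this page.
# In a deployment it would come from PyYAML, e.g.
# yaml.safe_load(open(path))["LDAP"], which keeps the file order of OPTIONS.
SAMPLE_LDAP_CONFIG = {
    "URI": "ldap://ldap.example.com",
    "START_TLS": True,
    "OPTIONS": {
        "OPT_PROTOCOL_VERSION": 3,
        "OPT_X_TLS_DEMAND": True,
        "OPT_X_TLS_REQUIRE_CERT": "OPT_X_TLS_NEVER",
        "OPT_X_TLS_CACERTFILE": "/path/to/certfile",
        "OPT_X_TLS_NEWCTX": 0,
    },
}


def check_ldap_tls(cfg):
    """Return (problems, warnings) for an LDAP config section.

    Problems are settings that will not work as written; warnings are settings
    that work but weaken transport security."""
    problems, warnings = [], []
    start_tls = cfg.get("START_TLS", False)
    options = cfg.get("OPTIONS") or {}

    # A trailing comma ("START_TLS: true,") makes YAML read the value as the
    # string "true," rather than the boolean true.
    if not isinstance(start_tls, bool):
        problems.append("START_TLS must be the YAML boolean true/false, got %r"
                        % (start_tls,))
        start_tls = False

    # URI may be a comma- or space-separated list of servers tried in turn.
    uris = cfg.get("URI", "").replace(",", " ").split()
    schemes = {urlsplit(u).scheme.lower() for u in uris}
    if not uris:
        problems.append("URI is not set")
    if start_tls and "ldaps" in schemes:
        problems.append("START_TLS is not compatible with LDAPS; "
                        "use ldap:// URIs with START_TLS")
    elif start_tls and (schemes - {"ldap"}):
        problems.append("with START_TLS every URI must start with ldap://")

    # OPT_X_TLS_NEWCTX applies the TLS settings made before it, so it has to
    # be the last OPTIONS entry (as the page requires for self-signed certs).
    names = list(options)
    if "OPT_X_TLS_NEWCTX" in names and names[-1] != "OPT_X_TLS_NEWCTX":
        problems.append("OPT_X_TLS_NEWCTX must be the last entry of OPTIONS")

    require_cert = options.get("OPT_X_TLS_REQUIRE_CERT")
    if require_cert == "OPT_X_TLS_NEVER":
        warnings.append("OPT_X_TLS_REQUIRE_CERT is OPT_X_TLS_NEVER: the server "
                        "certificate is not verified, so OPT_X_TLS_CACERTFILE is "
                        "not used to authenticate the server")
    elif "OPT_X_TLS_CACERTFILE" not in options and (start_tls or "ldaps" in schemes):
        warnings.append("no OPT_X_TLS_CACERTFILE set: the CA used to verify the "
                        "server is not specified in this config")
    return problems, warnings


def ordered_options(options):
    """Translate OPTIONS into (name, option, value) triples to pass, in config
    order, to python-ldap's conn.set_option() before conn.start_tls_s().

    Symbolic names resolve to ldap module constants when python-ldap is
    installed; otherwise they are kept as strings so this runs offline."""
    try:
        import ldap  # python-ldap; optional for this example
    except ImportError:
        ldap = None
    triples = []
    for name, value in options.items():
        option = getattr(ldap, name) if ldap is not None else name
        if ldap is not None and isinstance(value, str) and value.startswith("OPT_"):
            value = getattr(ldap, value)   # e.g. 'OPT_X_TLS_NEVER' -> ldap.OPT_X_TLS_NEVER
        triples.append((name, option, value))
    return triples


if __name__ == "__main__":
    problems, warnings = check_ldap_tls(SAMPLE_LDAP_CONFIG)
    for line in problems:
        print("PROBLEM:", line)
    for line in warnings:
        print("WARNING:", line)
    for name, _option, value in ordered_options(SAMPLE_LDAP_CONFIG["OPTIONS"]):
        print("set_option", name, value)
```

Run against the page's own example, the checker reports no problems and one warning, the one about OPT_X_TLS_NEVER; replacing that value with OPT_X_TLS_DEMAND and keeping OPT_X_TLS_CACERTFILE pointed at the CA that issued the directory server's certificate is the configuration in which the certificate file actually authenticates the server.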