Enabling TLS on LDAP/Active Directory#

To enable a secure Transport Layer Security (TLS) connection on LDAP/Active Directory, add the following to the LDAP configuration section of the file $PREFIX/etc/anaconda-server/config.yaml, replacing /path/to/certfile with the actual path to the certfile:

LDAP:
  ...  # Rest of the LDAP config
  START_TLS: true
  OPTIONS:
    OPT_PROTOCOL_VERSION: 3
    OPT_X_TLS_DEMAND: true
    OPT_X_TLS_REQUIRE_CERT: 'OPT_X_TLS_NEVER'
    OPT_X_TLS_CACERTFILE: '/path/to/certfile'

NOTE: START_TLS is not compatible with LDAPS. When using START_TLS, the URI value in the LDAP configuration section must start with ldap://. With START_TLS, the connection starts as a regular (unencrypted) LDAP connection and is upgraded to TLS after the connection has been established.

If you’re using self-signed certificates, you’ll need to add OPT_X_TLS_NEWCTX as the last entry of the OPTIONS field of the LDAP options:

LDAP:
  ...  # Rest of the LDAP config
  START_TLS: true
  OPTIONS:
    OPT_PROTOCOL_VERSION: 3
    OPT_X_TLS_DEMAND: true
    OPT_X_TLS_REQUIRE_CERT: 'OPT_X_TLS_NEVER'
    OPT_X_TLS_CACERTFILE: '/path/to/certfile'
    OPT_X_TLS_NEWCTX: 0

Using LDAP and TLS configuration options#

URI#

Start by setting URI to point to your server. The value of this setting can be anything that your LDAP library supports. For instance, openldap may allow you to give a comma- or space-separated list of URI values to try in sequence.

BIND_DN#

The distinguished name to use when binding to the LDAP server with BIND_AUTH. Use the empty string—the default—for an anonymous bind.

BIND_AUTH#

The password to use with BIND_DN.

ENABLE_GROUPS#

This attribute enables LDAP group synchronization, so that group membership is synchronized from the LDAP directory. Defaults to false.

EXAMPLE:

ENABLE_GROUPS: true

GROUP_MEMBERS_ATTR#

The LDAP attribute on a group object that indicates the users that are members of the group. Defaults to member.

EXAMPLE:

GROUP_MEMBERS_ATTR: 'member'

NOTE: Anaconda Enterprise 4 Repository assumes that the groups’ objectClass is groupOfNames (or a compatible schema).

REFRESH_INTERVAL#

The number of seconds that group membership information from LDAP is used before being fetched from the directory server again. Defaults to 3600, which is 1 hour.

EXAMPLE:

REFRESH_INTERVAL: 600

KEY_MAP#

This is a dict mapping application field names to LDAP attribute names. The application expects user data to use consistent field names, but not all LDAP setups use the same attribute names, so each entry has the form:

'application_key': 'ldap_key'

EXAMPLE:

KEY_MAP: {'name': 'cn', 'company': 'o', 'email': 'mail'}

START_TLS#

If true, each connection to the LDAP server calls start_tls_s() to enable TLS encryption over the standard LDAP port. There are a number of configuration options that can be given to OPTIONS that affect the TLS connection. For example, OPT_X_TLS_REQUIRE_CERT can be set to OPT_X_TLS_NEVER to disable certificate verification, perhaps to allow self-signed certificates.

OPTIONS#

This stores LDAP-specific options that are applied to each connection.

EXAMPLE:

LDAP:
    OPTIONS:
        OPT_PROTOCOL_VERSION: 3
        OPT_X_TLS_REQUIRE_CERT: 'OPT_X_TLS_NEVER'

TLS—secure LDAP#

To enable a secure TLS connection you must set START_TLS to true. There are a number of configuration options for OPTIONS that affect the TLS connection.

EXAMPLE: OPT_X_TLS_REQUIRE_CERT set to OPT_X_TLS_NEVER disables certificate verification, perhaps to allow self-signed certificates:

LDAP:
    START_TLS: true
    OPTIONS:
        OPT_PROTOCOL_VERSION: 3
        OPT_X_TLS_DEMAND: true
        OPT_X_TLS_REQUIRE_CERT: 'OPT_X_TLS_NEVER'
        OPT_X_TLS_CACERTFILE: '/path/to/certfile'
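The following is an added example, not part of the Anaconda Enterprise documentation: a small Python check that applies the rules stated on this page (START_TLS only with an ldap:// URI, OPT_X_TLS_NEWCTX as the last OPTIONS entry, and OPT_X_TLS_NEVER disabling certificate verification) to an already-parsed LDAP section. The configuration dicts, the URI values and the function name check_ldap_tls are this example's own assumptions.

```python
# Added example: lint the LDAP section of config.yaml against the rules
# described on this page. Assumes the YAML has already been loaded into a
# dict (e.g. with yaml.safe_load); insertion order of OPTIONS is preserved.


def check_ldap_tls(ldap_cfg: dict) -> list:
    """Return a list of findings (empty when the section looks sound)."""
    findings = []
    uri = str(ldap_cfg.get("URI", ""))
    start_tls = ldap_cfg.get("START_TLS", False)
    opts = ldap_cfg.get("OPTIONS") or {}

    # "START_TLS: true," (stray comma) is read by YAML as a string, not a bool.
    if isinstance(start_tls, str):
        findings.append(f"START_TLS is the string {start_tls!r}, not a boolean")
        start_tls = start_tls.rstrip(",").strip().lower() == "true"

    # START_TLS upgrades a plain ldap:// connection; it cannot be combined with ldaps://.
    if start_tls and not uri.lower().startswith("ldap://"):
        findings.append("START_TLS requires a URI starting with ldap:// (not ldaps://)")
    if not start_tls and not uri.lower().startswith("ldaps://"):
        findings.append("no START_TLS and no ldaps:// URI: BIND_AUTH is sent in clear text")

    # OPT_X_TLS_NEVER turns off server certificate verification entirely,
    # so OPT_X_TLS_CACERTFILE is no longer checked against the presented chain.
    if opts.get("OPT_X_TLS_REQUIRE_CERT") == "OPT_X_TLS_NEVER":
        findings.append("OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_NEVER disables certificate verification")

    # OPT_X_TLS_NEWCTX must come last so the TLS options above it take effect.
    if "OPT_X_TLS_NEWCTX" in opts and list(opts)[-1] != "OPT_X_TLS_NEWCTX":
        findings.append("OPT_X_TLS_NEWCTX must be the last entry of OPTIONS")
    return findings


# Constructed sample: the page's self-signed example plus a hypothetical URI.
SELF_SIGNED_CFG = {
    "URI": "ldap://ldap.example.com",
    "START_TLS": True,
    "OPTIONS": {
        "OPT_PROTOCOL_VERSION": 3,
        "OPT_X_TLS_DEMAND": True,
        "OPT_X_TLS_REQUIRE_CERT": "OPT_X_TLS_NEVER",
        "OPT_X_TLS_CACERTFILE": "/path/to/certfile",
        "OPT_X_TLS_NEWCTX": 0,
    },
}
# Constructed sample: ldaps:// mixed with START_TLS, a stray comma, NEWCTX not last.
MISCONFIGURED_CFG = {
    "URI": "ldaps://ldap.example.com",
    "START_TLS": "true,",
    "OPTIONS": {"OPT_X_TLS_NEWCTX": 0, "OPT_X_TLS_REQUIRE_CERT": "OPT_X_TLS_DEMAND"},
}
```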