Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New LdapService.authenticate() API + TLS support #384

Merged
merged 7 commits into from
Aug 30, 2024
Merged

New LdapService.authenticate() API + TLS support #384

merged 7 commits into from
Aug 30, 2024

Conversation

lbwexler
Copy link
Member

@lbwexler lbwexler commented Aug 21, 2024
edited
Loading

Authenticate method is provided as support for a Forms based (backup) authentication directly against local AD

Re: TLS secured connection, which is orthogonal

  • Note that TLS is preferred over SSL, which is described as deprecated.
  • This phase enables the encryption with server certificate check. (Latter check can be disabled)

@lbwexler
+ New Authenticate Method on LdapService
87c762a 
+ Use TLS security/encryption in Apache Library
cnrudd
cnrudd reviewed Aug 22, 2024
View reviewed changes
Copy link
Member

@cnrudd cnrudd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like a great idea and a good thing to have to fallback on.

grails-app/services/io/xh/hoist/ldap/LdapService.groovy Outdated
* This method uses the underlying LDAP bind mechanism to verify user password and access.
*
* @param username -- sAMAccountName for user
* @param password -- credentials for user
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just a nit: "credentials" makes me wonder right away that more than one thing is expected.
can the doc say: "user's AD password"

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agree, fixing now

grails-app/services/io/xh/hoist/ldap/LdapService.groovy Outdated
ret.useTls = true
if (config.requireCert == false) {
ret.setTrustManagers(new NoVerificationTrustManager())
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussed with Lee, I will explore using a trust store here.

@amcclain amcclain changed the title LdapService: new authenticate method + TLS support New LdapService.authenticate() API + TLS support Aug 30, 2024
@amcclain
Changelog / comment tweaks
db56fd4
@amcclain
Tweak new config option to skipTlsCertVerification
cf703e6 
+ Wanted a more explicit / clear name for this flag, using term "verification" to match use of `NoVerificationTrustManager`
@amcclain
Changelog note re switch to TLS, new skipTlsCertVerification flag
f05ba4f
@amcclain amcclain merged commit 86beab1 into develop Aug 30, 2024
3 checks passed
@amcclain amcclain deleted the ldapAuth branch August 30, 2024 23:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cnrudd cnrudd cnrudd left review comments

@amcclain amcclain Awaiting requested review from amcclain

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lbwexler @cnrudd @amcclain