Feature #36026
Make Foreman support StartTLS on LDAP connections
Status: open
Description
LDAP with StartTLS should be favoured over LDAPs, but not all agree to this, so Foreman needs to support both.
github.com/katello/ldap_fluff supports both with LDAPs being simple_tls and LDAP with StartTLS being start_tls.
I changed the support for a customer by simply switching the option at https://github.com/theforeman/foreman/blob/develop/app/models/auth_sources/auth_source_ldap.rb#L100, so Foreman works fine using StartTLS.
To implement this in the UI I see two options:
- Have only one checkbox like now, but change the description to TLS and if the port is a standard LDAP port (389 or 3268) use start_tls, if it is an LDAPs port (636 or 3269) use simple_tls. Disadvantage we do not know how to handle custom ports!
- Add another checkbox for StartTLS or better some selection between unencrypted, StartTLS and LDAPs (with StartTLS being the default). Disadvantage is a user more likely mixes things up or we need a more complicated way to provide sane defaults (like now when checking the LDAPs box it switches the port to 636)!
The old issue for this was closed because of inactivity: https://projects.theforeman.org/issues/7016
Switching the implementation silently had to be reverted, as support for both is needed: https://projects.theforeman.org/issues/7003
For the need see the community post: https://community.theforeman.org/t/ldap-auth-failing-for-bind-user/32037
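The following is an added example, not code from Foreman or ldap_fluff, that models the two UI proposals above in plain Ruby: proposal 1 derives the ldap_fluff encryption method (start_tls vs simple_tls) from the port and has to give up on custom ports, while proposal 2 takes an explicit tri-state selection and supplies the port default. The port numbers are the standard ones named in the issue; the keys of the returned options hash, the function names and the mismatch check are assumptions for illustration, not ldap_fluff's actual configuration schema.

```ruby
# Added example, not Foreman or ldap_fluff code. Models the two UI
# proposals from the issue. The option hash keys and function names are
# assumptions, not ldap_fluff's real configuration schema.

LDAP_PORTS  = [389, 3268].freeze   # plain LDAP / Global Catalog
LDAPS_PORTS = [636, 3269].freeze   # LDAP over TLS / Global Catalog over TLS

class AmbiguousPortError < StandardError; end

# Proposal 1: a single "TLS" checkbox; the method is inferred from the port.
# Returns :start_tls for a standard LDAP port, :simple_tls for a standard
# LDAPS port, nil when TLS is off, and raises for a custom port because the
# port alone cannot say whether the server expects StartTLS or LDAPS.
def encryption_from_port(port, tls:)
  return nil unless tls
  return :start_tls  if LDAP_PORTS.include?(port)
  return :simple_tls if LDAPS_PORTS.include?(port)

  raise AmbiguousPortError,
        "port #{port} is not a standard LDAP/LDAPS port; cannot choose StartTLS vs LDAPS"
end

# Proposal 2: explicit choice of :plain, :start_tls or :ldaps, StartTLS being
# the default. When the user leaves the port empty, the default mirrors the
# current "LDAPS checkbox switches the port to 636" behaviour; a custom port
# is simply passed through, so it is no longer ambiguous.
def connection_options(host, mode: :start_tls, port: nil)
  encryption, default_port =
    case mode
    when :plain     then [nil,         389]
    when :start_tls then [:start_tls,  389]
    when :ldaps     then [:simple_tls, 636]
    else raise ArgumentError, "unknown mode #{mode.inspect}"
    end
  { host: host, port: port || default_port, encryption: encryption }
end

# Sanity check a UI with proposal 2 could surface as a warning: StartTLS on
# a standard LDAPS port, or LDAPS on a standard plain-LDAP port, is almost
# certainly a mix-up (the server will expect the opposite handshake).
# Custom ports cannot be judged and return false.
def port_mismatch?(mode, port)
  case mode
  when :start_tls, :plain then LDAPS_PORTS.include?(port)
  when :ldaps             then LDAP_PORTS.include?(port)
  else false
  end
end

if __FILE__ == $PROGRAM_NAME
  p encryption_from_port(389, tls: true)
  p connection_options("ldap.example.com", mode: :ldaps)
  p port_mismatch?(:start_tls, 636)
end
```

The custom-port case is exactly the disadvantage noted for proposal 1: `encryption_from_port(10389, tls: true)` has no correct answer and raises, whereas `connection_options("host", mode: :start_tls, port: 10389)` is unambiguous because the user stated the method.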