Bug #9858
Updated by Dominic Cleal about 9 years ago
*This issue is currently embargoed and may not be discussed in public. Keep comments to this ticket or the foreman-security mailing list.* Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1194393 Description of problem: Version-Release number of selected component (if applicable): Red Hat Satellite 6.0.7 Active Directory When making an SSL connection How reproducible: Steps to an Reproduce: 1. Setup up a LDAP authentication Authentication source to Active Directory 2. Create a user in Foreman, AD 3. Login with the remote server certificate is accepted without any verification against known certificate authorities. AD user on satellite 6 webUI This can allow the LDAP connection between Foreman Actual results: Fails with incorrect user and the LDAP server to be attacked, and a different LDAP server could be contacted to authenticate users to Foreman. task is hung at Actions::Pulp::User::Create (error) Actions::Pulp::Superuser::Add (pending) Expected behaviour is that the certificate authority for the results: AD authentication with Satellite 6 should work with LDAP server should be stored and trusted somewhere, e.g. the system trust store (/etc/pki/tls/certs/ca-bundle.crt, or via update-ca-certificates). Affects Foreman 1.3.0 or higher - since Puppet was removed as a dependency, the default SSL behaviour went back to no verification. LDAP+TLS Additional info: