Bug 57098 - make StartTLS configurable in univention.uldap
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-6-errata
Assigned To: Maximilian Janßen
QA Contact: Florian Best
https://git.knut.univention.de/univen...
Reported: 2024-02-29 14:10 CET by Maximilian Janßen
Modified: 2024-03-07 13:07 CET
What kind of report is it?: Feature Request
Description Maximilian Janßen univentionstaff 2024-02-29 14:10:25 CET
Currently univention.uldap forces connections to be encrypted via StartTLS.
It should be possible to disable this via a UCR variable for environments which don't require it, e.g. in Kubernetes.
Comment 1 Maximilian Janßen univentionstaff 2024-03-05 09:04:24 CET
added ucr variable directory/manager/starttls to set the starttls mode (0=off, 1=optional, 2=on; default=2)

4f88b167c7dca6e52fb3b1974dd82e4a2d95ab08 | feat(uldap): make StartTLS UCR configurable
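
An added illustration (not univention.uldap code and not part of the comments in this report) of what the three directory/manager/starttls values from comment 1 mean for a client. It assumes "optional" means "try StartTLS and continue unencrypted on failure"; parse_starttls_mode, negotiate_starttls, FakeConn and audit are hypothetical names, and a dict stands in for UCR.

```python
# Added illustration; names below are hypothetical, not univention.uldap code.
OFF, OPTIONAL, REQUIRED = 0, 1, 2   # values of directory/manager/starttls (comment 1)
DEFAULT_MODE = REQUIRED             # default=2 (comment 1)


def parse_starttls_mode(ucr):
    """Read the mode from a dict standing in for UCR. Unset or invalid
    values fall back to the default (a fail-closed choice made here)."""
    raw = ucr.get("directory/manager/starttls")
    try:
        mode = int(raw)
    except (TypeError, ValueError):
        return DEFAULT_MODE
    return mode if mode in (OFF, OPTIONAL, REQUIRED) else DEFAULT_MODE


def negotiate_starttls(conn, mode):
    """Apply the mode to a connection exposing start_tls_s() (the python-ldap
    method name). Returns True if the session is now encrypted."""
    if mode == OFF:
        return False                      # plaintext by configuration
    try:
        conn.start_tls_s()
        return True
    except Exception:
        if mode == REQUIRED:
            raise                         # fail closed: never bind over plaintext
        return False                      # OPTIONAL (assumed): plaintext fallback


class FakeConn:
    """Constructed stand-in for an LDAP connection, so this runs offline."""
    def __init__(self, tls_works):
        self.tls_works = tls_works
        self.calls = 0

    def start_tls_s(self):
        self.calls += 1
        if not self.tls_works:
            raise ConnectionError("StartTLS refused (constructed failure)")


def audit(ucr, tls_works):
    """Return (mode, encrypted) for one scenario, or (mode, 'refused')."""
    mode = parse_starttls_mode(ucr)
    try:
        return mode, negotiate_starttls(FakeConn(tls_works), mode)
    except ConnectionError:
        return mode, "refused"
```

Under that assumption, mode 1 is the setting to review: a failed StartTLS leaves a working but unencrypted session unless the caller checks the return value.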
Comment 2 Maximilian Janßen univentionstaff 2024-03-05 15:31:28 CET
removed hard-coded values from …, which causes them to default back to the config value.
* … univention-ad-connector …
* … univention-pkgdb …
* … univention-s4-connector …

there are still hardcoded values present in:
* univention-samba4
* univention-printserver
* univention-directory-reports
* tests

97d5e9318fe85cf40bb98a4e3e92f421a2d06052 | feat(uldap): make StartTLS UCR configurable in more packages
Comment 3 Florian Best univentionstaff 2024-03-05 16:40:26 CET
OK: starttls mode configurable via directory/manager/starttls
OK: advisories
OK: code review

univention-s4-connector.yaml
97d5e9318fe8 | feat(uldap): make StartTLS UCR configurable in more packages

univention-s4-connector (14.0.16-5)
97d5e9318fe8 | feat(uldap): make StartTLS UCR configurable in more packages

univention-python.yaml
4f88b167c7dc | feat(uldap): make StartTLS UCR configurable

univention-python (13.0.5-3)
4f88b167c7dc | feat(uldap): make StartTLS UCR configurable

univention-pkgdb.yaml
97d5e9318fe8 | feat(uldap): make StartTLS UCR configurable in more packages

univention-pkgdb (13.0.5-2)
97d5e9318fe8 | feat(uldap): make StartTLS UCR configurable in more packages

univention-directory-manager-modules.yaml
4f88b167c7dc | feat(uldap): make StartTLS UCR configurable

univention-directory-manager-modules (15.0.25-18)
4f88b167c7dc | feat(uldap): make StartTLS UCR configurable

univention-directory-manager-module-example (9.0.2-2)
97d5e9318fe8 | feat(uldap): make StartTLS UCR configurable in more packages

univention-ad-connector.yaml
97d5e9318fe8 | feat(uldap): make StartTLS UCR configurable in more packages

univention-ad-connector (9.0.11-4)
r57098 | Bug #37450: Make object mapping to return properly cased LDAP base in DNs

univention-ad-connector (14.0.17-4)
97d5e9318fe8 | feat(uldap): make StartTLS UCR configurable in more packages