
LDAP ports hardcoded #276

Open
stoeps13 opened this issue May 10, 2023 · 1 comment

Comments

@stoeps13
Contributor

Hi,
I tried to install a system with an already installed LDAP server (Domino, Active Directory) on 389 only and then 636 only.

The TDI installation uses a Jinja2 template for profiles_tdi.properties which has no option for LDAPS.

Here it needs 3 steps:

  1. Change port to a variable
  2. Option for SSL true or false to set
  3. Import LDAPS root cert into a jks file, which is referenced in solution.properties

LDAP without SSL is not possible in production environments.

WAS ND deployment makes it weird.

The LDAP server is added without SSL and port 389 here:

AdminTask.addIdMgrLDAPServer('[-id {{ __ldap_repo }} -host {{ __ldap_server }} -bindDN {{ __ldap_bind_user }} -bindPassword {{ __ldap_bind_pass }} -referal ignore -sslEnabled false -ldapServerType CUSTOM -sslConfiguration -certificateMapMode exactdn -certificateFilter -authentication simple -port 389]')

But here

AdminTask.retrieveSignerFromPort('[-keyStoreName CellDefaultTrustStore -keyStoreScope (cell):'+cellID+' -host {{ __ldap_server }} -port 636 -certificateAlias {{ __ldap_alias }} -sslConfigName CellDefaultSSLSettings -sslConfigScopeName (cell):'+cellID+' ]')
the LDAPS root certificate is imported.

So, same as in TDI, I would recommend using 636 only (or with variable). The import of the TLS cert should only happen when port 636 or ldap_tls_enable=true is set.

You see, the setup is only possible if both protocols are enabled, but then only the unencrypted connection is used.
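As an added illustration (not code from the project's templates), the following Python derives the bind port, the `sslEnabled` flag and the signer import from a single `ldap_tls_enable` setting instead of hardcoding 389 and 636 separately, and includes a check that flags the mismatch described above. Variable names such as `ldap_tls_enable`, `ldap_port` and `cell_id`, and the sample values, are assumptions for the example.

```python
import re

# Constructed example: one TLS switch drives the port, the sslEnabled flag and
# whether the signer certificate is fetched at all.
LDAP_PORT, LDAPS_PORT = 389, 636


def render_ldap_commands(cfg):
    """Return the wsadmin (Jython) commands for one LDAP repository.

    Assumed cfg keys: ldap_repo, ldap_server, ldap_bind_user, ldap_bind_pass,
    ldap_alias, cell_id, ldap_tls_enable (bool), optional ldap_port override.
    """
    tls = bool(cfg.get("ldap_tls_enable", True))  # default to LDAPS
    port = cfg.get("ldap_port") or (LDAPS_PORT if tls else LDAP_PORT)
    ssl_flag = "true" if tls else "false"
    cmds = [
        "AdminTask.addIdMgrLDAPServer('[-id %s -host %s -bindDN %s "
        "-bindPassword %s -referal ignore -sslEnabled %s -ldapServerType CUSTOM "
        "-sslConfiguration -certificateMapMode exactdn -certificateFilter "
        "-authentication simple -port %d]')"
        % (cfg["ldap_repo"], cfg["ldap_server"], cfg["ldap_bind_user"],
           cfg["ldap_bind_pass"], ssl_flag, port)
    ]
    if tls:  # only import a signer when the bind really uses TLS, from the same port
        cmds.append(
            "AdminTask.retrieveSignerFromPort('[-keyStoreName CellDefaultTrustStore "
            "-keyStoreScope (cell):%s -host %s -port %d -certificateAlias %s "
            "-sslConfigName CellDefaultSSLSettings -sslConfigScopeName (cell):%s ]')"
            % (cfg["cell_id"], cfg["ldap_server"], port, cfg["ldap_alias"], cfg["cell_id"])
        )
    return cmds


def check_ldap_commands(cmds):
    """Return findings for a plaintext bind and for a signer fetched from a
    different port than the one the repository is bound to."""
    text = " ".join(cmds)
    ssl = re.search(r"-sslEnabled (true|false)", text)
    bind_port = re.search(r"addIdMgrLDAPServer.*?-port (\d+)", text)
    signer_port = re.search(r"retrieveSignerFromPort.*?-port (\d+)", text)
    findings = []
    if ssl and ssl.group(1) == "false":
        findings.append("LDAP bind without TLS (sslEnabled false)")
        if signer_port:
            findings.append("signer imported from port %s but bind is plaintext" % signer_port.group(1))
    if bind_port and signer_port and bind_port.group(1) != signer_port.group(1):
        findings.append("bind port %s differs from signer port %s"
                        % (bind_port.group(1), signer_port.group(1)))
    return findings
```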

@nitinjagjivan
Collaborator

Thank you for reporting it, internal issue ticket created to investigate.
