LDAP does not support StartTLS
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Compute (nova) |
Won't Fix
|
Wishlist
|
Unassigned | ||
Bug Description
I'm trying to use a single LDAP server for two regions with all of the LDAP traffic between the regions encrypted.
I've setup LDAP with TLS/SSL on ServerA. I've added all of the necessary Users/Groups/System stuff for nova. I know it's working because I have an LDAP client that I connect to ServerA with the parameters:
Hostname: ServerA
Port: 389
Encryption method: Use StartTLS Extension
When I login everything works fine.
However, when I change my nova.conf flags like the following:
--auth_
--ldap_
--ldap_
--ldap_
and try to run "nova-manage user admin admin-user" I get the error,
SERVER_DOWN: {'info': 'A TLS packet with unexpected length was received.', 'desc': "Can't contact LDAP server"}
I know that ldaps does *not* work with TLS/SSL but it's the closest I could get to making nova use the StartTLS Extension. I looked through the flags in ldapdriver.py and didn't see anything for it or any reference to TLS or SSL. I do see that ldapobject.py in python-ldap does support it.
I've attached a script to show how it works in python-ldap.
| Everett Toews (everett-toews) wrote | #1 |
| Changed in nova: | |
| importance: | Undecided → Wishlist |
| status: | New → Confirmed |
| Everett Toews (everett-toews) wrote | #2 |
| bastichelaar (bas-t) wrote | #3 |
| Everett Toews (everett-toews) wrote | #4 |
| Thierry Carrez (ttx) wrote | #5 |
| Changed in nova: | |
| status: | Confirmed → Won't Fix |
Removed line setting OPT_X_TLS_