LDAP does not support StartTLS
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Won't Fix | Wishlist | Unassigned | 
Bug Description
I'm trying to use a single LDAP server for two regions with all of the LDAP traffic between the regions encrypted.
I've set up LDAP with TLS/SSL on ServerA. I've added all of the necessary Users/Groups/System stuff for nova. I know it's working because I have an LDAP client that I connect to ServerA with the parameters:
Hostname: ServerA
Port: 389
Encryption method: Use StartTLS Extension
When I login everything works fine.
However, when I change my nova.conf flags like the following:
--auth_
--ldap_
--ldap_
--ldap_
and try to run "nova-manage user admin admin-user", I get the error:
SERVER_DOWN: {'info': 'A TLS packet with unexpected length was received.', 'desc': "Can't contact LDAP server"}
I know that ldaps does *not* work with TLS/SSL but it's the closest I could get to making nova use the StartTLS Extension. I looked through the flags in ldapdriver.py and didn't see anything for it or any reference to TLS or SSL. I do see that ldapobject.py in python-ldap does support it.
I've attached a script to show how it works in python-ldap.
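The exchange the report is about, as an added example that is not part of the bug report, its attached script, or nova's ldapdriver.py: a StartTLS client sends a plaintext LDAP ExtendedRequest on port 389 and only begins the TLS handshake after a success response, whereas an ldaps:// client opens with a TLS ClientHello and, against a port that speaks plain LDAP, reads back BER bytes that its TLS library cannot parse as a record, which is consistent with the "TLS packet with unexpected length" error above. The OID and tags come from RFC 4511; the server responses and the TLS header bytes below are constructed.

```python
"""StartTLS over LDAP at the wire level (RFC 4511 section 4.14).
Added example, not from the bug's attached script or nova's ldapdriver.py."""
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation OID

def ber(tag, content):
    """Encode one BER TLV; every message here fits the short-form length (<128)."""
    if len(content) >= 0x80:
        raise ValueError("short-form BER length only")
    return bytes([tag, len(content)]) + content

def ber_int(value):
    """INTEGER (tag 0x02), two's complement, minimal length."""
    return ber(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def start_tls_request(message_id=1):
    """Client: LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    return ber(0x30, ber_int(message_id) + ber(0x77, ber(0x80, START_TLS_OID)))

def start_tls_response(message_id, result_code, diag=b""):
    """Server (constructed): extendedResp [APPLICATION 24] { resultCode, matchedDN, diagnosticMessage }."""
    result = ber(0x0A, bytes([result_code])) + ber(0x04, b"") + ber(0x04, diag)
    return ber(0x30, ber_int(message_id) + ber(0x78, result))

def parse_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the count of length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_extended_response(msg):
    """Decode a server ExtendedResponse into (messageID, resultCode, diagnostic)."""
    tag, body, _ = parse_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage: first byte 0x%02x" % tag)
    _, mid, pos = parse_tlv(body)
    tag, result, _ = parse_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("protocolOp is not extendedResp [APPLICATION 24]")
    _, code, pos = parse_tlv(result)        # resultCode ENUMERATED
    _, _dn, pos = parse_tlv(result, pos)    # matchedDN, empty for StartTLS
    _, diag, _ = parse_tlv(result, pos)     # diagnosticMessage
    return int.from_bytes(mid, "big"), code[0], diag.decode()

def is_tls_record(first_bytes):
    """True if the bytes look like a TLS record header (type 20..23, major version 3);
    a plain-LDAP port answers with BER (first byte 0x30), which is not a TLS record."""
    return len(first_bytes) >= 3 and first_bytes[0] in (20, 21, 22, 23) and first_bytes[1] == 3
```

Only after `parse_extended_response` returns resultCode 0 does a StartTLS client hand the same socket to its TLS library; python-ldap's `start_tls_s()` performs this request and the handshake together.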
Changed in nova:
importance: Undecided → Wishlist
status: New → Confirmed
Removed line setting OPT_X_TLS_CACERTFILE from script. It's unnecessary.