xwikisas / application-activedirectory

Provides the UI to set up LDAP for Active Directory
GNU Lesser General Public License v2.1

When using LDAPS, identify the SSL Path and SSL provider automatically #62

Closed AndreeaChi closed 1 year ago

AndreeaChi commented 1 year ago

Is it possible when trying to use LDAPS with the Active Directory extension to identify the Path to SSL Keystore and the SSL Source Provider?

The benefit would be to avoid situations when the path or the source is completed incorrectly.

tmortagne commented 1 year ago

Note that from what I see in recent documentation, it's very possible setting the provider is totally useless now and that the default one would do just fine (meaning the fix would be to move the default from "com.sun.net.ssl.internal.ssl.Provider" to not setting it at all). That would make it something to do on generic LDAP authenticator side instead of the AD authenticator (but I guess there is some UI to remove to make things simpler in the AD application). To be tested.

oanat commented 1 year ago

Reported https://jira.xwiki.org/browse/LDAP-120.

snazare commented 1 year ago

Will test "Add the possibility to not set the xwiki.authentication.ldap.ssl.secure_provider (the default value is "com.sun.net.ssl.internal.ssl.Provider") as in recent documentation, it's very possible setting the provider is totally useless now and that the default one would do just fine."

oanalavinia commented 1 year ago

https://jira.xwiki.org/browse/LDAP-120 has been included with the upgrade to LDAP 9.11.0 in https://github.com/xwikisas/application-activedirectory/commit/38c3894f19394919134c84efdbc04354e94df0a2, so there is no need to fill in the provider anymore.

For the path to the SSL trust store, the idea of the issue was to avoid situations when this is filled in incorrectly, but I think that trying to provide a value could be more confusing, or even redundant. According to https://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#X509TrustManager, JSSE already tries to find the certificate in one of the default locations (jssecacerts, then cacerts) in case another location was not specified, so there is no need to define other defaults. What I propose is to update the documentation on the store about this and also point to https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/UseCases#HUseLDAPoverSSL28ldapsauthentication29, since additional configuration might indeed be needed.
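As an added diagnostic (not code from the extension or from anyone in this thread), the class below reproduces the JSSE default trust-store lookup described in the comment above and, with no provider named, checks whether that store trusts an exported AD server certificate chain; the class name, the PEM file argument and the `main()` are my own assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Diagnostic for LDAPS trust problems: reports which trust store JSSE picks when no
 * path is configured and whether that store trusts the AD server's certificate chain.
 * Usage: java LdapsTrustCheck server-chain.pem   (PEM exported from the AD server, leaf first)
 */
public class LdapsTrustCheck {

    /** Mirrors the JSSE default lookup: javax.net.ssl.trustStore, then jssecacerts, then cacerts. */
    static Path resolveDefaultTrustStore() {
        String explicit = System.getProperty("javax.net.ssl.trustStore");
        if (explicit != null) {
            return Paths.get(explicit);
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = security.resolve("jssecacerts");
        return Files.exists(jssecacerts) ? jssecacerts : security.resolve("cacerts");
    }

    /** Default trust manager with no provider named, which the thread concludes is sufficient. */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // a null store triggers the default lookup shown above
        return (X509TrustManager) tmf.getTrustManagers()[0];
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Default trust store: " + resolveDefaultTrustStore());
        try (InputStream in = new FileInputStream(args[0])) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate[] chain = cf.generateCertificates(in).toArray(new X509Certificate[0]);
            defaultTrustManager().checkServerTrusted(chain, "RSA");
            System.out.println("Trusted: " + chain[0].getSubjectX500Principal());
        } catch (CertificateException e) {
            System.out.println("NOT trusted by the default store: " + e.getMessage());
        }
    }
}
```

If the chain is reported as not trusted, import the issuing CA into the store that is printed (or set javax.net.ssl.trustStore to one that contains it) rather than guessing a path in the extension's configuration.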

oanalavinia commented 1 year ago

Documentation updated at https://store.xwiki.com/xwiki/bin/view/Extension/ActiveDirectoryApplication#documentation