Mercurial > kallithea
comparison docs/setup.rst @ 6330:7ce3897bacd0
auth: make ldap OPT_X_TLS_CACERTDIR configurable
A location was hardcoded. The location was wrong for many systems and prevented
actual TLS from working. Also, it should not be necessary with modern Pythons.
For some reason, instead of removing it, we now decide to expose it to the
user. Choice FTW!
| author | Mads Kiilerich <madski@unity3d.com> |
|---|---|
| date | Tue, 15 Nov 2016 22:53:41 +0100 |
| parents | d6942b2b421c |
| children | 949c843bb535 |
comparison
equal
deleted
inserted
replaced
| 6329:16b685da1117 | 6330:7ce3897bacd0 |
|---|---|
| 233 .. _Certificate Checks: | 233 .. _Certificate Checks: |
| 234 | 234 |
| 235 Certificate Checks : optional | 235 Certificate Checks : optional |
| 236 How SSL certificates verification is handled -- this is only useful when | 236 How SSL certificates verification is handled -- this is only useful when |
| 237 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security | 237 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security |
| 238 while the other options are susceptible to man-in-the-middle attacks. SSL | 238 with mandatory certificate validation, while the other options are |
| 239 certificates can be installed to /etc/openldap/cacerts so that the | 239 susceptible to man-in-the-middle attacks. |
| 240 DEMAND or HARD options can be used with self-signed certificates or | |
| 241 certificates that do not have traceable certificates of authority. | |
| 242 | 240 |
| 243 NEVER | 241 NEVER |
| 244 A serve certificate will never be requested or checked. | 242 A serve certificate will never be requested or checked. |
| 245 | 243 |
| 246 ALLOW | 244 ALLOW |
| 257 A server certificate is requested and must be provided and | 255 A server certificate is requested and must be provided and |
| 258 authenticated for the session to proceed. | 256 authenticated for the session to proceed. |
| 259 | 257 |
| 260 HARD | 258 HARD |
| 261 The same as DEMAND. | 259 The same as DEMAND. |
| 260 | |
| 261 .. _Custom CA Certificates: | |
| 262 | |
| 263 Custom CA Certificates : optional | |
| 264 Directory used by OpenSSL to find CAs for validating the LDAP server certificate. | |
| 265 Python 2.7.10 and later default to using the system certificate store, and | |
| 266 this should thus not be necessary when using certificates signed by a CA | |
| 267 trusted by the system. | |
| 268 It can be set to something like `/etc/openldap/cacerts` on older systems or | |
| 269 if using self-signed certificates. | |
| 262 | 270 |
| 263 .. _Base DN: | 271 .. _Base DN: |
| 264 | 272 |
| 265 Base DN : required | 273 Base DN : required |
| 266 The Distinguished Name (DN) where searches for users will be performed. | 274 The Distinguished Name (DN) where searches for users will be performed. |