Well, I got it to work for me! 
This is what I did. We get a signed cert from our CA that we are
allowed to use. It's not tied to our host, so it's nothing like you
described of generating a CSR on our system to get signed. I then
modified in foreman the following file: vendor/plugins/ruby-net-ldap/
lib/net/ldap.rb
Line 1214 is where, by default when using LDAPS, it tries to use
simple_tls to make an encrypted connection. In this block after
ctx = OpenSSL::SSL::SSLContext.new
and before
@conn = OpenSSL::SSL::SSLSocket.new(@conn, ctx)
I added a line
ctx.cert = OpenSSL::X509::Certificate.new(File.read("/path/to/cert"))
So again the following:
ctx = OpenSSL::SSL::SSLContext.new
@conn = OpenSSL::SSL::SSLSocket.new(@conn, ctx)
Becomes:
ctx = OpenSSL::SSL::SSLContext.new
ctx.cert = OpenSSL::X509::Certificate.new(File.read("/path/to/cert"))
@conn = OpenSSL::SSL::SSLSocket.new(@conn, ctx)
This got OpenSSL connections using my cert to work. However, my
logins were still failing. I found out when changing my port to the
LDAPS port and checking to use LDAPS that foreman reset my 'Account
Password' from what it was to 'xxxxxxxxxxxxx'. So I had to set that
back. I think the fake masked password actually gets applied when you
make tweaks to other settings.
This took me a while to figure out; this should get fixed.
So everything is working fine for me now after this hack. Seems
pretty simple to get to work, so it shouldn't be very hard to add this
functionality directly to foreman and have a text field to point to
what cert to use in the future. I believe the harder part is probably
everyone uses different types of certs and whatnot, so while this hack
is easy for my case, allowing a complete solution that works for
everyone could be more difficult.
Corey, if you are doing the private_key->csr->signed thingy, you may
need to have a block of code similar to mine with 1 extra line like:
ctx = OpenSSL::SSL::SSLContext.new
ctx.cert = OpenSSL::X509::Certificate.new(File.read("/path/to/cert"))
ctx.key = OpenSSL::PKey::RSA.new(File.read("/path/to/privkey"))
@conn = OpenSSL::SSL::SSLSocket.new(@conn, ctx)
Links to references that helped me out:
http://andyjeffries.co.uk/articles/x509-encrypted-authenticated-socket-ruby-client
http://www.spacevatican.org/2009/7/11/ruby-openssl-and-client-side-certificates
http://www.ruby-doc.org/stdlib/libdoc/openssl/rdoc/classes/OpenSSL.html
Regards,
Jake
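Added example (not code from this post, from Foreman or from net-ldap): the context the post patches by hand, built the way a client-certificate LDAPS connection should be, and checked against a loopback TLS server standing in for AD. A bare SSLContext.new with only ctx.cert/ctx.key set does not verify the server's certificate, so the example sets verify_mode, a cert_store holding the CA, and verify_hostname as well, and refuses a cert/key pair that does not match before any connection is attempted. Assumptions: the cert, key and CA arrive as PEM strings (File.read of the paths the post uses); the throwaway CA and certificates in the test are constructed for the example; the hash shape is the one current net-ldap releases accept under encryption: { method: :simple_tls, tls_options: ... }, which the 2011 vendored copy the post edits does not have; Ruby's openssl extension 2.1 or newer for min_version and verify_hostname.

```ruby
require "openssl"
require "socket"

# Client-side TLS settings for LDAPS with a client certificate. Inputs are PEM
# strings (File.read the paths from the post). A bare SSLContext.new, as in the
# patched ldap.rb, verifies nothing; verify_mode and cert_store fix that.
# Assumption: this hash shape matches what current net-ldap accepts under
# encryption: { method: :simple_tls, tls_options: ... }; the 2011 vendored copy
# the post edits has no such option.
def ldaps_tls_options(cert_pem:, key_pem:, ca_pem:)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key  = OpenSSL::PKey.read(key_pem)                 # RSA or EC private key
  # A cert/key mismatch fails here instead of as an opaque handshake error.
  raise ArgumentError, "certificate does not match private key" unless cert.check_private_key(key)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(ca_pem))
  {
    cert: cert,
    key: key,
    cert_store: store,                               # trust anchor for the AD server's chain
    verify_mode: OpenSSL::SSL::VERIFY_PEER,
    verify_hostname: true,                           # server name must match its certificate
    min_version: OpenSSL::SSL::TLS1_2_VERSION,
  }
end

def client_context(tls_options)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(tls_options)                        # what net-ldap does with tls_options
  ctx
end

# Stand-in for the AD side: presents its own cert and demands one from the client.
def server_context(cert:, key:, ca_cert:)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx.cert_store = store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  ctx
end

# Constructed throwaway PKI for the example (not a real CA). Self-signed when
# no issuer is given; ca: true adds basicConstraints so it can sign others.
def issue_cert(subject:, key:, issuer_cert: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", san)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Loopback mutual-TLS handshake. Returns the client subject the server saw, or
# the OpenSSL::SSL::SSLError the client raised (e.g. on a hostname mismatch).
def mutual_tls_handshake(server_ctx, client_ctx, hostname: "localhost")
  listener = TCPServer.new("127.0.0.1", 0)
  port = listener.addr[1]
  server = Thread.new do
    begin
      conn = OpenSSL::SSL::SSLServer.new(listener, server_ctx).accept
      subject = conn.peer_cert.subject.to_s
      conn.close
      subject
    rescue StandardError => e
      e                                              # handshake failure on the server side
    end
  end
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), client_ctx)
  ssl.sync_close = true
  ssl.hostname = hostname                            # SNI, and the name verify_hostname checks
  begin
    ssl.connect
    server.value
  rescue OpenSSL::SSL::SSLError => e
    e
  ensure
    ssl.close
    listener.close
    server.join(5)
  end
end
```

With a current net-ldap the hash goes straight into the constructor, e.g. Net::LDAP.new(host: "ad.example.test", port: 636, encryption: { method: :simple_tls, tls_options: ldaps_tls_options(cert_pem: File.read("/path/to/cert"), key_pem: File.read("/path/to/privkey"), ca_pem: File.read("/path/to/ca")) }) (host and paths are placeholders). For the vendored copy the post edits, the same settings can be applied with ctx.set_params(...) in place of the two ctx.cert/ctx.key lines.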
On Apr 29, 5:35 pm, Corey Osman wrote:
> I think what we would need to do is the following:
>
> 1. get a csr (cert signing request) from the foreman server
> 2. Goto the CA (might be one of your ad servers)
>
> http://myadserverthathatistheCA/certsrv/Default.asp (our win2k3 server)
>
> 3. Request a certificate--> advanced certificate request
> 4. Paste in the base64 encoded cert request in the saved request box
> 5. Choose web server for certificate template
>
> 6. download the signed certificate and use this cert for your SSL connection to foreman and for foreman to use with ldaps.
> This is a very rough example of what it might look like in your apache configuration.
> # Server Certificate
> SSLCertificateFile /etc/httpd/conf/ssl.crt/domainname.com.crt
> This is just a quick writeup and how I configured my ilo/ldap integration with AD the other day. This probably won't work since this is
> a foreman server but maybe someone else can chime in
> and adjust a few steps to get us into the right direction.
>
> Ideally, foreman should have a button to load the signed cert for ldaps but maybe this will suffice.
>
> Corey
>
> On Apr 29, 2011, at 9:01 AM, Jake - USPS wrote:
>
> > I'm running into this same situation. The replies so far do not seem
> > to address the certificate issue. Is there a way to do this?
>
> > Thanks,
> > Jake
>
> > On Apr 26, 1:55 am, Corey Osman wrote:
> >> Hey,
>
> >> Is anybody using AD with foreman? If so are you using LDAPS? I found
> >> out today that AD requires LDAPS when a ldap query requests a password
> >> to be sent for verification. This would also necessitate the need to
> >> have a certificate signed by the Active Directory CA. However, where
> >> does this certificate then get placed on the foreman server?
>
> >> Corey
>
> > --
> > You received this message because you are subscribed to the Google Groups "Foreman users" group.
> > To post to this group, send email to foreman-users@googlegroups.com.
> > To unsubscribe from this group, send email to foreman-users+unsubscribe@googlegroups.com.
> > For more options, visit this group at http://groups.google.com/group/foreman-users?hl=en.