Hey,

Is anybody using AD with foreman? If so are you using LDAPS? I found
out today that AD requires LDAPS when a ldap query requests a password
to be sent for verification. This would also necessitate the need to
have a certificate signed by the Active Directory CA. However, where
does this certificate then get placed on the foreman server?

Corey

Hello!

I am indeed using Active Directory (Win2k3) but unfortunately not via
LDAPS.
Usually this is not necessary to implement authentication for foreman
(despite it would be more secure of course).

I created a normal AD useraccount with limited rights, which is used to do
the initial bind to LDAP. After that Foreman (or any other application will
do a bind the users credentials).

Currently I am using the settings like displayed on
LDAP Authentication - Foreman except for
the LDAPS part.

I hope this helps.

Kind regards
Hannes

I'm running into this same situation. The replies so far do not seem
to address the certificate issue. Is there a way to do this?

Thanks,
Jake

note that its also possible to use the current user credentials in order
to bind to AD in the first place.

this binds to LDAP with the user name and password, if it works, then
the user is searched and if found - authenticated.

Ohad

I think what we would need to do is the following:

1. get a csr (cert signing request) from the foreman server
2. Goto the CA (might be one of your ad servers)

http://myadserverthathatistheCA/certsrv/Default.asp (our win2k3 server)

3. Request a certificate–> advanced certificate request

4. Paste in the base64 encoded cert request in the saved request box

5. Choose web server for certificate template

6. download the signed certificate and use this cert for your SSL connection to foreman and for foreman to use with ldaps.
   This is a very rough example of what it might look in your apache configuration.

Server Certificate

SSLCertificateFile /etc/httpd/conf/ssl.crt/domainname.com.crt
This is just a quick writeup and how I configured my ilo/ldap integration with AD the other day. This probably won't work since this is
a foreman server but maybe someone else can chime in
and adjust a few steps to get us into the right direction.

Ideally, foreman should have a button to load the signed cert for ldaps but maybe this will suffice.

Corey

Well, I got it to work for me!

This is what I did. We get a signed cert from our CA to we are
allowed to use. Its not tied to our host, so its nothing like you
dsecribed of generating a csr on our system to get signed. I then
modified in foreman the following file: vendor/plugins/ruby-net-ldap/
lib/net/ldap.rb

On line 1214 is where it will by default when using LDAPS try to use
simple_tls to make an encrypted connection. In this block after

ctx = OpenSSL::SSL::SSLContext.new

and before

@conn = OpenSSL::SSL::SSLSocket.new(@conn, ctx)

I added a line

ctx.cert = OpenSSL::X509::Certificate.new(File.read("/path/to/cert"))

So again the following:

ctx = OpenSSL::SSL::SSLContext.new
@conn = OpenSSL::SSL::SSLSocket.new(@conn, ctx)

Becomes:

ctx = OpenSSL::SSL::SSLContext.new
ctx.cert = OpenSSL::X509::Certificate.new(File.read("/path/to/cert"))
@conn = OpenSSL::SSL::SSLSocket.new(@conn, ctx)

This got OpenSSL connections using my cert to work. However, my
logins were still failing. I found out when changing my port to the
LDAPS port and checking to use LDAPS that foreman reset my 'Account
Password' from what it was to 'xxxxxxxxxxxxx'. So I had to set that
back. I think the fake masked password actually gets applied when you
make tweaks to other settings. This took me a while to figure
out, this should get fixed.

So everything is working fine for me now after this hack. Seems
pretty simple to get to work, so it shouldn't be very hard to add this
functionality directly to foreman and have a text field to point to
what cert to use in the future. I believe the harder part is probably
everyone uses different tpyes of certs and whatnot so while this hack
is easy for my case, allowing a complete solution that works for
everyone could be more difficult.

Corey, if you are doing the private_key->csr->signed thingy, you may
need to have a block of code similar to mine with 1 extra line like:

ctx = OpenSSL::SSL::SSLContext.new
ctx.cert = OpenSSL::X509::Certificate.new(File.read("/path/to/cert"))
ctx.key = OpenSSL::PKey::RSA.new(File.open("/path/to/privkey"))
@conn = OpenSSL::SSL::SSLSocket.new(@conn, ctx)

Links to references that helped me out:

http://andyjeffries.co.uk/articles/x509-encrypted-authenticated-socket-ruby-client
http://www.spacevatican.org/2009/7/11/ruby-openssl-and-client-side-certificates
http://www.ruby-doc.org/stdlib/libdoc/openssl/rdoc/classes/OpenSSL.html

Regards,
Jake

> Well, I got it to work for me!

great! would be awesome to get a patch for it
>
> This is what I did. We get a signed cert from our CA to we are
> allowed to use. Its not tied to our host, so its nothing like you
> dsecribed of generating a csr on our system to get signed. I then
> modified in foreman the following file: vendor/plugins/ruby-net-ldap/
> lib/net/ldap.rb
>
> On line 1214 is where it will by default when using LDAPS try to use
> simple_tls to make an encrypted connection. In this block after
>
> ctx = OpenSSL::SSL::SSLContext.new
>
> and before
>
> @conn = OpenSSL::SSL::SSLSocket.new(@conn, ctx)
>
> I added a line
>
> ctx.cert = OpenSSL::X509::Certificate.new(File.read("/path/to/cert"))
>
> So again the following:
>
> ctx = OpenSSL::SSL::SSLContext.new
> @conn = OpenSSL::SSL::SSLSocket.new(@conn, ctx)
>
> Becomes:
>
> ctx = OpenSSL::SSL::SSLContext.new
> ctx.cert = OpenSSL::X509::Certificate.new(File.read("/path/to/cert"))
> @conn = OpenSSL::SSL::SSLSocket.new(@conn, ctx)
>
> This got OpenSSL connections using my cert to work. However, my
> logins were still failing. I found out when changing my port to the
> LDAPS port and checking to use LDAPS that foreman reset my 'Account
> Password' from what it was to 'xxxxxxxxxxxxx'. So I had to set that
> back. I think the fake masked password actually gets applied when you
> make tweaks to other settings. This took me a while to figure
> out, this should get fixed.

ouch - would you mind creating a bug?

>
> So everything is working fine for me now after this hack. Seems
> pretty simple to get to work, so it shouldn't be very hard to add this
> functionality directly to foreman and have a text field to point to
> what cert to use in the future. I believe the harder part is probably
> everyone uses different tpyes of certs and whatnot so while this hack
> is easy for my case, allowing a complete solution that works for
> everyone could be more difficult.
>
> Corey, if you are doing the private_key->csr->signed thingy, you may
> need to have a block of code similar to mine with 1 extra line like:
>
> ctx = OpenSSL::SSL::SSLContext.new
> ctx.cert = OpenSSL::X509::Certificate.new(File.read("/path/to/cert"))
> ctx.key = OpenSSL::PKey::RSA.new(File.open("/path/to/privkey"))
> @conn = OpenSSL::SSL::SSLSocket.new(@conn, ctx)
>
> Links to references that helped me out:
>
> http://andyjeffries.co.uk/articles/x509-encrypted-authenticated-socke...http://www.spacevatican.org/2009/7/11/ruby-openssl-and-client-side-ce...http://www.ruby-doc.org/stdlib/libdoc/openssl/rdoc/classes/OpenSSL.html
>
> Regards,
> Jake

Thanks!
Ohad

Did this functionality ever get built-in? I'm just looking at the same
thing with Foreman 1.2.0 and I see it's been awhile. The interface is a bit
different.

Thanks,
JSR/

Created Bug #872: LDAP Auth Source Account Password reset - Foreman for the masked password being
set as your password.

Yea, I won't be creating a patch for what I'm doing. I had a
coworker help me and we are both not very familiar with ruby. This
simple change for us took over a day to figure out. Also, I think
a complete solution would be more complex then what works for me.

Thanks,
Jake