Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ldap traffic is unencrypted between haproxy and container host #523

Open
baszoetekouw opened this issue Jun 10, 2024 · 6 comments
Open

ldap traffic is unencrypted between haproxy and container host #523

baszoetekouw opened this issue Jun 10, 2024 · 6 comments
Assignees
@mrvanes
Labels
test2

Comments

@baszoetekouw
Copy link
Member

Currently the ldap container exposes a plain text port 389 to the outside. This means that all traffic between the haproxy and ldap container is plain text, which we don't want.

There are two solutions:

  1. (preferrred) loop the ldap traffic also through Traefik; according to @quartje it is also able to handle plain TCP traffic and should be able to do TLS termination. This is the preferred solution, because it allows us to treat all containers and traffic (HTTP and TCP) identical, and we don't have to expose the ldap container port on the Docker host at all.
  2. let slapd handle the TLS termination and expose an ldaps-port on the container host. In that case, make sure we expose a non-standard port (e.g., 1636 instead of 636).
@baszoetekouw baszoetekouw moved this from New to Todo in SRAM development Jun 10, 2024
@mrvanes
Copy link
Contributor

mrvanes commented Jun 10, 2024

No, LDAP traffic flow through traefik and traefik connects to 389 on the container host. Let's discuss when I'm back.

@mrvanes mrvanes moved this from Todo to In progress in SRAM development Jun 17, 2024
@mrvanes
Copy link
Contributor

mrvanes commented Jul 5, 2024

SURFConext test docker host needs extra config:

entryPoints:
  ldaps:
    address: ":636"

@mrvanes
Copy link
Contributor

mrvanes commented Aug 26, 2024

Enige uitstaande actie is de LDAP ACL configuratie op de loadbalancer (?) vanuit de SBS config.

@logan-life
Copy link

Needful config has been completed, needs another set of eyes to look at seeing if it works. Can the dirs on test2 be accessed via LDAP-S.

@baszoetekouw
Copy link
Member Author

merged and deployed. Waiting for acl change in https://jira.ia.surf.nl/servicedesk/customer/portal/1/ISSD-28458

@baszoetekouw baszoetekouw removed their assignment Sep 3, 2024
@logan-life
Copy link

ACL change ticket marked as Done

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mrvanes mrvanes

Labels
test2
Projects
SRAM development
Status: To be tested
Milestone
No milestone
Development

No branches or pull requests
3 participants
@baszoetekouw @mrvanes @logan-life