author | Pavel Březina <pbrezina@redhat.com> | 2017-02-28 11:47:32 +0100 |
---|---|---|
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2017-03-30 19:08:00 +0200 |
commit | 720e1a5b95a953a0f1c8315bbb7c9c1edf9fb417 (patch) | |
tree | c559db1c94f83a924d78e22bd7f2d9ddacded5da /src/config | |
parent | 06744bf5a47d5971a338281c8243b11cf72dac90 (diff) | |
secrets: allow to configure certificate check
Some users may want to use TLS with unverified peer (for example if
they use self-signed certificate) or if unverified hostname (if
certificate hostname does not match with the real hostname). On the
other side it may be useful to point to a directory containing custom
certificate authorities.
This patch adds three new options to the secrets responder:
verify_peer => peer's certificate must be valid
verify_host => hostnames must match
capath => path to directory containing CA certs
cacert => ca certificate
cert => client certificate
key => client private key
Resolves:
https://pagure.io/SSSD/sssd/issue/3192
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/config')
-rw-r--r-- | src/config/SSSDConfig/__init__.py.in | 6 | ||||
-rw-r--r-- | src/config/cfg_rules.ini | 6 | ||||
-rw-r--r-- | src/config/etc/sssd.api.conf | 6 |
3 files changed, 18 insertions, 0 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index a29d51e0d..54ad722f0 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -137,6 +137,12 @@ option_strings = {
 'forward_headers': _('The list of the headers to forward to the Custodia server together with the request'),
 'username': _('The username to use when authenticating to a Custodia server using basic_auth'),
 'password': _('The password to use when authenticating to a Custodia server using basic_auth'),
+ 'verify_peer': _('If true peer\'s certificate is verified if proxy_url uses https protocol'),
+ 'verify_host': _('If false peer\'s certificate may contain different hostname then proxy_url when https protocol is used'),
+ 'capath': _('Path to directory where certificate authority certificates are stored'),
+ 'cacert': _('Path to file containing server\'s CA certificate'),
+ 'cert': _('Path to file containing client\'s certificate'),
+ 'key': _('Path to file containing client\'s private key'),
 
 # [provider]
 'id_provider' : _('Identity provider'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 1a749db75..e47ff3324 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -265,6 +265,12 @@ option = auth_header_value
 option = forward_headers
 option = username
 option = password
+option = verify_peer
+option = verify_host
+option = capath
+option = cacert
+option = cert
+option = key
 
 # KCM responder
 [rule/allowed_kcm_options]
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index a1a0c2992..f86589ece 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
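Review bot: The new `verify_host` help string reads "different hostname then proxy_url"; that should be "than", and the sentence is clearer as `'verify_host': _('If false, the peer\'s certificate may carry a hostname different from the one in proxy_url when the https protocol is used'),`. The `verify_peer` string stacks two "if"s; `'verify_peer': _('If true, the peer\'s certificate is verified when proxy_url uses the https protocol'),` reads better. Neither string says what happens when the option is omitted, and the sssd.api.conf hunk below declares both booleans with no default (`bool, None, false`), so the effective default is decided in the responder code outside this commit; since setting either to false weakens TLS validation of the Custodia server, stating the confirmed default in these help strings would help administrators judge the risk. The `option_strings` dict starts and ends outside the hunk.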
@@ -114,6 +114,12 @@ auth_header_value = str, None, false
 forward_headers = list, None, false
 username = str, None, false
 password = str, None, false
+verify_peer = bool, None, false
+verify_host = bool, None, false
+capath = str, None, false
+cacert = str, None, false
+cert = str, None, false
+key = str, None, false
 
 [provider]
 #Available provider types