Does LDAPS work during iPXE menu login?
-
I have LDAP configured properly for logging into the FOG UI as well as authentication during the IPXE menu login. I’m trying to add security layers to the FOG server and environment. I ran wireshark to see how FOG sends LDAP credentials, and it appears to send them clear text over HTTP. If I use LDAPS, will FOG still send those clear credentials via HTTP or will it be secure?
-
@brakcounty The code support switching to ldaps by adjusting the port number, I suspect that bit won’t work as advertised. I don’t think that element was ever tested. The reason why I say that is to make it work it needs an LDAP certificate installed.
-
@george1421 So the alternative would be to use SSL and embed the cert into the ipxe kernel right? I saw a post about this topic and a post pointed to this link https://wiki.fogproject.org/wiki/index.php?title=Upgrade_to_trunk about the latest build already has SSL set up? I’d just have to run installfog.sh -s and HTTPS would be working for the web gui as well as ipxe?
-
@brakcounty said in Does LDAPS work during iPXE menu login?:
and HTTPS would be working for the web gui as well as ipxe?
That would minimize the risk of clear text being browsable when interacting with the web interface, but not LDAP. That is its own critter.
-
@george1421 I ran wireshark while pxe booting fog and logging in to the ipxe menu, saw that the creds were sent via HTTP, not LDAP. So I should upgrade to the latest trunk using the -s switch and all will be SSL? I’d still have to compile the ipxe kernel with a cert or is that done during setup?
-
@brakcounty said in Does LDAPS work during iPXE menu login?:
I’d still have to compile the ipxe kernel with a cert or is that done during setup?
The FOG installer does this for you.
-
@sebastian-roth Game changer! Thanks! I’m testing the dev-branch install right now on a vm.
-
@sebastian-roth One more question (I hope this is the last one) if I want to set up a trust between my prod environment and the cert that FOG is using, where can I find the FOG cert on the file system?
-
@brakcounty According to the installer code, it’s in
$sslpath/CA/*. It also appears in your/opt/fog/.fogsettingsfile, undersslpath=.By default, the installer drops it all into
/opt/fog/snapins/ssl(lib/common/functions.sh L#1879) -
@george1421 said in Does LDAPS work during iPXE menu login?: mcdvoice
@brakcounty The code support switching to ldaps by adjusting the port number, I suspect that bit won’t work as advertised. I don’t think that element was ever tested. The reason why I say that is to make it work it needs an LDAP certificate installed.
Good one. Thanks for sharing a nice piece of info.