Description
For some reason, if we use an ldaps URI like "ldaps://ldap.test.com:636" and leave "ldap_cert" empty, I would expect that, using the certs in /etc/openldap/cacerts, Hue would be able to connect to LDAP. However, it fails with an error message akin to:
Unable to connect: TLS error -8172
I don't have the exact error message, but I will work on it. It appears to be using TLS even when "ldap_cert" is not set and this is causing the failure. I can see in the Hue code that we set TLS Require Cert = Never:
    # Certificate-related config settings
    if desktop.conf.LDAP.LDAP_CERT.get():
      ldap_settings.AUTH_LDAP_START_TLS = True
      ldap_settings.AUTH_LDAP_GLOBAL_OPTIONS[ldap.OPT_X_TLS_CACERTFILE] = desktop.conf.LDAP.LDAP_CERT.get()
    else:
      ldap_settings.AUTH_LDAP_START_TLS = False
      ldap_settings.AUTH_LDAP_GLOBAL_OPTIONS[ldap.OPT_X_TLS_REQUIRE_CERT] = ldap.OPT_X_TLS_NEVER
However, the only way to fix the above issue was to edit the /etc/openldap/ldap.conf and add:
TLS_REQCERT = never
Then restart Hue. Not sure why the above TLS_NEVER setting isn't working, but it does not seem to be stopping Hue from using TLS. This was on Redhat 6.2 and Hue 2.3.
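The following is an added sketch, not Hue's code and not part of the original report. It shows why START_TLS = False does not turn TLS off for an ldaps:// URI, and what a settings choice that keeps certificate verification on could look like. The function names (uses_tls, audit, plan) are hypothetical, and plain strings stand in for the python-ldap constants of the same name so the block runs without python-ldap.

```python
from urllib.parse import urlparse

# Strings stand in for the python-ldap constants of the same name so the
# sketch runs without python-ldap installed (assumption of this example).
REQUIRE_CERT, CACERTFILE, CACERTDIR = (
    "OPT_X_TLS_REQUIRE_CERT", "OPT_X_TLS_CACERTFILE", "OPT_X_TLS_CACERTDIR")
NEVER, DEMAND = "OPT_X_TLS_NEVER", "OPT_X_TLS_DEMAND"


def uses_tls(ldap_url, start_tls):
    """ldaps:// negotiates TLS at connect time, whatever START_TLS says."""
    scheme = urlparse(ldap_url).scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % scheme)
    return scheme == "ldaps" or bool(start_tls)


def audit(ldap_url, start_tls, options):
    """Return findings for a (url, START_TLS, global options) combination."""
    findings = []
    implicit = urlparse(ldap_url).scheme.lower() == "ldaps"
    if not uses_tls(ldap_url, start_tls):
        return ["cleartext LDAP: bind credentials are sent unencrypted"]
    if implicit and start_tls:
        findings.append("StartTLS requested on ldaps://, which is already TLS")
    if options.get(REQUIRE_CERT) == NEVER:
        findings.append("TLS without certificate verification")
    elif CACERTFILE not in options and CACERTDIR not in options:
        findings.append("no CA source set; relies on ldap.conf defaults")
    return findings


def plan(ldap_url, ldap_cert=None, ca_dir="/etc/openldap/cacerts"):
    """Pick settings that keep verification on for both URL schemes."""
    implicit = urlparse(ldap_url).scheme.lower() == "ldaps"
    if not implicit and not ldap_cert:
        return False, {}                      # plain ldap://, no TLS requested
    options = {REQUIRE_CERT: DEMAND}
    if ldap_cert:
        options[CACERTFILE] = ldap_cert       # explicit CA bundle from ldap_cert
    else:
        options[CACERTDIR] = ca_dir           # directory named in the report
    return (not implicit), options            # StartTLS only for ldap://
```

Running audit on the settings produced by the quoted else branch for the ldaps:// URI reports TLS without certificate verification, while the settings returned by plan for the same URI produce no findings.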