doc/content/design/external-auth-ldaps.md
Lines changed: 19 additions & 20 deletions
@@ -91,9 +91,11 @@ Given `ldaps` default to `false`, this feature is **NOT** enabled until explicit
91
91
92
92
#### 3.1.2 Error code
93
93
Following new error codes added to indicate ldaps enable related error
94
-
- POOL_AUTH_ENABLE_FAILED_NO_CERTS, no certs can be used for ldaps, refer to 4.1.2 for certs finding.
95
-
- POOL_AUTH_ENABLE_FAILED_INVALID_CERTS, found certs, but none of the certs can be used to connect to DC
96
-
**Note**: Current error code handing infrustrucure requires the error code prefix with POOL_AUTH_ENABLE_FAILED
94
+
-`POOL_AUTH_ENABLE_FAILED_NO_TRUSTED_CERTS`: no trusted certs can be used for ldaps, refer to 4.1.2 for trusted certs finding.
95
+
-`POOL_AUTH_ENABLE_FAILED_INVALID_TRUSTED_CERTS`: found trusted certs, but none of the trusted certs can be used to connect to DC.
96
+
-`POOL_AUTH_ENABLE_FAILED_SETUP_TLS_CONNECTION`: failed to set up TLS connection to DC (e.g. GnuTLS handshake failure such as `tstream_tls_sync_setup: GNUTLS ERROR`). The error message contains the underlying details reported by winbind.
97
+
98
+
**Note**: Current error code handling infrastructure requires the error code prefix with `POOL_AUTH_ENABLE_FAILED`.
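Review bot: the three new bullets in this hunk have no space between the hyphen and the backtick (`-`POOL_AUTH_ENABLE_FAILED_NO_TRUSTED_CERTS`: ...`), so CommonMark will not treat them as list items and they will render as one run-on paragraph; write them as `- `POOL_AUTH_ENABLE_FAILED_NO_TRUSTED_CERTS`: ...`. Renaming `POOL_AUTH_ENABLE_FAILED_NO_CERTS` to `POOL_AUTH_ENABLE_FAILED_NO_TRUSTED_CERTS` (and `_INVALID_CERTS` likewise) changes error codes that callers may already match on, so the section should say whether the old names remain as aliases or this is a breaking change. Minor wording: "requires the error code prefix with" reads better as "requires the error code to be prefixed with".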
- AUTH_NO_CERTS, no certs found to enable ldaps, refer to 4.1.2 for certs finding
139
-
- AUTH_INVALID_CERTS, found certs, but none of the certs can be used to connect to DC
140
-
- AUTH_IS_DISABLED, AD is not enabled
141
-
- AUTH_SET_LDAPS_FAILED, Failed to set ldaps, the error message contains the details like ldap query on domain failed
140
+
-`AUTH_NO_TRUSTED_CERTS`: no trusted certs found to enable ldaps, refer to 4.1.2 for trusted certs finding.
141
+
-`AUTH_INVALID_TRUSTED_CERTS`: found trusted certs, but none of the trusted certs can be used to connect to DC.
142
+
-`AUTH_SETUP_TLS_CONNECTION`: failed to set up TLS CONNECTION to DC (e.g. GnuTLS handshake failure such as `tstream_tls_sync_setup: GNUTLS ERROR`). The error message contains the underlying details reported by winbind.
143
+
-`AUTH_IS_DISABLED`: AD is not enabled.
144
+
-`AUTH_SET_LDAPS_FAILED`: Failed to set ldaps, the error message contains the details like ldap query on domain failed.
142
145
143
146
#### 3.2.2 Get Pool LDAPS Status
144
147
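Review bot: `AUTH_SETUP_TLS_CONNECTION` is the only code in this list that names the action rather than the failure; next to `AUTH_SET_LDAPS_FAILED` it reads as if TLS setup succeeded. Suggest `AUTH_SETUP_TLS_CONNECTION_FAILED`, which also mirrors `POOL_AUTH_ENABLE_FAILED_SETUP_TLS_CONNECTION` in 3.1.2. The same list-marker problem applies here (`-`AUTH_NO_TRUSTED_CERTS`:` needs a space after the hyphen), and "TLS CONNECTION" should be lower case as in 3.1.2. Since this code and `AUTH_SET_LDAPS_FAILED` both pass the underlying winbind message through to the caller, it is worth stating which parts of that output are surfaced, so API consumers know the message may carry DC-side details such as hostnames or certificate information.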
@@ -268,10 +271,10 @@ alt precheck failed
268
271
client-->>user: precheck failed
269
272
end
270
273
271
-
Note over client,coor: sync all ldaps certs
272
-
client->>coor: pool.download_trusted_certificate
273
-
coor-->>client:
274
-
client->>join: pool.install_trusted_certificate
274
+
Note over client,coor: sync trusted CA certs from coordinator to joining host
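Review bot: the two removed arrows (`client->>coor: pool.download_trusted_certificate` and `client->>join: pool.install_trusted_certificate`) are replaced by a note only, so the diagram no longer shows which participant performs the sync or which API is called, while the joining steps in this same change name `pool.sync_trusted_certificates_from` on the joiner. Suggest keeping an arrow, for example `client->>join: pool.sync_trusted_certificates_from` followed by `join->>coor: download trusted certificates`, and placing the note `over client,join` (or across all three participants) rather than `over client,coor`, since the coordinator is now the source and the joiner the target of the sync.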
1. Client find proper `ldaps certs` from pool coordinator as `certs_pool`
293
-
- a. find all certs `ldaps in purpose`
294
-
- b. if no LDAPS certs, find all `general` certs
295
-
2. Client find all certs in joining host as `certs_joining_host`
296
-
3. Client identify the certs needs to be synced to joining host as `certs_to_sync = certs_pool - certs_joining_host` (certs in `certs_pool`, but not in `certs_joining_host`), the certs fingerprint should be used to identify the certs
297
-
4. Client download all `certs_to_sync`, `pool.download_trusted_certificate` from coordinator
298
-
5. Client upload all certs to joining pool, `pool.install_trusted_certificate` to joining pool, with the same purpose
299
-
6. Client trigger `pool.join` again with domain username and password
300
-
7. After pool.join:
295
+
1. Client calls `pool.sync_trusted_certificates_from` to joiner host. The call will
296
+
- a. download all trusted certificates from the pool, and
297
+
- b. install the trusted certificates into the joiner host.
298
+
2. Client trigger `pool.join` again with domain username and password
299
+
3. After pool.join:
301
300
- If pool.join failed, Client call `pool.uninstall_trusted_certificate` on joining host to revert the certs
302
301
- If pool.join succeed, do nothing as pool.join would sync the certs anyway
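Review bot: step 3 still says to call `pool.uninstall_trusted_certificate` on the joining host "to revert the certs" when `pool.join` fails, but the new step 1 drops the `certs_to_sync = certs_pool - certs_joining_host` fingerprint diff and instead installs "all trusted certificates from the pool", so the text no longer defines which certificates the rollback removes; if it uninstalls everything the sync touched, it could remove CA certificates the joiner already trusted before the join attempt. Suggest stating that `pool.sync_trusted_certificates_from` returns (or the client records) the set of certificates it actually added, identified by fingerprint, and that step 3 uninstalls only those. The section should also say whether each certificate's purpose (`ldaps` or `general`) is preserved on the joiner, since the old step 5 required "the same purpose" and the new wording is silent. Grammar: "Client trigger" should be "Client triggers", "calls ... to joiner host" should be "calls ... on the joiner host", and "joiner host" and "joining host" should be used consistently.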