[arvados] updated: 2.5.0-5-g7432df3ab

git repository hosting git at public.arvados.org
Tue Jan 17 16:36:08 UTC 2023


Summary of changes:
 lib/config/config.default.yml        | 8 ++++++--
 lib/controller/localdb/login_ldap.go | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)

       via  7432df3ab18b66c2a5dac1f18c9e8b1d7a388558 (commit)
       via  064df2d66faf61f475813863e5c29ca07ad9555a (commit)
      from  37710c707e0f7b0a57a836ff8cc42dd0c5f762ff (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 7432df3ab18b66c2a5dac1f18c9e8b1d7a388558
Author: Tom Clegg <tom at curii.com>
Date:   Tue Jan 17 11:35:29 2023 -0500

    19896: Mention TLS version error message in config doc.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>

diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index 3ca137e9c..6159a455b 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -805,8 +805,12 @@ Clusters:
 
         # Mininum TLS version to negotiate when connecting to server
         # (ldaps://... or StartTLS). It may be necessary to set this
-        # to "1.1" for compatibility with older LDAP servers. If
-        # blank, use the recommended minimum version (1.2).
+        # to "1.1" for compatibility with older LDAP servers that fail
+        # with 'LDAP Result Code 200 "Network Error": TLS handshake
+        # failed (tls: server selected unsupported protocol version
+        # 301)'.
+        #
+        # If blank, use the recommended minimum version (1.2).
         MinTLSVersion: ""
 
         # Strip the @domain part if a user supplies an email-style
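Review bot: The quoted error does not appear to match the advice to set "1.1". If the message comes from Go's crypto/tls, the version is printed in hex, so 301 is 0x0301 (TLS 1.0), and a server that selects TLS 1.0 would still be rejected with MinTLSVersion "1.1". Either quote the message that the "1.1" setting actually resolves, or say which setting corresponds to 301; this is worth confirming against a server that produces the error. The comment should also say that a floor below 1.2 allows deprecated protocol versions on the connection used for LDAP login, for example `# Versions below 1.2 are deprecated; lower this only until the LDAP server can be upgraded.`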

commit 064df2d66faf61f475813863e5c29ca07ad9555a
Author: Tom Clegg <tom at curii.com>
Date:   Tue Jan 17 11:27:37 2023 -0500

    19896: Use StartTLS + MinTLSVersion regardless of Insecure flag.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>

diff --git a/lib/controller/localdb/login_ldap.go b/lib/controller/localdb/login_ldap.go
index f8fe9084d..df3982c85 100644
--- a/lib/controller/localdb/login_ldap.go
+++ b/lib/controller/localdb/login_ldap.go
@@ -74,9 +74,9 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
 
 	if conf.StartTLS {
 		var tlsconfig tls.Config
+		tlsconfig.MinVersion = uint16(conf.MinTLSVersion)
 		if conf.InsecureTLS {
 			tlsconfig.InsecureSkipVerify = true
-			tlsconfig.MinVersion = uint16(conf.MinTLSVersion)
 		} else {
 			if host, _, err := net.SplitHostPort(conf.URL.Host); err != nil {
 				// Assume SplitHostPort error means
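Review bot: With MinTLSVersion left blank, the now-unconditional `tlsconfig.MinVersion = uint16(conf.MinTLSVersion)` presumably stores 0, so the effective floor is whatever crypto/tls defaults to in the Go release used for the build, which is not necessarily the 1.2 that config.default.yml promises. Pinning it keeps the documented behaviour independent of the toolchain: `if tlsconfig.MinVersion == 0 { tlsconfig.MinVersion = tls.VersionTLS12 }`. A short comment on the assignment, such as `// Applies to verified and InsecureTLS connections alike; 0 means library default.`, would record why it sits outside the InsecureTLS branch. Only the StartTLS branch is visible and UserAuthenticate continues outside the hunk, so it should be checked that the ldaps:// dial path applies the same floor.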

-----------------------------------------------------------------------


hooks/post-receive
-- 



