Support TLS parameters for ldaps URIs

doc/sources/admin/authldap.rst

@@ -74,12 +74,12 @@ Connection
 
    -  More than one server can be set here separated by spaces or
       commas. They will be tested in the specified order.
-   -  To use TLS, set ``ldap+tls://server`` and to use LDAPS, set
+   -  To use StartTLS, set ``ldap+tls://server`` and to use LDAPS, set
       ``ldaps://server`` instead of server name.
-   -  If you use TLS, you can set any of the
+   -  If you use StartTLS or LDAPS, you can set any of the
       `Net::LDAP <http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod>`__
-      start_tls() sub like
-      ``ldap+tls://server/verify=none&capath=/etc/ssl``. You can
+      start_tls() options in the URL, such as ``ldap+tls://server/verify=none``
+      or ``ldaps://server/cafile=/etc/ssl/ca.pem&sslversion=tlsv1_2``. You can
       also use cafile and capath parameters.
 
 -  **Server port**: TCP port used by LDAP server if different from the standard

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm

@@ -24,32 +24,38 @@ sub new {
     my $portal = $args->{p}    or die "$class : p argument required !";
     my $conf   = $args->{conf} or die "$class : conf argument required !";
     my $self;
-    my $useTls = 0;
-    my $tlsParam;
+    my $useStartTls = 0;
+    my %tlsParams;
     my @servers = ();
     foreach my $server ( split /[\s,]+/, $conf->{ldapServer} ) {
 
         if ( $server =~ m{^ldap\+tls://([^/]+)/?\??(.*)$} ) {
-            $useTls   = 1;
-            $server   = $1;
-            $tlsParam = $2 || "";
+            $useStartTls = 1;
+            $server      = $1;
+            %tlsParams   = split( /[&=]/, $2 || "" );
+        }
+        elsif ( $server =~ m{^(ldaps://[^/]+)/?\??(.*)$} ) {
+            $useStartTls = 0;
+            $server      = $1;
+            %tlsParams   = split( /[&=]/, $2 || "" );
         }
         else {
-            $useTls = 0;
+            $useStartTls = 0;
         }
         push @servers, $server;
     }
+    $tlsParams{cafile} ||= $conf->{ldapCAFile} if ( $conf->{ldapCAFile} );
+    $tlsParams{capath} ||= $conf->{ldapCAPath} if ( $conf->{ldapCAPath} );
+    $tlsParams{verify} ||= $conf->{ldapVerify} if ( $conf->{ldapVerify} );
     $self = Net::LDAP->new(
         \@servers,
         onerror   => undef,
         keepalive => 1,
+        %tlsParams,
         ( $conf->{ldapPort}    ? ( port    => $conf->{ldapPort} )    : () ),
         ( $conf->{ldapTimeout} ? ( timeout => $conf->{ldapTimeout} ) : () ),
         ( $conf->{ldapVersion} ? ( version => $conf->{ldapVersion} ) : () ),
         ( $conf->{ldapRaw}     ? ( raw     => $conf->{ldapRaw} )     : () ),
-        ( $conf->{ldapCAFile}  ? ( cafile  => $conf->{ldapCAFile} )  : () ),
-        ( $conf->{ldapCAPath}  ? ( capath  => $conf->{ldapCAPath} )  : () ),
-        ( $conf->{ldapVerify}  ? ( verify  => $conf->{ldapVerify} )  : () ),
     );
     unless ($self) {
         $portal->logger->error( "LDAP initialization error: " . $@ );
@@ -77,12 +83,8 @@ sub new {
     $socket->read_timeout( $conf->{ldapIOTimeout} );
     $socket->write_timeout( $conf->{ldapIOTimeout} );
 
-    if ($useTls) {
-        my %h = split( /[&=]/, $tlsParam );
-        $h{cafile} ||= $conf->{ldapCAFile} if ( $conf->{ldapCAFile} );
-        $h{capath} ||= $conf->{ldapCAPath} if ( $conf->{ldapCAPath} );
-        $h{verify} ||= $conf->{ldapVerify} if ( $conf->{ldapVerify} );
-        my $mesg = $self->start_tls(%h);
+    if ($useStartTls) {
+        my $mesg = $self->start_tls(%tlsParams);
         if ( $mesg->code ) {
             $portal->logger->error( 'LDAP StartTLS failed: ' . $mesg->error );
             return 0;