Commit 91bf5323 authored by Eero Häkkinen's avatar Eero Häkkinen

Support TLS parameters for ldaps URIs

parent 0e891d7d
......@@ -74,12 +74,12 @@ Connection
- More than one server can be set here separated by spaces or
commas. They will be tested in the specified order.
- To use TLS, set ``ldap+tls://server`` and to use LDAPS, set
- To use StartTLS, set ``ldap+tls://server`` and to use LDAPS, set
``ldaps://server`` instead of server name.
- If you use TLS, you can set any of the
- If you use StartTLS or LDAPS, you can set any of the
`Net::LDAP <http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod>`__
start_tls() sub like
``ldap+tls://server/verify=none&capath=/etc/ssl``. You can
start_tls() options in the URL, such as ``ldap+tls://server/verify=none``
or ``ldaps://server/cafile=/etc/ssl/ca.pem&sslversion=tlsv1_2``. You can
also use cafile and capath parameters.
- **Server port**: TCP port used by LDAP server if different from the standard
......
......@@ -24,32 +24,38 @@ sub new {
my $portal = $args->{p} or die "$class : p argument required !";
my $conf = $args->{conf} or die "$class : conf argument required !";
my $self;
my $useTls = 0;
my $tlsParam;
my $useStartTls = 0;
my %tlsParams;
my @servers = ();
foreach my $server ( split /[\s,]+/, $conf->{ldapServer} ) {
if ( $server =~ m{^ldap\+tls://([^/]+)/?\??(.*)$} ) {
$useTls = 1;
$server = $1;
$tlsParam = $2 || "";
$useStartTls = 1;
$server = $1;
%tlsParams = split( /[&=]/, $2 || "" );
}
elsif ( $server =~ m{^(ldaps://[^/]+)/?\??(.*)$} ) {
$useStartTls = 0;
$server = $1;
%tlsParams = split( /[&=]/, $2 || "" );
}
else {
$useTls = 0;
$useStartTls = 0;
}
push @servers, $server;
}
$tlsParams{cafile} ||= $conf->{ldapCAFile} if ( $conf->{ldapCAFile} );
$tlsParams{capath} ||= $conf->{ldapCAPath} if ( $conf->{ldapCAPath} );
$tlsParams{verify} ||= $conf->{ldapVerify} if ( $conf->{ldapVerify} );
$self = Net::LDAP->new(
\@servers,
onerror => undef,
keepalive => 1,
%tlsParams,
( $conf->{ldapPort} ? ( port => $conf->{ldapPort} ) : () ),
( $conf->{ldapTimeout} ? ( timeout => $conf->{ldapTimeout} ) : () ),
( $conf->{ldapVersion} ? ( version => $conf->{ldapVersion} ) : () ),
( $conf->{ldapRaw} ? ( raw => $conf->{ldapRaw} ) : () ),
( $conf->{ldapCAFile} ? ( cafile => $conf->{ldapCAFile} ) : () ),
( $conf->{ldapCAPath} ? ( capath => $conf->{ldapCAPath} ) : () ),
( $conf->{ldapVerify} ? ( verify => $conf->{ldapVerify} ) : () ),
);
unless ($self) {
$portal->logger->error( "LDAP initialization error: " . $@ );
......@@ -77,12 +83,8 @@ sub new {
$socket->read_timeout( $conf->{ldapIOTimeout} );
$socket->write_timeout( $conf->{ldapIOTimeout} );
if ($useTls) {
my %h = split( /[&=]/, $tlsParam );
$h{cafile} ||= $conf->{ldapCAFile} if ( $conf->{ldapCAFile} );
$h{capath} ||= $conf->{ldapCAPath} if ( $conf->{ldapCAPath} );
$h{verify} ||= $conf->{ldapVerify} if ( $conf->{ldapVerify} );
my $mesg = $self->start_tls(%h);
if ($useStartTls) {
my $mesg = $self->start_tls(%tlsParams);
if ( $mesg->code ) {
$portal->logger->error( 'LDAP StartTLS failed: ' . $mesg->error );
return 0;
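Review bot: The `elsif` and `else` branches of the server loop reset `$useStartTls` to 0 for each later server, so a list such as `ldap+tls://a ldap://b` leaves `$useStartTls = 0` and the `start_tls` call in the second hunk is skipped, while `Net::LDAP->new` is still handed `a` first and tries it in order — the first host is then used without StartTLS, a silent downgrade rather than an error. The reset itself carries over from the old `$useTls` code, but the new `%tlsParams = split(...)` has the same last-server-wins shape: URL parameters of earlier servers are dropped, and whatever the last server specified is applied to every host in the single `Net::LDAP->new` call. Since one `\@servers` and one `%tlsParams` serve all hosts, the simplest safe behaviour is to require every server to use the same scheme and fail in the constructor otherwise, as sketched below; mixing should at least be logged if it is meant to be allowed. `sub new` continues beyond both hunks.
```perl
my $useStartTls = 0;
my %tlsParams;
my @servers = ();
my $scheme;    # scheme of the first server; every server must agree
foreach my $server ( split /[\s,]+/, $conf->{ldapServer} ) {
    my $thisScheme =
        $server =~ m{^ldap\+tls://} ? 'ldap+tls'
      : $server =~ m{^ldaps://}     ? 'ldaps'
      :                               'ldap';
    # One %tlsParams / one start_tls() decision covers every host that
    # Net::LDAP->new will try, so mixed schemes cannot be honoured.
    die "$class : mixed schemes in ldapServer ($scheme vs $thisScheme)"
      if defined $scheme and $scheme ne $thisScheme;
    $scheme = $thisScheme;
    # … unchanged: per-scheme parsing of $server and %tlsParams …
    push @servers, $server;
}
```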
......