Merge branch 'feature/v2.0/support-ldap-uris' into 'v2.0'

Support TLS parameters for ldaps URIs See merge request lemonldap-ng/lemonldap-ng!256
2022-05-23 08:52:01 +00:00 · 2022-05-23 08:52:01 +00:00 · 3a82e3af7b
parent d832263129 91bf5323a5
commit 3a82e3af7b
2 changed files with 21 additions and 19 deletions
--- a/doc/sources/admin/authldap.rst
+++ b/doc/sources/admin/authldap.rst
@ -74,12 +74,12 @@ Connection

   -  More than one server can be set here separated by spaces or
      commas. They will be tested in the specified order.
-   -  To use TLS, set ``ldap+tls://server`` and to use LDAPS, set
+   -  To use StartTLS, set ``ldap+tls://server`` and to use LDAPS, set
      ``ldaps://server`` instead of server name.
-   -  If you use TLS, you can set any of the
+   -  If you use StartTLS or LDAPS, you can set any of the
      `Net::LDAP <http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod>`__
-      start_tls() sub like
-      ``ldap+tls://server/verify=none&capath=/etc/ssl``. You can
+      start_tls() options in the URL, such as ``ldap+tls://server/verify=none``
+      or ``ldaps://server/cafile=/etc/ssl/ca.pem&sslversion=tlsv1_2``. You can
      also use cafile and capath parameters.

 -  **Server port**: TCP port used by LDAP server if different from the standard
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm
@ -24,32 +24,38 @@ sub new {
    my $portal = $args->{p}    or die "$class : p argument required !";
    my $conf   = $args->{conf} or die "$class : conf argument required !";
    my $self;
-    my $useTls = 0;
-    my $tlsParam;
+    my $useStartTls = 0;
+    my %tlsParams;
    my @servers = ();
    foreach my $server ( split /[\s,]+/, $conf->{ldapServer} ) {

        if ( $server =~ m{^ldap\+tls://([^/]+)/?\??(.*)$} ) {
-            $useTls   = 1;
-            $server   = $1;
-            $tlsParam = $2 || "";
+            $useStartTls = 1;
+            $server      = $1;
+            %tlsParams   = split( /[&=]/, $2 || "" );
+        }
+        elsif ( $server =~ m{^(ldaps://[^/]+)/?\??(.*)$} ) {
+            $useStartTls = 0;
+            $server      = $1;
+            %tlsParams   = split( /[&=]/, $2 || "" );
        }
        else {
-            $useTls = 0;
+            $useStartTls = 0;
        }
        push @servers, $server;
    }
+    $tlsParams{cafile} ||= $conf->{ldapCAFile} if ( $conf->{ldapCAFile} );
+    $tlsParams{capath} ||= $conf->{ldapCAPath} if ( $conf->{ldapCAPath} );
+    $tlsParams{verify} ||= $conf->{ldapVerify} if ( $conf->{ldapVerify} );
    $self = Net::LDAP->new(
        \@servers,
        onerror   => undef,
        keepalive => 1,
+        %tlsParams,
        ( $conf->{ldapPort}    ? ( port    => $conf->{ldapPort} )    : () ),
        ( $conf->{ldapTimeout} ? ( timeout => $conf->{ldapTimeout} ) : () ),
        ( $conf->{ldapVersion} ? ( version => $conf->{ldapVersion} ) : () ),
        ( $conf->{ldapRaw}     ? ( raw     => $conf->{ldapRaw} )     : () ),
-        ( $conf->{ldapCAFile}  ? ( cafile  => $conf->{ldapCAFile} )  : () ),
-        ( $conf->{ldapCAPath}  ? ( capath  => $conf->{ldapCAPath} )  : () ),
-        ( $conf->{ldapVerify}  ? ( verify  => $conf->{ldapVerify} )  : () ),
    );
    unless ($self) {
        $portal->logger->error( "LDAP initialization error: " . $@ );
@ -77,12 +83,8 @@ sub new {
    $socket->read_timeout( $conf->{ldapIOTimeout} );
    $socket->write_timeout( $conf->{ldapIOTimeout} );

-    if ($useTls) {
-        my %h = split( /[&=]/, $tlsParam );
-        $h{cafile} ||= $conf->{ldapCAFile} if ( $conf->{ldapCAFile} );
-        $h{capath} ||= $conf->{ldapCAPath} if ( $conf->{ldapCAPath} );
-        $h{verify} ||= $conf->{ldapVerify} if ( $conf->{ldapVerify} );
-        my $mesg = $self->start_tls(%h);
+    if ($useStartTls) {
+        my $mesg = $self->start_tls(%tlsParams);
        if ( $mesg->code ) {
            $portal->logger->error( 'LDAP StartTLS failed: ' . $mesg->error );
            return 0;