From 91bf5323a5a58acc808ece1b069c759603ca45ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Eero=20H=C3=A4kkinen?= Date: Mon, 7 Mar 2022 23:53:14 +0200 Subject: [PATCH] Support TLS parameters for ldaps URIs --- doc/sources/admin/authldap.rst | 8 ++--- .../lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm | 32 ++++++++++--------- 2 files changed, 21 insertions(+), 19 deletions(-) diff --git a/doc/sources/admin/authldap.rst b/doc/sources/admin/authldap.rst index 251a65294..7837773a2 100644 --- a/doc/sources/admin/authldap.rst +++ b/doc/sources/admin/authldap.rst @@ -74,12 +74,12 @@ Connection - More than one server can be set here separated by spaces or commas. They will be tested in the specified order. - - To use TLS, set ``ldap+tls://server`` and to use LDAPS, set + - To use StartTLS, set ``ldap+tls://server`` and to use LDAPS, set ``ldaps://server`` instead of server name. - - If you use TLS, you can set any of the + - If you use StartTLS or LDAPS, you can set any of the `Net::LDAP `__ - start_tls() sub like - ``ldap+tls://server/verify=none&capath=/etc/ssl``. You can + start_tls() options in the URL, such as ``ldap+tls://server/verify=none`` + or ``ldaps://server/cafile=/etc/ssl/ca.pem&sslversion=tlsv1_2``. You can also use cafile and capath parameters. - **Server port**: TCP port used by LDAP server if different from the standard diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm index 0233cf78e..4240c7866 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm 
@@ -24,32 +24,38 @@ sub new {
 my $portal = $args->{p} or die "$class : p argument required !";
 my $conf = $args->{conf} or die "$class : conf argument required !";
 my $self;
- my $useTls = 0;
- my $tlsParam;
+ my $useStartTls = 0;
+ my %tlsParams;
 my @servers = ();
 foreach my $server ( split /[\s,]+/, $conf->{ldapServer} ) {
 if ( $server =~ m{^ldap\+tls://([^/]+)/?\??(.*)$} ) {
- $useTls = 1;
- $server = $1;
- $tlsParam = $2 || "";
+ $useStartTls = 1;
+ $server = $1;
+ %tlsParams = split( /[&=]/, $2 || "" );
+ }
+ elsif ( $server =~ m{^(ldaps://[^/]+)/?\??(.*)$} ) {
+ $useStartTls = 0;
+ $server = $1;
+ %tlsParams = split( /[&=]/, $2 || "" );
 }
 else {
- $useTls = 0;
+ $useStartTls = 0;
 }
 push @servers, $server;
 }
+ $tlsParams{cafile} ||= $conf->{ldapCAFile} if ( $conf->{ldapCAFile} );
+ $tlsParams{capath} ||= $conf->{ldapCAPath} if ( $conf->{ldapCAPath} );
+ $tlsParams{verify} ||= $conf->{ldapVerify} if ( $conf->{ldapVerify} );
 $self = Net::LDAP->new(
 \@servers,
 onerror => undef,
 keepalive => 1,
+ %tlsParams,
 ( $conf->{ldapPort} ? ( port => $conf->{ldapPort} ) : () ),
 ( $conf->{ldapTimeout} ? ( timeout => $conf->{ldapTimeout} ) : () ),
 ( $conf->{ldapVersion} ? ( version => $conf->{ldapVersion} ) : () ),
 ( $conf->{ldapRaw} ? ( raw => $conf->{ldapRaw} ) : () ),
- ( $conf->{ldapCAFile} ? ( cafile => $conf->{ldapCAFile} ) : () ),
- ( $conf->{ldapCAPath} ? ( capath => $conf->{ldapCAPath} ) : () ),
- ( $conf->{ldapVerify} ? ( verify => $conf->{ldapVerify} ) : () ),
 );
 unless ($self) {
 $portal->logger->error( "LDAP initialization error: " . $@ );
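Review bot: `$useStartTls` and `%tlsParams` are overwritten on each pass of the `foreach` over `$conf->{ldapServer}`, so when several servers are listed only the last entry decides whether StartTLS runs and which TLS options are passed, while `Net::LDAP->new(\@servers, ...)` connects to the first server that answers (the list is "tested in the specified order" per the doc hunk); with a constructed list `ldap+tls://a ldaps://b`, `a` is reduced to a bare hostname and `$useStartTls` ends up 0, so a connection to `a` would be plaintext. The `else` branch also resets only `$useStartTls`, never `%tlsParams`, so options from an earlier URL carry over to a later plain entry. Last-entry-wins predates this commit, but the new `elsif` branch widens it; unless mixed schemes are meant to be unsupported, the loop should record the mode per server or reject a list whose entries disagree, e.g. `die "$class : all ldapServer entries must use the same scheme"` when a later entry's mode differs from the first. Separately, `%tlsParams = split( /[&=]/, $2 || "" )` produces an odd-element hash (undef value plus a warning) for a malformed query and cannot carry a value containing `=` or `&` such as a `cafile` path, and nothing URL-decodes the values; when neither the URL nor `ldapVerify` sets `verify`, Net::LDAP's own default applies (which I believe is `none` — worth confirming and stating in the doc). `sub new` starts before and continues after this hunk.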
@@ -77,12 +83,8 @@ sub new {
 $socket->read_timeout( $conf->{ldapIOTimeout} );
 $socket->write_timeout( $conf->{ldapIOTimeout} );
- if ($useTls) {
- my %h = split( /[&=]/, $tlsParam );
- $h{cafile} ||= $conf->{ldapCAFile} if ( $conf->{ldapCAFile} );
- $h{capath} ||= $conf->{ldapCAPath} if ( $conf->{ldapCAPath} );
- $h{verify} ||= $conf->{ldapVerify} if ( $conf->{ldapVerify} );
- my $mesg = $self->start_tls(%h);
+ if ($useStartTls) {
+ my $mesg = $self->start_tls(%tlsParams);
 if ( $mesg->code ) {
 $portal->logger->error( 'LDAP StartTLS failed: ' . $mesg->error );
 return 0;