LDAP: permit overriding the CA root

2024-11-13 12:31:13 +00:00 · 2024-09-14 20:03:26 -04:00 · 2024-09-14 20:03:26 -04:00 · 5539fea3bb
commit 5539fea3bb
parent 7def11d7c3
5 changed files with 21 additions and 3 deletions
--- a/changelog.d/ldap-ca.add
+++ b/changelog.d/ldap-ca.add
@ -0,0 +1 @@
+LDAP configuration now permits overriding the CA root certificate file for TLS validation.
--- a/config/config.exs
+++ b/config/config.exs
@ -619,7 +619,9 @@ config :pleroma, :ldap,
  tls: System.get_env("LDAP_TLS") == "true",
  tlsopts: [],
  base: System.get_env("LDAP_BASE") || "dc=example,dc=com",
-  uid: System.get_env("LDAP_UID") || "cn"
+  uid: System.get_env("LDAP_UID") || "cn",
+  # defaults to CAStore's Mozilla roots
+  cacertfile: nil

 oauth_consumer_strategies =
  System.get_env("OAUTH_CONSUMER_STRATEGIES")
--- a/docs/configuration/cheatsheet.md
+++ b/docs/configuration/cheatsheet.md
@ -974,6 +974,7 @@ Pleroma account will be created with the same name as the LDAP user name.
 * `tlsopts`: additional TLS options
 * `base`: LDAP base, e.g. "dc=example,dc=com"
 * `uid`: LDAP attribute name to authenticate the user, e.g. when "cn", the filter will be "cn=username,base"
+* `cacertfile`: Path to alternate CA root certificates file

 Note, if your LDAP server is an Active Directory server the correct value is commonly `uid: "cn"`, but if you use an
 OpenLDAP server the value may be `uid: "uid"`.
--- a/lib/pleroma/web/auth/ldap_authenticator.ex
+++ b/lib/pleroma/web/auth/ldap_authenticator.ex
@ -42,11 +42,14 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
    ssl = Keyword.get(ldap, :ssl, false)
    sslopts = Keyword.get(ldap, :sslopts, [])
    tlsopts = Keyword.get(ldap, :tlsopts, [])
+    cacertfile = Keyword.get(ldap, :cacertfile) || CAStore.file_path()

    options =
      [{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++
        if sslopts != [], do: [{:sslopts, sslopts}], else: []

+    cacerts = decode_certfile(cacertfile)
+
    case :eldap.open([to_charlist(host)], options) do
      {:ok, connection} ->
        try do
@ -58,7 +61,7 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
                   Keyword.merge(
                     [
                       verify: :verify_peer,
-                       cacerts: :certifi.cacerts(),
+                       cacerts: cacerts,
                       customize_hostname_check: [
                         fqdn_fun: fn _ -> to_charlist(host) end
                       ]
@ -147,4 +150,16 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
      error -> error
    end
  end
+
+  defp decode_certfile(file) do
+    with {:ok, data} <- File.read(file) do
+      data
+      |> :public_key.pem_decode()
+      |> Enum.map(fn {_, b, _} -> b end)
+    else
+      _ ->
+        Logger.error("Unable to read certfile: #{file}")
+        []
+    end
+  end
 end
--- a/mix.exs
+++ b/mix.exs
@ -204,7 +204,6 @@ defmodule Pleroma.Mixfile do
      {:oban_live_dashboard, "~> 0.1.1"},
      {:multipart, "~> 0.4.0", optional: true},
      {:argon2_elixir, "~> 4.0"},
-      {:certifi, "~> 2.12"},

      ## dev & test
      {:phoenix_live_reload, "~> 1.3.3", only: :dev},
				`@ -0,0 +1 @@`
				`LDAP configuration now permits overriding the CA root certificate file for TLS validation.`