LDAP: permit overriding the CA root
This commit is contained in:
parent
7def11d7c3
commit
5539fea3bb
5 changed files with 21 additions and 3 deletions
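--- a/changelog.d/ldap-ca.add
+++ b/changelog.d/ldap-ca.add
@@ -0,0 +1 @@
+LDAP configuration now permits overriding the CA root certificate file for TLS validation.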
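--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -619,7 +619,9 @@ config :pleroma, :ldap,
 tls: System.get_env("LDAP_TLS") == "true",
 tlsopts: [],
 base: System.get_env("LDAP_BASE") || "dc=example,dc=com",
-uid: System.get_env("LDAP_UID") || "cn"
+uid: System.get_env("LDAP_UID") || "cn",
+# defaults to CAStore's Mozilla roots
+cacertfile: nil
 
 oauth_consumer_strategies =
 System.get_env("OAUTH_CONSUMER_STRATEGIES")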
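Review bot: `cacertfile: nil` is the only key in this block not taken from the environment, while the neighbouring `tls`, `base` and `uid` read `LDAP_*` variables; if the env-var convention is meant to cover every LDAP setting, `cacertfile: System.get_env("LDAP_CACERTFILE")` (variable name chosen here for illustration) keeps it, with an unset variable still yielding `nil` and thus the CAStore default described by the comment above it. The `config :pleroma, :ldap,` block begins before the hunk.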
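--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -974,6 +974,7 @@ Pleroma account will be created with the same name as the LDAP user name.
 * `tlsopts`: additional TLS options
 * `base`: LDAP base, e.g. "dc=example,dc=com"
 * `uid`: LDAP attribute name to authenticate the user, e.g. when "cn", the filter will be "cn=username,base"
+* `cacertfile`: Path to alternate CA root certificates file
 
 Note, if your LDAP server is an Active Directory server the correct value is commonly `uid: "cn"`, but if you use an
 OpenLDAP server the value may be `uid: "uid"`.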
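--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -42,11 +42,14 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
 ssl = Keyword.get(ldap, :ssl, false)
 sslopts = Keyword.get(ldap, :sslopts, [])
 tlsopts = Keyword.get(ldap, :tlsopts, [])
+cacertfile = Keyword.get(ldap, :cacertfile) || CAStore.file_path()
 
 options =
 [{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++
 if sslopts != [], do: [{:sslopts, sslopts}], else: []
 
+cacerts = decode_certfile(cacertfile)
+
 case :eldap.open([to_charlist(host)], options) do
 {:ok, connection} ->
 try do
@@ -58,7 +61,7 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
 Keyword.merge(
 [
 verify: :verify_peer,
-cacerts: :certifi.cacerts(),
+cacerts: cacerts,
 customize_hostname_check: [
 fqdn_fun: fn _ -> to_charlist(host) end
 ]
@@ -147,4 +150,16 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
 error -> error
 end
 end
+
+defp decode_certfile(file) do
+with {:ok, data} <- File.read(file) do
+data
+|> :public_key.pem_decode()
+|> Enum.map(fn {_, b, _} -> b end)
+else
+_ ->
+Logger.error("Unable to read certfile: #{file}")
+[]
+end
+end
 end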
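Review bot: `decode_certfile/1` in the third hunk accepts every PEM entry as a trust anchor whatever its type; `:public_key.pem_decode/1` also returns key, CSR and CRL entries, and handing their DER to `cacerts:` would most likely make `:ssl` reject the option rather than report a clear configuration error. Keeping only certificates, `|> Enum.flat_map(fn {:Certificate, der, :not_encrypted} -> [der]; _ -> [] end)`, is a one-line change. The `else` clause also discards the `File.read/1` reason; `{:error, reason} -> Logger.error("Unable to read certfile #{file}: #{inspect(reason)}")` says why it failed, and a similar log when the decoded list is empty would make a non-PEM file visible before the handshake fails with an unknown-CA error. The first hunk decodes the file on every `:eldap.open` call, before it is known whether the TLS branch in the second hunk is taken; moving the decode under that branch (or caching the result) avoids reading and parsing the whole bundle per login. The enclosing functions start and end outside these hunks.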
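--- a/mix.exs
+++ b/mix.exs
@@ -204,7 +204,6 @@ defmodule Pleroma.Mixfile do
 {:oban_live_dashboard, "~> 0.1.1"},
 {:multipart, "~> 0.4.0", optional: true},
 {:argon2_elixir, "~> 4.0"},
-{:certifi, "~> 2.12"},
 
 ## dev & test
 {:phoenix_live_reload, "~> 1.3.3", only: :dev},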