LDAP Auth: fix TLS certificate verification

Currently we only support STARTTLS and it was not verifying certificate and hostname correctly. We must pass a custom fqdn_fun/1 function so it knows what value to compare against.
2024-11-11 11:31:32 +00:00 · 2024-09-11 12:45:33 -04:00 · 2024-09-11 12:45:33 -04:00 · 7def11d7c3
commit 7def11d7c3
parent 20e82c7456
3 changed files with 13 additions and 1 deletions
--- a/changelog.d/ldap-tls.fix
+++ b/changelog.d/ldap-tls.fix
@ -0,0 +1 @@
+STARTTLS certificate and hostname verification for LDAP authentication
--- a/lib/pleroma/web/auth/ldap_authenticator.ex
+++ b/lib/pleroma/web/auth/ldap_authenticator.ex
@ -41,6 +41,7 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
    port = Keyword.get(ldap, :port, 389)
    ssl = Keyword.get(ldap, :ssl, false)
    sslopts = Keyword.get(ldap, :sslopts, [])
+    tlsopts = Keyword.get(ldap, :tlsopts, [])

    options =
      [{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++
@ -54,7 +55,16 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do

            case :eldap.start_tls(
                   connection,
-                   Keyword.get(ldap, :tlsopts, []),
+                   Keyword.merge(
+                     [
+                       verify: :verify_peer,
+                       cacerts: :certifi.cacerts(),
+                       customize_hostname_check: [
+                         fqdn_fun: fn _ -> to_charlist(host) end
+                       ]
+                     ],
+                     tlsopts
+                   ),
                   @connection_timeout
                 ) do
              :ok ->
--- a/mix.exs
+++ b/mix.exs
@ -204,6 +204,7 @@ defmodule Pleroma.Mixfile do
      {:oban_live_dashboard, "~> 0.1.1"},
      {:multipart, "~> 0.4.0", optional: true},
      {:argon2_elixir, "~> 4.0"},
+      {:certifi, "~> 2.12"},

      ## dev & test
      {:phoenix_live_reload, "~> 1.3.3", only: :dev},
				`@ -0,0 +1 @@`
				`STARTTLS certificate and hostname verification for LDAP authentication`