Support implicit TLS connections
Update docs to clarify that the :ssl option is also for modern TLS, but the :tls option is only for STARTTLS. These options may benefit from being renamed, but they match upstream terminology.
This commit is contained in:
parent
5539fea3bb
commit
af3bf8a462
3 changed files with 31 additions and 24 deletions
1
changelog.d/ldaps.fix
Normal file
1
changelog.d/ldaps.fix
Normal file
|
@ -0,0 +1 @@
|
||||||
|
LDAPS connections (implicit TLS) are now supported.
|
|
@ -968,9 +968,9 @@ Pleroma account will be created with the same name as the LDAP user name.
|
||||||
* `enabled`: enables LDAP authentication
|
* `enabled`: enables LDAP authentication
|
||||||
* `host`: LDAP server hostname
|
* `host`: LDAP server hostname
|
||||||
* `port`: LDAP port, e.g. 389 or 636
|
* `port`: LDAP port, e.g. 389 or 636
|
||||||
* `ssl`: true to use SSL, usually implies the port 636
|
* `ssl`: true to use implicit SSL/TLS, usually port 636
|
||||||
* `sslopts`: additional SSL options
|
* `sslopts`: additional SSL options
|
||||||
* `tls`: true to start TLS, usually implies the port 389
|
* `tls`: true to use explicit TLS (STARTTLS), usually port 389
|
||||||
* `tlsopts`: additional TLS options
|
* `tlsopts`: additional TLS options
|
||||||
* `base`: LDAP base, e.g. "dc=example,dc=com"
|
* `base`: LDAP base, e.g. "dc=example,dc=com"
|
||||||
* `uid`: LDAP attribute name to authenticate the user, e.g. when "cn", the filter will be "cn=username,base"
|
* `uid`: LDAP attribute name to authenticate the user, e.g. when "cn", the filter will be "cn=username,base"
|
||||||
|
|
|
@ -40,34 +40,39 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
|
||||||
host = Keyword.get(ldap, :host, "localhost")
|
host = Keyword.get(ldap, :host, "localhost")
|
||||||
port = Keyword.get(ldap, :port, 389)
|
port = Keyword.get(ldap, :port, 389)
|
||||||
ssl = Keyword.get(ldap, :ssl, false)
|
ssl = Keyword.get(ldap, :ssl, false)
|
||||||
sslopts = Keyword.get(ldap, :sslopts, [])
|
tls = Keyword.get(ldap, :tls, false)
|
||||||
tlsopts = Keyword.get(ldap, :tlsopts, [])
|
|
||||||
cacertfile = Keyword.get(ldap, :cacertfile) || CAStore.file_path()
|
cacertfile = Keyword.get(ldap, :cacertfile) || CAStore.file_path()
|
||||||
|
|
||||||
options =
|
default_secure_opts = [
|
||||||
[{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++
|
|
||||||
if sslopts != [], do: [{:sslopts, sslopts}], else: []
|
|
||||||
|
|
||||||
cacerts = decode_certfile(cacertfile)
|
|
||||||
|
|
||||||
case :eldap.open([to_charlist(host)], options) do
|
|
||||||
{:ok, connection} ->
|
|
||||||
try do
|
|
||||||
if Keyword.get(ldap, :tls, false) do
|
|
||||||
:application.ensure_all_started(:ssl)
|
|
||||||
|
|
||||||
case :eldap.start_tls(
|
|
||||||
connection,
|
|
||||||
Keyword.merge(
|
|
||||||
[
|
|
||||||
verify: :verify_peer,
|
verify: :verify_peer,
|
||||||
cacerts: cacerts,
|
cacerts: decode_certfile(cacertfile),
|
||||||
customize_hostname_check: [
|
customize_hostname_check: [
|
||||||
fqdn_fun: fn _ -> to_charlist(host) end
|
fqdn_fun: fn _ -> to_charlist(host) end
|
||||||
]
|
]
|
||||||
],
|
]
|
||||||
tlsopts
|
|
||||||
),
|
sslopts = Keyword.merge(default_secure_opts, Keyword.get(ldap, :sslopts, []))
|
||||||
|
tlsopts = Keyword.merge(default_secure_opts, Keyword.get(ldap, :tlsopts, []))
|
||||||
|
|
||||||
|
# :sslopts can only be included in :eldap.open/2 when {ssl: true}
|
||||||
|
# or the connection will fail
|
||||||
|
options =
|
||||||
|
if ssl do
|
||||||
|
[{:port, port}, {:ssl, ssl}, {:sslopts, sslopts}, {:timeout, @connection_timeout}]
|
||||||
|
else
|
||||||
|
[{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}]
|
||||||
|
end
|
||||||
|
|
||||||
|
case :eldap.open([to_charlist(host)], options) do
|
||||||
|
{:ok, connection} ->
|
||||||
|
cond do
|
||||||
|
ssl ->
|
||||||
|
:application.ensure_all_started(:ssl)
|
||||||
|
|
||||||
|
tls ->
|
||||||
|
case :eldap.start_tls(
|
||||||
|
connection,
|
||||||
|
tlsopts,
|
||||||
@connection_timeout
|
@connection_timeout
|
||||||
) do
|
) do
|
||||||
:ok ->
|
:ok ->
|
||||||
|
@ -75,13 +80,14 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
|
||||||
|
|
||||||
error ->
|
error ->
|
||||||
Logger.error("Could not start TLS: #{inspect(error)}")
|
Logger.error("Could not start TLS: #{inspect(error)}")
|
||||||
|
:eldap.close(connection)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
true ->
|
||||||
|
:ok
|
||||||
end
|
end
|
||||||
|
|
||||||
bind_user(connection, ldap, name, password)
|
bind_user(connection, ldap, name, password)
|
||||||
after
|
|
||||||
:eldap.close(connection)
|
|
||||||
end
|
|
||||||
|
|
||||||
{:error, error} ->
|
{:error, error} ->
|
||||||
Logger.error("Could not open LDAP connection: #{inspect(error)}")
|
Logger.error("Could not open LDAP connection: #{inspect(error)}")
|
||||||
|
|
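Review bot: In the `error ->` branch of `:eldap.start_tls` the newly added `:eldap.close(connection)` does not stop the flow — the `cond` simply returns and `bind_user(connection, ldap, name, password)` is still called on the closed handle, so a STARTTLS failure surfaces as a bind failure instead of the TLS error that was logged. At the same time the `try ... after :eldap.close(connection) end` around the bind has been removed, so on the success path and after a failed bind nothing in this hunk closes the connection any more (unless `bind_user`, which is outside the hunk, does so — worth confirming). I would have the `cond` produce a result, bind only when it is `:ok`, and restore the `after` close; the value returned on failure should match whatever the `{:error, error} ->` branch below returns (its body continues outside the hunk). Separately, in the first hunk of this file `:application.ensure_all_started(:ssl)` now runs in the `ssl ->` branch only after `:eldap.open/2` has already negotiated the TLS connection, and no longer runs before `start_tls`; if the call is needed at all it belongs before `:eldap.open/2`, which is why the sketch below drops it from the `cond`.
```elixir
        {:ok, connection} ->
          secured =
            cond do
              tls ->
                case :eldap.start_tls(connection, tlsopts, @connection_timeout) do
                  :ok ->
                    :ok

                  error ->
                    Logger.error("Could not start TLS: #{inspect(error)}")
                    {:error, error}
                end

              true ->
                # ssl: true was negotiated by :eldap.open/2; otherwise plaintext as configured
                :ok
            end

          try do
            case secured do
              :ok -> bind_user(connection, ldap, name, password)
              error -> error
            end
          after
            :eldap.close(connection)
          end

        # … unchanged: {:error, error} -> branch …
```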