Support implicit TLS connections

Update docs to clarify that the :ssl option is also for modern TLS, but the :tls option is only for STARTTLS

These options may benefit from being renamed but they match upstream terminology.
This commit is contained in:
Mark Felder 2024-09-15 13:56:16 -04:00
parent 5539fea3bb
commit af3bf8a462
3 changed files with 31 additions and 24 deletions

1
changelog.d/ldaps.fix Normal file
View file

@ -0,0 +1 @@
LDAPS connections (implicit TLS) are now supported.

View file

@ -968,9 +968,9 @@ Pleroma account will be created with the same name as the LDAP user name.
* `enabled`: enables LDAP authentication
* `host`: LDAP server hostname
* `port`: LDAP port, e.g. 389 or 636
* `ssl`: true to use SSL, usually implies the port 636
* `ssl`: true to use implicit SSL/TLS, usually port 636
* `sslopts`: additional SSL options
* `tls`: true to start TLS, usually implies the port 389
* `tls`: true to use explicit TLS (STARTTLS), usually port 389
* `tlsopts`: additional TLS options
* `base`: LDAP base, e.g. "dc=example,dc=com"
* `uid`: LDAP attribute name to authenticate the user, e.g. when "cn", the filter will be "cn=username,base"

View file

@ -40,34 +40,39 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
host = Keyword.get(ldap, :host, "localhost")
port = Keyword.get(ldap, :port, 389)
ssl = Keyword.get(ldap, :ssl, false)
sslopts = Keyword.get(ldap, :sslopts, [])
tlsopts = Keyword.get(ldap, :tlsopts, [])
tls = Keyword.get(ldap, :tls, false)
cacertfile = Keyword.get(ldap, :cacertfile) || CAStore.file_path()
options =
[{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++
if sslopts != [], do: [{:sslopts, sslopts}], else: []
cacerts = decode_certfile(cacertfile)
case :eldap.open([to_charlist(host)], options) do
{:ok, connection} ->
try do
if Keyword.get(ldap, :tls, false) do
:application.ensure_all_started(:ssl)
case :eldap.start_tls(
connection,
Keyword.merge(
[
default_secure_opts = [
verify: :verify_peer,
cacerts: cacerts,
cacerts: decode_certfile(cacertfile),
customize_hostname_check: [
fqdn_fun: fn _ -> to_charlist(host) end
]
],
tlsopts
),
]
sslopts = Keyword.merge(default_secure_opts, Keyword.get(ldap, :sslopts, []))
tlsopts = Keyword.merge(default_secure_opts, Keyword.get(ldap, :tlsopts, []))
# :sslopts can only be included in :eldap.open/2 when {ssl: true}
# or the connection will fail
options =
if ssl do
[{:port, port}, {:ssl, ssl}, {:sslopts, sslopts}, {:timeout, @connection_timeout}]
else
[{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}]
end
case :eldap.open([to_charlist(host)], options) do
{:ok, connection} ->
cond do
ssl ->
:application.ensure_all_started(:ssl)
tls ->
case :eldap.start_tls(
connection,
tlsopts,
@connection_timeout
) do
:ok ->
@ -75,13 +80,14 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
error ->
Logger.error("Could not start TLS: #{inspect(error)}")
:eldap.close(connection)
end
true ->
:ok
end
bind_user(connection, ldap, name, password)
after
:eldap.close(connection)
end
{:error, error} ->
Logger.error("Could not open LDAP connection: #{inspect(error)}")