Add ldap_tls_cacertfile and ldap_tls_depth options (EJAB-1299)
This commit is contained in:
parent
0b1f3ca148
commit
8760eef677
@ -518,6 +518,8 @@ parse_options(Host) ->
|
|||||||
end,
|
end,
|
||||||
LDAPEncrypt = ejabberd_config:get_local_option({ldap_encrypt, Host}),
|
LDAPEncrypt = ejabberd_config:get_local_option({ldap_encrypt, Host}),
|
||||||
LDAPTLSVerify = ejabberd_config:get_local_option({ldap_tls_verify, Host}),
|
LDAPTLSVerify = ejabberd_config:get_local_option({ldap_tls_verify, Host}),
|
||||||
|
LDAPTLSCAFile = ejabberd_config:get_local_option({ldap_tls_cacertfile, Host}),
|
||||||
|
LDAPTLSDepth = ejabberd_config:get_local_option({ldap_tls_depth, Host}),
|
||||||
LDAPPort = case ejabberd_config:get_local_option({ldap_port, Host}) of
|
LDAPPort = case ejabberd_config:get_local_option({ldap_port, Host}) of
|
||||||
undefined -> case LDAPEncrypt of
|
undefined -> case LDAPEncrypt of
|
||||||
tls -> ?LDAPS_PORT;
|
tls -> ?LDAPS_PORT;
|
||||||
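Review bot: The new `LDAPTLSCAFile` and `LDAPTLSDepth` bindings pass whatever the config holds straight into `tls_options` with no validation, so a CA file path that does not exist, or a depth that is not a non-negative integer, is not reported at config-parse time; judging by the eldap hunk below, a bad depth is silently dropped and a missing CA file only surfaces when the LDAP connection is attempted. A check here, e.g. `true = LDAPTLSCAFile == undefined orelse filelib:is_regular(LDAPTLSCAFile),` (crashing at startup is the usual ejabberd way to reject bad config), would make the misconfiguration visible when the host is loaded rather than at the first bind. The same applies to the two `parse_options(Host, Opts)` hunks further down. `parse_options/1` starts and ends outside the hunk.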
@ -565,7 +567,9 @@ parse_options(Host) ->
|
|||||||
backups = LDAPBackups,
|
backups = LDAPBackups,
|
||||||
port = LDAPPort,
|
port = LDAPPort,
|
||||||
tls_options = [{encrypt, LDAPEncrypt},
|
tls_options = [{encrypt, LDAPEncrypt},
|
||||||
{tls_verify, LDAPTLSVerify}],
|
{tls_verify, LDAPTLSVerify},
|
||||||
|
{tls_cacertfile, LDAPTLSCAFile},
|
||||||
|
{tls_depth, LDAPTLSDepth}],
|
||||||
dn = RootDN,
|
dn = RootDN,
|
||||||
password = Password,
|
password = Password,
|
||||||
base = LDAPBase,
|
base = LDAPBase,
|
||||||
|
@ -445,13 +445,28 @@ init({Hosts, Port, Rootdn, Passwd, Opts}) ->
|
|||||||
end;
|
end;
|
||||||
PT -> PT
|
PT -> PT
|
||||||
end,
|
end,
|
||||||
TLSOpts = case proplists:get_value(tls_verify, Opts) of
|
CacertOpts = case proplists:get_value(tls_cacertfile, Opts) of
|
||||||
soft ->
|
[_|_] = Path -> [{cacertfile, Path}];
|
||||||
[{verify, 1}];
|
_ -> []
|
||||||
hard ->
|
end,
|
||||||
[{verify, 2}];
|
DepthOpts = case proplists:get_value(tls_depth, Opts) of
|
||||||
_ ->
|
Depth when is_integer(Depth), Depth >= 0 ->
|
||||||
[{verify, 0}]
|
[{depth, Depth}];
|
||||||
|
_ -> []
|
||||||
|
end,
|
||||||
|
Verify = proplists:get_value(tls_verify, Opts),
|
||||||
|
TLSOpts = if (Verify == hard orelse Verify == soft)
|
||||||
|
andalso CacertOpts == [] ->
|
||||||
|
?WARNING_MSG("TLS verification is enabled "
|
||||||
|
"but no CA certfiles configured, so "
|
||||||
|
"verification is disabled.", []),
|
||||||
|
[];
|
||||||
|
Verify == soft ->
|
||||||
|
[{verify, 1}] ++ CacertOpts ++ DepthOpts;
|
||||||
|
Verify == hard ->
|
||||||
|
[{verify, 2}] ++ CacertOpts ++ DepthOpts;
|
||||||
|
true ->
|
||||||
|
[]
|
||||||
end,
|
end,
|
||||||
{ok, connecting, #eldap{hosts = Hosts,
|
{ok, connecting, #eldap{hosts = Hosts,
|
||||||
port = PortTemp,
|
port = PortTemp,
|
||||||
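Review bot: In the `TLSOpts` `if`, `tls_verify = hard` with no CA file configured logs a warning and yields `[]`, so a connection the operator asked to be strictly verified is made with no certificate verification at all, and the warning is the only signal. For `hard` the safer behaviour is to fail closed, for instance a clause `Verify == hard andalso CacertOpts == [] -> erlang:error({missing_option, ldap_tls_cacertfile});` ahead of the warning branch, leaving the warn-and-continue path to `soft` only. Note also that a `tls_cacertfile` that is not a non-empty list and a `tls_depth` that is not a non-negative integer both hit the `_ -> []` clauses silently, and the CA case then triggers this same fallback; logging the rejected value in those clauses would show why verification went away. `init/1` starts outside the hunk.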
@ -957,18 +972,21 @@ polish([], Res, Ref) ->
|
|||||||
connect_bind(S) ->
|
connect_bind(S) ->
|
||||||
Host = next_host(S#eldap.host, S#eldap.hosts),
|
Host = next_host(S#eldap.host, S#eldap.hosts),
|
||||||
?INFO_MSG("LDAP connection on ~s:~p", [Host, S#eldap.port]),
|
?INFO_MSG("LDAP connection on ~s:~p", [Host, S#eldap.port]),
|
||||||
|
Opts = if S#eldap.tls == tls ->
|
||||||
|
[{packet, asn1}, {active, true}, {keepalive, true},
|
||||||
|
binary | S#eldap.tls_options];
|
||||||
|
true ->
|
||||||
|
[{packet, asn1}, {active, true}, {keepalive, true},
|
||||||
|
{send_timeout, ?SEND_TIMEOUT}, binary]
|
||||||
|
end,
|
||||||
SocketData = case S#eldap.tls of
|
SocketData = case S#eldap.tls of
|
||||||
tls ->
|
tls ->
|
||||||
SockMod = ssl,
|
SockMod = ssl,
|
||||||
SslOpts = [{packet, asn1}, {active, true}, {keepalive, true},
|
ssl:connect(Host, S#eldap.port, Opts);
|
||||||
binary | S#eldap.tls_options],
|
|
||||||
ssl:connect(Host, S#eldap.port, SslOpts);
|
|
||||||
%% starttls -> %% TODO: Implement STARTTLS;
|
%% starttls -> %% TODO: Implement STARTTLS;
|
||||||
_ ->
|
_ ->
|
||||||
SockMod = gen_tcp,
|
SockMod = gen_tcp,
|
||||||
TcpOpts = [{packet, asn1}, {active, true}, {keepalive, true},
|
gen_tcp:connect(Host, S#eldap.port, Opts)
|
||||||
{send_timeout, ?SEND_TIMEOUT}, binary],
|
|
||||||
gen_tcp:connect(Host, S#eldap.port, TcpOpts)
|
|
||||||
end,
|
end,
|
||||||
case SocketData of
|
case SocketData of
|
||||||
{ok, Socket} ->
|
{ok, Socket} ->
|
||||||
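Review bot: The TLS branch of the new `Opts` binding omits the `{send_timeout, ?SEND_TIMEOUT}` that the plain-TCP branch sets, so a TLS session to a peer that stops reading has no send timeout; the old `SslOpts` had the same gap, but this rewrite is the place to close it, since `ssl:connect/3` accepts the gen_tcp socket options. Building one common list and appending the TLS options would remove the asymmetry: `Common = [{packet, asn1}, {active, true}, {keepalive, true}, {send_timeout, ?SEND_TIMEOUT}, binary],` then `Opts = if S#eldap.tls == tls -> Common ++ S#eldap.tls_options; true -> Common end,`. `connect_bind/1` continues past the end of the hunk.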
@ -986,8 +1004,11 @@ connect_bind(S) ->
|
|||||||
{ok, connecting, NewS#eldap{host = Host}}
|
{ok, connecting, NewS#eldap{host = Host}}
|
||||||
end;
|
end;
|
||||||
{error, Reason} ->
|
{error, Reason} ->
|
||||||
?ERROR_MSG("LDAP connection failed on ~s:~p~nReason: ~p",
|
?ERROR_MSG("LDAP connection failed:~n"
|
||||||
[Host, S#eldap.port, Reason]),
|
"** Server: ~s:~p~n"
|
||||||
|
"** Reason: ~p~n"
|
||||||
|
"** Socket options: ~p",
|
||||||
|
[Host, S#eldap.port, Reason, Opts]),
|
||||||
NewS = close_and_retry(S),
|
NewS = close_and_retry(S),
|
||||||
{ok, connecting, NewS#eldap{host = Host}}
|
{ok, connecting, NewS#eldap{host = Host}}
|
||||||
end.
|
end.
|
||||||
|
@ -495,6 +495,17 @@ parse_options(Host, Opts) ->
|
|||||||
ejabberd_config:get_local_option({ldap_tls_verify, Host});
|
ejabberd_config:get_local_option({ldap_tls_verify, Host});
|
||||||
Verify -> Verify
|
Verify -> Verify
|
||||||
end,
|
end,
|
||||||
|
LDAPTLSCAFile = case gen_mod:get_opt(ldap_tls_cacertfile, Opts, undefined) of
|
||||||
|
undefined ->
|
||||||
|
ejabberd_config:get_local_option({ldap_tls_cacertfile, Host});
|
||||||
|
CAFile -> CAFile
|
||||||
|
end,
|
||||||
|
LDAPTLSDepth = case gen_mod:get_opt(ldap_tls_depth, Opts, undefined) of
|
||||||
|
undefined ->
|
||||||
|
ejabberd_config:get_local_option({ldap_tls_depth, Host});
|
||||||
|
Depth ->
|
||||||
|
Depth
|
||||||
|
end,
|
||||||
LDAPPort = case gen_mod:get_opt(ldap_port, Opts, undefined) of
|
LDAPPort = case gen_mod:get_opt(ldap_port, Opts, undefined) of
|
||||||
undefined ->
|
undefined ->
|
||||||
case ejabberd_config:get_local_option({ldap_port, Host}) of
|
case ejabberd_config:get_local_option({ldap_port, Host}) of
|
||||||
@ -666,7 +677,9 @@ parse_options(Host, Opts) ->
|
|||||||
backups = LDAPBackups,
|
backups = LDAPBackups,
|
||||||
port = LDAPPort,
|
port = LDAPPort,
|
||||||
tls_options = [{encrypt, LDAPEncrypt},
|
tls_options = [{encrypt, LDAPEncrypt},
|
||||||
{tls_verify, LDAPTLSVerify}],
|
{tls_verify, LDAPTLSVerify},
|
||||||
|
{tls_cacertfile, LDAPTLSCAFile},
|
||||||
|
{tls_depth, LDAPTLSDepth}],
|
||||||
dn = RootDN,
|
dn = RootDN,
|
||||||
base = LDAPBase,
|
base = LDAPBase,
|
||||||
password = Password,
|
password = Password,
|
||||||
|
@ -672,6 +672,17 @@ parse_options(Host, Opts) ->
|
|||||||
ejabberd_config:get_local_option({ldap_tls_verify, Host});
|
ejabberd_config:get_local_option({ldap_tls_verify, Host});
|
||||||
Verify -> Verify
|
Verify -> Verify
|
||||||
end,
|
end,
|
||||||
|
LDAPTLSCAFile = case gen_mod:get_opt(ldap_tls_cacertfile, Opts, undefined) of
|
||||||
|
undefined ->
|
||||||
|
ejabberd_config:get_local_option({ldap_tls_cacertfile, Host});
|
||||||
|
CAFile -> CAFile
|
||||||
|
end,
|
||||||
|
LDAPTLSDepth = case gen_mod:get_opt(ldap_tls_depth, Opts, undefined) of
|
||||||
|
undefined ->
|
||||||
|
ejabberd_config:get_local_option({ldap_tls_depth, Host});
|
||||||
|
Depth ->
|
||||||
|
Depth
|
||||||
|
end,
|
||||||
LDAPPortTemp = case gen_mod:get_opt(ldap_port, Opts, undefined) of
|
LDAPPortTemp = case gen_mod:get_opt(ldap_port, Opts, undefined) of
|
||||||
undefined ->
|
undefined ->
|
||||||
ejabberd_config:get_local_option({ldap_port, Host});
|
ejabberd_config:get_local_option({ldap_port, Host});
|
||||||
@ -757,7 +768,9 @@ parse_options(Host, Opts) ->
|
|||||||
backups = LDAPBackups,
|
backups = LDAPBackups,
|
||||||
port = LDAPPort,
|
port = LDAPPort,
|
||||||
tls_options = [{encrypt, LDAPEncrypt},
|
tls_options = [{encrypt, LDAPEncrypt},
|
||||||
{tls_verify, LDAPTLSVerify}],
|
{tls_verify, LDAPTLSVerify},
|
||||||
|
{tls_cacertfile, LDAPTLSCAFile},
|
||||||
|
{tls_depth, LDAPTLSDepth}],
|
||||||
dn = RootDN,
|
dn = RootDN,
|
||||||
base = LDAPBase,
|
base = LDAPBase,
|
||||||
password = Password,
|
password = Password,
|
||||||
|