25
1
mirror of https://github.com/processone/ejabberd.git synced 2024-11-26 16:26:24 +01:00

Add ldap_tls_cacertfile and ldap_tls_depth options (EJAB-1299)

This commit is contained in:
Evgeniy Khramtsov 2011-07-13 15:40:27 +10:00
parent 0b1f3ca148
commit 8760eef677
4 changed files with 70 additions and 19 deletions

View File

@ -518,6 +518,8 @@ parse_options(Host) ->
end, end,
LDAPEncrypt = ejabberd_config:get_local_option({ldap_encrypt, Host}), LDAPEncrypt = ejabberd_config:get_local_option({ldap_encrypt, Host}),
LDAPTLSVerify = ejabberd_config:get_local_option({ldap_tls_verify, Host}), LDAPTLSVerify = ejabberd_config:get_local_option({ldap_tls_verify, Host}),
LDAPTLSCAFile = ejabberd_config:get_local_option({ldap_tls_cacertfile, Host}),
LDAPTLSDepth = ejabberd_config:get_local_option({ldap_tls_depth, Host}),
LDAPPort = case ejabberd_config:get_local_option({ldap_port, Host}) of LDAPPort = case ejabberd_config:get_local_option({ldap_port, Host}) of
undefined -> case LDAPEncrypt of undefined -> case LDAPEncrypt of
tls -> ?LDAPS_PORT; tls -> ?LDAPS_PORT;
@ -565,7 +567,9 @@ parse_options(Host) ->
backups = LDAPBackups, backups = LDAPBackups,
port = LDAPPort, port = LDAPPort,
tls_options = [{encrypt, LDAPEncrypt}, tls_options = [{encrypt, LDAPEncrypt},
{tls_verify, LDAPTLSVerify}], {tls_verify, LDAPTLSVerify},
{tls_cacertfile, LDAPTLSCAFile},
{tls_depth, LDAPTLSDepth}],
dn = RootDN, dn = RootDN,
password = Password, password = Password,
base = LDAPBase, base = LDAPBase,

View File

@ -445,13 +445,28 @@ init({Hosts, Port, Rootdn, Passwd, Opts}) ->
end; end;
PT -> PT PT -> PT
end, end,
TLSOpts = case proplists:get_value(tls_verify, Opts) of CacertOpts = case proplists:get_value(tls_cacertfile, Opts) of
soft -> [_|_] = Path -> [{cacertfile, Path}];
[{verify, 1}]; _ -> []
hard -> end,
[{verify, 2}]; DepthOpts = case proplists:get_value(tls_depth, Opts) of
_ -> Depth when is_integer(Depth), Depth >= 0 ->
[{verify, 0}] [{depth, Depth}];
_ -> []
end,
Verify = proplists:get_value(tls_verify, Opts),
TLSOpts = if (Verify == hard orelse Verify == soft)
andalso CacertOpts == [] ->
?WARNING_MSG("TLS verification is enabled "
"but no CA certfiles configured, so "
"verification is disabled.", []),
[];
Verify == soft ->
[{verify, 1}] ++ CacertOpts ++ DepthOpts;
Verify == hard ->
[{verify, 2}] ++ CacertOpts ++ DepthOpts;
true ->
[]
end, end,
{ok, connecting, #eldap{hosts = Hosts, {ok, connecting, #eldap{hosts = Hosts,
port = PortTemp, port = PortTemp,
@ -957,18 +972,21 @@ polish([], Res, Ref) ->
connect_bind(S) -> connect_bind(S) ->
Host = next_host(S#eldap.host, S#eldap.hosts), Host = next_host(S#eldap.host, S#eldap.hosts),
?INFO_MSG("LDAP connection on ~s:~p", [Host, S#eldap.port]), ?INFO_MSG("LDAP connection on ~s:~p", [Host, S#eldap.port]),
Opts = if S#eldap.tls == tls ->
[{packet, asn1}, {active, true}, {keepalive, true},
binary | S#eldap.tls_options];
true ->
[{packet, asn1}, {active, true}, {keepalive, true},
{send_timeout, ?SEND_TIMEOUT}, binary]
end,
SocketData = case S#eldap.tls of SocketData = case S#eldap.tls of
tls -> tls ->
SockMod = ssl, SockMod = ssl,
SslOpts = [{packet, asn1}, {active, true}, {keepalive, true}, ssl:connect(Host, S#eldap.port, Opts);
binary | S#eldap.tls_options],
ssl:connect(Host, S#eldap.port, SslOpts);
%% starttls -> %% TODO: Implement STARTTLS; %% starttls -> %% TODO: Implement STARTTLS;
_ -> _ ->
SockMod = gen_tcp, SockMod = gen_tcp,
TcpOpts = [{packet, asn1}, {active, true}, {keepalive, true}, gen_tcp:connect(Host, S#eldap.port, Opts)
{send_timeout, ?SEND_TIMEOUT}, binary],
gen_tcp:connect(Host, S#eldap.port, TcpOpts)
end, end,
case SocketData of case SocketData of
{ok, Socket} -> {ok, Socket} ->
@ -986,8 +1004,11 @@ connect_bind(S) ->
{ok, connecting, NewS#eldap{host = Host}} {ok, connecting, NewS#eldap{host = Host}}
end; end;
{error, Reason} -> {error, Reason} ->
?ERROR_MSG("LDAP connection failed on ~s:~p~nReason: ~p", ?ERROR_MSG("LDAP connection failed:~n"
[Host, S#eldap.port, Reason]), "** Server: ~s:~p~n"
"** Reason: ~p~n"
"** Socket options: ~p",
[Host, S#eldap.port, Reason, Opts]),
NewS = close_and_retry(S), NewS = close_and_retry(S),
{ok, connecting, NewS#eldap{host = Host}} {ok, connecting, NewS#eldap{host = Host}}
end. end.

View File

@ -495,6 +495,17 @@ parse_options(Host, Opts) ->
ejabberd_config:get_local_option({ldap_tls_verify, Host}); ejabberd_config:get_local_option({ldap_tls_verify, Host});
Verify -> Verify Verify -> Verify
end, end,
LDAPTLSCAFile = case gen_mod:get_opt(ldap_tls_cacertfile, Opts, undefined) of
undefined ->
ejabberd_config:get_local_option({ldap_tls_cacertfile, Host});
CAFile -> CAFile
end,
LDAPTLSDepth = case gen_mod:get_opt(ldap_tls_depth, Opts, undefined) of
undefined ->
ejabberd_config:get_local_option({ldap_tls_depth, Host});
Depth ->
Depth
end,
LDAPPort = case gen_mod:get_opt(ldap_port, Opts, undefined) of LDAPPort = case gen_mod:get_opt(ldap_port, Opts, undefined) of
undefined -> undefined ->
case ejabberd_config:get_local_option({ldap_port, Host}) of case ejabberd_config:get_local_option({ldap_port, Host}) of
@ -666,7 +677,9 @@ parse_options(Host, Opts) ->
backups = LDAPBackups, backups = LDAPBackups,
port = LDAPPort, port = LDAPPort,
tls_options = [{encrypt, LDAPEncrypt}, tls_options = [{encrypt, LDAPEncrypt},
{tls_verify, LDAPTLSVerify}], {tls_verify, LDAPTLSVerify},
{tls_cacertfile, LDAPTLSCAFile},
{tls_depth, LDAPTLSDepth}],
dn = RootDN, dn = RootDN,
base = LDAPBase, base = LDAPBase,
password = Password, password = Password,

View File

@ -672,6 +672,17 @@ parse_options(Host, Opts) ->
ejabberd_config:get_local_option({ldap_tls_verify, Host}); ejabberd_config:get_local_option({ldap_tls_verify, Host});
Verify -> Verify Verify -> Verify
end, end,
LDAPTLSCAFile = case gen_mod:get_opt(ldap_tls_cacertfile, Opts, undefined) of
undefined ->
ejabberd_config:get_local_option({ldap_tls_cacertfile, Host});
CAFile -> CAFile
end,
LDAPTLSDepth = case gen_mod:get_opt(ldap_tls_depth, Opts, undefined) of
undefined ->
ejabberd_config:get_local_option({ldap_tls_depth, Host});
Depth ->
Depth
end,
LDAPPortTemp = case gen_mod:get_opt(ldap_port, Opts, undefined) of LDAPPortTemp = case gen_mod:get_opt(ldap_port, Opts, undefined) of
undefined -> undefined ->
ejabberd_config:get_local_option({ldap_port, Host}); ejabberd_config:get_local_option({ldap_port, Host});
@ -757,7 +768,9 @@ parse_options(Host, Opts) ->
backups = LDAPBackups, backups = LDAPBackups,
port = LDAPPort, port = LDAPPort,
tls_options = [{encrypt, LDAPEncrypt}, tls_options = [{encrypt, LDAPEncrypt},
{tls_verify, LDAPTLSVerify}], {tls_verify, LDAPTLSVerify},
{tls_cacertfile, LDAPTLSCAFile},
{tls_depth, LDAPTLSDepth}],
dn = RootDN, dn = RootDN,
base = LDAPBase, base = LDAPBase,
password = Password, password = Password,