mirror of
https://github.com/processone/ejabberd.git
synced 2024-11-22 16:20:52 +01:00
Add ldap_tls_cacertfile and ldap_tls_depth options (EJAB-1299)
This commit is contained in:
parent
0b1f3ca148
commit
8760eef677
@ -518,6 +518,8 @@ parse_options(Host) ->
|
||||
end,
|
||||
LDAPEncrypt = ejabberd_config:get_local_option({ldap_encrypt, Host}),
|
||||
LDAPTLSVerify = ejabberd_config:get_local_option({ldap_tls_verify, Host}),
|
||||
LDAPTLSCAFile = ejabberd_config:get_local_option({ldap_tls_cacertfile, Host}),
|
||||
LDAPTLSDepth = ejabberd_config:get_local_option({ldap_tls_depth, Host}),
|
||||
LDAPPort = case ejabberd_config:get_local_option({ldap_port, Host}) of
|
||||
undefined -> case LDAPEncrypt of
|
||||
tls -> ?LDAPS_PORT;
|
||||
@ -565,7 +567,9 @@ parse_options(Host) ->
|
||||
backups = LDAPBackups,
|
||||
port = LDAPPort,
|
||||
tls_options = [{encrypt, LDAPEncrypt},
|
||||
{tls_verify, LDAPTLSVerify}],
|
||||
{tls_verify, LDAPTLSVerify},
|
||||
{tls_cacertfile, LDAPTLSCAFile},
|
||||
{tls_depth, LDAPTLSDepth}],
|
||||
dn = RootDN,
|
||||
password = Password,
|
||||
base = LDAPBase,
|
||||
|
@ -445,14 +445,29 @@ init({Hosts, Port, Rootdn, Passwd, Opts}) ->
|
||||
end;
|
||||
PT -> PT
|
||||
end,
|
||||
TLSOpts = case proplists:get_value(tls_verify, Opts) of
|
||||
soft ->
|
||||
[{verify, 1}];
|
||||
hard ->
|
||||
[{verify, 2}];
|
||||
_ ->
|
||||
[{verify, 0}]
|
||||
end,
|
||||
CacertOpts = case proplists:get_value(tls_cacertfile, Opts) of
|
||||
[_|_] = Path -> [{cacertfile, Path}];
|
||||
_ -> []
|
||||
end,
|
||||
DepthOpts = case proplists:get_value(tls_depth, Opts) of
|
||||
Depth when is_integer(Depth), Depth >= 0 ->
|
||||
[{depth, Depth}];
|
||||
_ -> []
|
||||
end,
|
||||
Verify = proplists:get_value(tls_verify, Opts),
|
||||
TLSOpts = if (Verify == hard orelse Verify == soft)
|
||||
andalso CacertOpts == [] ->
|
||||
?WARNING_MSG("TLS verification is enabled "
|
||||
"but no CA certfiles configured, so "
|
||||
"verification is disabled.", []),
|
||||
[];
|
||||
Verify == soft ->
|
||||
[{verify, 1}] ++ CacertOpts ++ DepthOpts;
|
||||
Verify == hard ->
|
||||
[{verify, 2}] ++ CacertOpts ++ DepthOpts;
|
||||
true ->
|
||||
[]
|
||||
end,
|
||||
{ok, connecting, #eldap{hosts = Hosts,
|
||||
port = PortTemp,
|
||||
rootdn = Rootdn,
|
||||
@ -957,18 +972,21 @@ polish([], Res, Ref) ->
|
||||
connect_bind(S) ->
|
||||
Host = next_host(S#eldap.host, S#eldap.hosts),
|
||||
?INFO_MSG("LDAP connection on ~s:~p", [Host, S#eldap.port]),
|
||||
Opts = if S#eldap.tls == tls ->
|
||||
[{packet, asn1}, {active, true}, {keepalive, true},
|
||||
binary | S#eldap.tls_options];
|
||||
true ->
|
||||
[{packet, asn1}, {active, true}, {keepalive, true},
|
||||
{send_timeout, ?SEND_TIMEOUT}, binary]
|
||||
end,
|
||||
SocketData = case S#eldap.tls of
|
||||
tls ->
|
||||
SockMod = ssl,
|
||||
SslOpts = [{packet, asn1}, {active, true}, {keepalive, true},
|
||||
binary | S#eldap.tls_options],
|
||||
ssl:connect(Host, S#eldap.port, SslOpts);
|
||||
ssl:connect(Host, S#eldap.port, Opts);
|
||||
%% starttls -> %% TODO: Implement STARTTLS;
|
||||
_ ->
|
||||
SockMod = gen_tcp,
|
||||
TcpOpts = [{packet, asn1}, {active, true}, {keepalive, true},
|
||||
{send_timeout, ?SEND_TIMEOUT}, binary],
|
||||
gen_tcp:connect(Host, S#eldap.port, TcpOpts)
|
||||
gen_tcp:connect(Host, S#eldap.port, Opts)
|
||||
end,
|
||||
case SocketData of
|
||||
{ok, Socket} ->
|
||||
@ -986,8 +1004,11 @@ connect_bind(S) ->
|
||||
{ok, connecting, NewS#eldap{host = Host}}
|
||||
end;
|
||||
{error, Reason} ->
|
||||
?ERROR_MSG("LDAP connection failed on ~s:~p~nReason: ~p",
|
||||
[Host, S#eldap.port, Reason]),
|
||||
?ERROR_MSG("LDAP connection failed:~n"
|
||||
"** Server: ~s:~p~n"
|
||||
"** Reason: ~p~n"
|
||||
"** Socket options: ~p",
|
||||
[Host, S#eldap.port, Reason, Opts]),
|
||||
NewS = close_and_retry(S),
|
||||
{ok, connecting, NewS#eldap{host = Host}}
|
||||
end.
|
||||
|
@ -495,6 +495,17 @@ parse_options(Host, Opts) ->
|
||||
ejabberd_config:get_local_option({ldap_tls_verify, Host});
|
||||
Verify -> Verify
|
||||
end,
|
||||
LDAPTLSCAFile = case gen_mod:get_opt(ldap_tls_cacertfile, Opts, undefined) of
|
||||
undefined ->
|
||||
ejabberd_config:get_local_option({ldap_tls_cacertfile, Host});
|
||||
CAFile -> CAFile
|
||||
end,
|
||||
LDAPTLSDepth = case gen_mod:get_opt(ldap_tls_depth, Opts, undefined) of
|
||||
undefined ->
|
||||
ejabberd_config:get_local_option({ldap_tls_depth, Host});
|
||||
Depth ->
|
||||
Depth
|
||||
end,
|
||||
LDAPPort = case gen_mod:get_opt(ldap_port, Opts, undefined) of
|
||||
undefined ->
|
||||
case ejabberd_config:get_local_option({ldap_port, Host}) of
|
||||
@ -666,7 +677,9 @@ parse_options(Host, Opts) ->
|
||||
backups = LDAPBackups,
|
||||
port = LDAPPort,
|
||||
tls_options = [{encrypt, LDAPEncrypt},
|
||||
{tls_verify, LDAPTLSVerify}],
|
||||
{tls_verify, LDAPTLSVerify},
|
||||
{tls_cacertfile, LDAPTLSCAFile},
|
||||
{tls_depth, LDAPTLSDepth}],
|
||||
dn = RootDN,
|
||||
base = LDAPBase,
|
||||
password = Password,
|
||||
|
@ -672,6 +672,17 @@ parse_options(Host, Opts) ->
|
||||
ejabberd_config:get_local_option({ldap_tls_verify, Host});
|
||||
Verify -> Verify
|
||||
end,
|
||||
LDAPTLSCAFile = case gen_mod:get_opt(ldap_tls_cacertfile, Opts, undefined) of
|
||||
undefined ->
|
||||
ejabberd_config:get_local_option({ldap_tls_cacertfile, Host});
|
||||
CAFile -> CAFile
|
||||
end,
|
||||
LDAPTLSDepth = case gen_mod:get_opt(ldap_tls_depth, Opts, undefined) of
|
||||
undefined ->
|
||||
ejabberd_config:get_local_option({ldap_tls_depth, Host});
|
||||
Depth ->
|
||||
Depth
|
||||
end,
|
||||
LDAPPortTemp = case gen_mod:get_opt(ldap_port, Opts, undefined) of
|
||||
undefined ->
|
||||
ejabberd_config:get_local_option({ldap_port, Host});
|
||||
@ -757,7 +768,9 @@ parse_options(Host, Opts) ->
|
||||
backups = LDAPBackups,
|
||||
port = LDAPPort,
|
||||
tls_options = [{encrypt, LDAPEncrypt},
|
||||
{tls_verify, LDAPTLSVerify}],
|
||||
{tls_verify, LDAPTLSVerify},
|
||||
{tls_cacertfile, LDAPTLSCAFile},
|
||||
{tls_depth, LDAPTLSDepth}],
|
||||
dn = RootDN,
|
||||
base = LDAPBase,
|
||||
password = Password,
|
||||
|
Loading…
Reference in New Issue
Block a user