Chapril/xmpp.chapril.org-ejabberd
24
1
Fork 0
mirror of https://github.com/processone/ejabberd.git synced 2024-06-04 21:27:16 +02:00
Code Releases Activity

new option ldap_tls_verify is added (EJAB-1229)

Browse Source
This commit is contained in:
Evgeniy Khramtsov 2010-05-10 19:37:37 +10:00
parent 58590cf08d
commit f58d03c12e
5 changed files with 73 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
doc/guide.tex
View File

@ -2187,6 +2187,11 @@ Allowed values are: \term{none}, \term{tls}.
The value \term{tls} enables encryption by using LDAP over SSL. The value \term{tls} enables encryption by using LDAP over SSL.
Note that STARTTLS encryption is not supported. Note that STARTTLS encryption is not supported.
The default value is: \term{none}. The default value is: \term{none}.
\titem{\{ldap\_tls\_verify, false|soft|hard\}} \ind{options!ldap\_tls\_verify}
This option specifies whether to verify LDAP server certificate or not when TLS is enabled.
When \term{hard} is enabled \ejabberd{} doesn't proceed if a certificate is invalid.
When \term{soft} is enabled \ejabberd{} proceeds even if check fails.
The default is \term{false} which means no checks are performed.
\titem{\{ldap\_port, Number\}} \ind{options!ldap\_port}Port to connect to your LDAP server. \titem{\{ldap\_port, Number\}} \ind{options!ldap\_port}Port to connect to your LDAP server.
The default port is~389 if encryption is disabled; and 636 if encryption is enabled. The default port is~389 if encryption is disabled; and 636 if encryption is enabled.
If you configure a value, it is stored in \ejabberd{}'s database. If you configure a value, it is stored in \ejabberd{}'s database.

30
src/ejabberd_auth_ldap.erl
View File

@ -66,7 +66,7 @@
servers, servers,
backups, backups,
port, port,
encrypt, tls_options,
dn, dn,
password, password,
base, base,
@ -119,19 +119,19 @@ terminate(_Reason, _State) ->
init(Host) -> init(Host) ->
State = parse_options(Host), State = parse_options(Host),
eldap_pool:start_link(State#state.eldap_id, eldap_pool:start_link(State#state.eldap_id,
State#state.servers, State#state.servers,
State#state.backups, State#state.backups,
State#state.port, State#state.port,
State#state.dn, State#state.dn,
State#state.password, State#state.password,
State#state.encrypt), State#state.tls_options),
eldap_pool:start_link(State#state.bind_eldap_id, eldap_pool:start_link(State#state.bind_eldap_id,
State#state.servers, State#state.servers,
State#state.backups, State#state.backups,
State#state.port, State#state.port,
State#state.dn, State#state.dn,
State#state.password, State#state.password,
State#state.encrypt), State#state.tls_options),
{ok, State}. {ok, State}.
plain_password_required() -> plain_password_required() ->
@ -373,6 +373,7 @@ parse_options(Host) ->
Backups -> Backups Backups -> Backups
end, end,
LDAPEncrypt = ejabberd_config:get_local_option({ldap_encrypt, Host}), LDAPEncrypt = ejabberd_config:get_local_option({ldap_encrypt, Host}),
LDAPTLSVerify = ejabberd_config:get_local_option({ldap_tls_verify, Host}),
LDAPPort = case ejabberd_config:get_local_option({ldap_port, Host}) of LDAPPort = case ejabberd_config:get_local_option({ldap_port, Host}) of
undefined -> case LDAPEncrypt of undefined -> case LDAPEncrypt of
tls -> ?LDAPS_PORT; tls -> ?LDAPS_PORT;
@ -417,7 +418,8 @@ parse_options(Host) ->
servers = LDAPServers, servers = LDAPServers,
backups = LDAPBackups, backups = LDAPBackups,
port = LDAPPort, port = LDAPPort,
encrypt = LDAPEncrypt, tls_options = [{encrypt, LDAPEncrypt},
{tls_verify, LDAPTLSVerify}],
dn = RootDN, dn = RootDN,
password = Password, password = Password,
base = LDAPBase, base = LDAPBase,

50
src/eldap/eldap.erl
View File

@ -130,9 +130,10 @@ start_link(Name) ->
Reg_name = list_to_atom("eldap_" ++ Name), Reg_name = list_to_atom("eldap_" ++ Name),
gen_fsm:start_link({local, Reg_name}, ?MODULE, [], []). gen_fsm:start_link({local, Reg_name}, ?MODULE, [], []).
start_link(Name, Hosts, Port, Rootdn, Passwd, Encrypt) -> start_link(Name, Hosts, Port, Rootdn, Passwd, Opts) ->
Reg_name = list_to_atom("eldap_" ++ Name), Reg_name = list_to_atom("eldap_" ++ Name),
gen_fsm:start_link({local, Reg_name}, ?MODULE, {Hosts, Port, Rootdn, Passwd, Encrypt}, []). gen_fsm:start_link({local, Reg_name}, ?MODULE,
{Hosts, Port, Rootdn, Passwd, Opts}, []).
%%% -------------------------------------------------------------------- %%% --------------------------------------------------------------------
%%% Get status of connection. %%% Get status of connection.
@ -423,15 +424,19 @@ get_handle(Name) when is_list(Name) -> list_to_atom("eldap_" ++ Name).
%%---------------------------------------------------------------------- %%----------------------------------------------------------------------
init([]) -> init([]) ->
case get_config() of case get_config() of
{ok, Hosts, Rootdn, Passwd, Encrypt} -> {ok, Hosts, Rootdn, Passwd, Opts} ->
init({Hosts, Rootdn, Passwd, Encrypt}); init({Hosts, Rootdn, Passwd, Opts});
{error, Reason} -> {error, Reason} ->
{stop, Reason} {stop, Reason}
end; end;
init({Hosts, Port, Rootdn, Passwd, Encrypt}) -> init({Hosts, Port, Rootdn, Passwd, Opts}) ->
catch ssl:start(), catch ssl:start(),
{X1,X2,X3} = erlang:now(), {X1,X2,X3} = erlang:now(),
ssl:seed(integer_to_list(X1) ++ integer_to_list(X2) ++ integer_to_list(X3)), ssl:seed(integer_to_list(X1) ++ integer_to_list(X2) ++ integer_to_list(X3)),
Encrypt = case proplists:get_value(encrypt, Opts) of
tls -> tls;
_ -> none
end,
PortTemp = case Port of PortTemp = case Port of
undefined -> undefined ->
case Encrypt of case Encrypt of
@ -444,7 +449,14 @@ init({Hosts, Port, Rootdn, Passwd, Encrypt}) ->
end; end;
PT -> PT PT -> PT
end, end,
TLSOpts = [verify_none], TLSOpts = case proplists:get_value(tls_verify, Opts) of
soft ->
[{verify, 1}];
hard ->
[{verify, 2}];
_ ->
[{verify, 0}]
end,
{ok, connecting, #eldap{hosts = Hosts, {ok, connecting, #eldap{hosts = Hosts,
port = PortTemp, port = PortTemp,
rootdn = Rootdn, rootdn = Rootdn,
@ -958,7 +970,7 @@ connect_bind(S) ->
tls -> tls ->
SockMod = ssl, SockMod = ssl,
SslOpts = [{packet, asn1}, {active, true}, {keepalive, true}, SslOpts = [{packet, asn1}, {active, true}, {keepalive, true},
binary], binary | S#eldap.tls_options],
ssl:connect(Host, S#eldap.port, SslOpts); ssl:connect(Host, S#eldap.port, SslOpts);
%% starttls -> %% TODO: Implement STARTTLS; %% starttls -> %% TODO: Implement STARTTLS;
_ -> _ ->
@ -1074,8 +1086,8 @@ get_config() ->
case file:consult(File) of case file:consult(File) of
{ok, Entries} -> {ok, Entries} ->
case catch parse(Entries) of case catch parse(Entries) of
{ok, Hosts, Port, Rootdn, Passwd, Encrypt} -> {ok, Hosts, Port, Rootdn, Passwd, Opts} ->
{ok, Hosts, Port, Rootdn, Passwd, Encrypt}; {ok, Hosts, Port, Rootdn, Passwd, Opts};
{error, Reason} -> {error, Reason} ->
{error, Reason}; {error, Reason};
{'EXIT', Reason} -> {'EXIT', Reason} ->
@ -1091,7 +1103,7 @@ parse(Entries) ->
get_integer(port, Entries), get_integer(port, Entries),
get_list(rootdn, Entries), get_list(rootdn, Entries),
get_list(passwd, Entries), get_list(passwd, Entries),
get_atom(encrypt, Entries)}. get_list(options, Entries)}.
get_integer(Key, List) -> get_integer(Key, List) ->
case lists:keysearch(Key, 1, List) of case lists:keysearch(Key, 1, List) of
@ -1113,15 +1125,15 @@ get_list(Key, List) ->
throw({error, "No Entry in Config for " ++ atom_to_list(Key)}) throw({error, "No Entry in Config for " ++ atom_to_list(Key)})
end. end.
get_atom(Key, List) -> %% get_atom(Key, List) ->
case lists:keysearch(Key, 1, List) of %% case lists:keysearch(Key, 1, List) of
{value, {Key, Value}} when is_atom(Value) -> %% {value, {Key, Value}} when is_atom(Value) ->
Value; %% Value;
{value, {Key, _Value}} -> %% {value, {Key, _Value}} ->
throw({error, "Bad Value in Config for " ++ atom_to_list(Key)}); %% throw({error, "Bad Value in Config for " ++ atom_to_list(Key)});
false -> %% false ->
throw({error, "No Entry in Config for " ++ atom_to_list(Key)}) %% throw({error, "No Entry in Config for " ++ atom_to_list(Key)})
end. %% end.
get_hosts(Key, List) -> get_hosts(Key, List) ->
lists:map(fun({Key1, {A,B,C,D}}) when is_integer(A), lists:map(fun({Key1, {A,B,C,D}}) when is_integer(A),

22
src/eldap/eldap_pool.erl
View File

@ -49,18 +49,20 @@ search(PoolName, Opts) ->
modify_passwd(PoolName, DN, Passwd) -> modify_passwd(PoolName, DN, Passwd) ->
do_request(PoolName, {modify_passwd, [DN, Passwd]}). do_request(PoolName, {modify_passwd, [DN, Passwd]}).
start_link(Name, Hosts, Backups, Port, Rootdn, Passwd, Encrypt) -> start_link(Name, Hosts, Backups, Port, Rootdn, Passwd, Opts) ->
PoolName = make_id(Name), PoolName = make_id(Name),
pg2:create(PoolName), pg2:create(PoolName),
lists:foreach(fun(Host) -> lists:foreach(
ID = erlang:ref_to_list(make_ref()), fun(Host) ->
case catch eldap:start_link(ID, [Host|Backups], Port, Rootdn, Passwd, Encrypt) of ID = erlang:ref_to_list(make_ref()),
{ok, Pid} -> case catch eldap:start_link(ID, [Host|Backups], Port,
pg2:join(PoolName, Pid); Rootdn, Passwd, Opts) of
_ -> {ok, Pid} ->
error pg2:join(PoolName, Pid);
end _ ->
end, Hosts). error
end
end, Hosts).
%%==================================================================== %%====================================================================
%% Internal functions %% Internal functions

12
src/mod_vcard_ldap.erl
View File

@ -62,7 +62,7 @@
servers, servers,
backups, backups,
port, port,
encrypt, tls_options,
dn, dn,
base, base,
password, password,
@ -181,7 +181,7 @@ init([Host, Opts]) ->
State#state.port, State#state.port,
State#state.dn, State#state.dn,
State#state.password, State#state.password,
State#state.encrypt), State#state.tls_options),
case State#state.search of case State#state.search of
true -> true ->
ejabberd_router:register_route(State#state.myhost); ejabberd_router:register_route(State#state.myhost);
@ -686,6 +686,11 @@ parse_options(Host, Opts) ->
ejabberd_config:get_local_option({ldap_encrypt, Host}); ejabberd_config:get_local_option({ldap_encrypt, Host});
E -> E E -> E
end, end,
LDAPTLSVerify = case gen_mod:get_opt(ldap_tls_verify, Opts, undefined) of
undefined ->
ejabberd_config:get_local_option({ldap_tls_verify, Host});
Verify -> Verify
end,
LDAPPortTemp = case gen_mod:get_opt(ldap_port, Opts, undefined) of LDAPPortTemp = case gen_mod:get_opt(ldap_port, Opts, undefined) of
undefined -> undefined ->
ejabberd_config:get_local_option({ldap_port, Host}); ejabberd_config:get_local_option({ldap_port, Host});
@ -766,7 +771,8 @@ parse_options(Host, Opts) ->
servers = LDAPServers, servers = LDAPServers,
backups = LDAPBackups, backups = LDAPBackups,
port = LDAPPort, port = LDAPPort,
encrypt = LDAPEncrypt, tls_options = [{encrypt, LDAPEncrypt},
{tls_verify, LDAPTLSVerify}],
dn = RootDN, dn = RootDN,
base = LDAPBase, base = LDAPBase,
password = Password, password = Password,