StartTLS is not supported in LdapUserService (issue 122) 23/head
authorSteffen Gebert <steffen.gebert@informatik.uni-wuerzburg.de>
Thu, 9 Aug 2012 08:45:59 +0000 (10:45 +0200)
committerSteffen Gebert <steffen.gebert@typo3.org>
Thu, 9 Aug 2012 13:32:31 +0000 (15:32 +0200)
By providing a URL in the format "ldap+tls://ldapserver.example.com",
you can now connect to LDAP servers that require the StartTLS command.

distrib/gitblit.properties
src/com/gitblit/LdapUserService.java

index 70718b670744775fcb54573f0ddafb63bb4470a5..a5a47b78ccb45b69a5451de34a7c142012944d6f 100644 (file)
@@ -797,6 +797,8 @@ federation.sets =
 #\r
 \r
 # URL of the LDAP server.\r
+# To use encrypted transport, use either ldaps:// URL for SSL or ldap+tls:// to\r
+# send StartTLS command.\r
 #\r
 # SINCE 1.0.0\r
 realm.ldap.server = ldap://localhost\r
index 61de01d989feaaf174fea608a3be82ced6d0de11..38376b81b60cab306467e7b3907baff351872173 100644 (file)
@@ -30,12 +30,15 @@ import com.gitblit.models.UserModel;
 import com.gitblit.utils.ArrayUtils;\r
 import com.gitblit.utils.StringUtils;\r
 import com.unboundid.ldap.sdk.Attribute;\r
+import com.unboundid.ldap.sdk.ExtendedResult;\r
 import com.unboundid.ldap.sdk.LDAPConnection;\r
 import com.unboundid.ldap.sdk.LDAPException;\r
 import com.unboundid.ldap.sdk.LDAPSearchException;\r
+import com.unboundid.ldap.sdk.ResultCode;\r
 import com.unboundid.ldap.sdk.SearchResult;\r
 import com.unboundid.ldap.sdk.SearchResultEntry;\r
 import com.unboundid.ldap.sdk.SearchScope;\r
+import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;\r
 import com.unboundid.util.ssl.SSLUtil;\r
 import com.unboundid.util.ssl.TrustAllTrustManager;\r
 \r
@@ -81,10 +84,22 @@ public class LdapUserService extends GitblitUserService {
                                if (ldapPort == -1)     // Default Port\r
                                        ldapPort = 389;\r
                                \r
-                               return new LDAPConnection(ldapUrl.getHost(), ldapPort, bindUserName, bindPassword);\r
+                               LDAPConnection conn = new LDAPConnection(ldapUrl.getHost(), ldapPort, bindUserName, bindPassword);\r
+\r
+                               if (ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {\r
+                                       SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());\r
+\r
+                                       ExtendedResult extendedResult = conn.processExtendedOperation(\r
+                                               new StartTLSExtendedRequest(sslUtil.createSSLContext()));\r
+\r
+                                       if (extendedResult.getResultCode() != ResultCode.SUCCESS) {\r
+                                               throw new LDAPException(extendedResult.getResultCode());\r
+                                       }\r
+                               }\r
+                               return conn;\r
                        }\r
                } catch (URISyntaxException e) {\r
-                       logger.error("Bad LDAP URL, should be in the form: ldap(s)://<server>:<port>", e);\r
+                       logger.error("Bad LDAP URL, should be in the form: ldap(s|+tls)://<server>:<port>", e);\r
                } catch (GeneralSecurityException e) {\r
                        logger.error("Unable to create SSL Connection", e);\r
                } catch (LDAPException e) {\r
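Review bot: The four-argument `LDAPConnection(host, port, bindUserName, bindPassword)` on the first added line of this hunk connects and performs the simple bind before the StartTLS request on the following lines, so for an `ldap+tls://` URL the bind DN and password are sent over the still-unencrypted connection; the order should be connect, StartTLS, then `conn.bind(bindUserName, bindPassword)`. In the non-SUCCESS branch the connection is also abandoned without `conn.close()` before the exception is thrown. Separately, `new SSLUtil(new TrustAllTrustManager())` means the server certificate is never validated, so the upgraded session is encrypted but not authenticated against the server — the "encrypted transport" wording added to `realm.ldap.server` in the first hunk deserves that caveat, or the trust manager should be backed by a configured trust store. The enclosing method and its `try` block start outside this hunk.
```java
LDAPConnection conn = new LDAPConnection(ldapUrl.getHost(), ldapPort);

if (ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {
    SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());

    ExtendedResult extendedResult = conn.processExtendedOperation(
        new StartTLSExtendedRequest(sslUtil.createSSLContext()));

    if (extendedResult.getResultCode() != ResultCode.SUCCESS) {
        conn.close();
        throw new LDAPException(extendedResult.getResultCode());
    }
}
// bind only once the transport has been upgraded so credentials are never sent in the clear
conn.bind(bindUserName, bindPassword);
return conn;
```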