From: Steffen Gebert Date: Thu, 9 Aug 2012 08:45:59 +0000 (+0200) Subject: StartTLS is not supported in LdapUserService (issue 122) X-Git-Tag: v1.1.0~29^2 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=refs%2Fpull%2F23%2Fhead;p=gitblit.git StartTLS is not supported in LdapUserService (issue 122) By providing an URL in the format "ldap+tls://ldapserver.example.com", you can now connect to LDAP servers that require StartTLS command. --- diff --git a/distrib/gitblit.properties b/distrib/gitblit.properties index 70718b67..a5a47b78 100644 --- a/distrib/gitblit.properties +++ b/distrib/gitblit.properties @@ -797,6 +797,8 @@ federation.sets = # # URL of the LDAP server. +# To use encrypted transport, use either ldaps:// URL for SSL or ldap+tls:// to +# send StartTLS command. # # SINCE 1.0.0 realm.ldap.server = ldap://localhost diff --git a/src/com/gitblit/LdapUserService.java b/src/com/gitblit/LdapUserService.java index 61de01d9..38376b81 100644 --- a/src/com/gitblit/LdapUserService.java +++ b/src/com/gitblit/LdapUserService.java @@ -30,12 +30,15 @@ import com.gitblit.models.UserModel; import com.gitblit.utils.ArrayUtils; import com.gitblit.utils.StringUtils; import com.unboundid.ldap.sdk.Attribute; +import com.unboundid.ldap.sdk.ExtendedResult; import com.unboundid.ldap.sdk.LDAPConnection; import com.unboundid.ldap.sdk.LDAPException; import com.unboundid.ldap.sdk.LDAPSearchException; +import com.unboundid.ldap.sdk.ResultCode; import com.unboundid.ldap.sdk.SearchResult; import com.unboundid.ldap.sdk.SearchResultEntry; import com.unboundid.ldap.sdk.SearchScope; +import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest; import com.unboundid.util.ssl.SSLUtil; import com.unboundid.util.ssl.TrustAllTrustManager; @@ -81,10 +84,22 @@ public class LdapUserService extends GitblitUserService { if (ldapPort == -1) // Default Port ldapPort = 389; - return new LDAPConnection(ldapUrl.getHost(), ldapPort, bindUserName, bindPassword); + LDAPConnection conn = new LDAPConnection(ldapUrl.getHost(), ldapPort, bindUserName, bindPassword); + + if (ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) { + SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager()); + + ExtendedResult extendedResult = conn.processExtendedOperation( + new StartTLSExtendedRequest(sslUtil.createSSLContext())); + + if (extendedResult.getResultCode() != ResultCode.SUCCESS) { + throw new LDAPException(extendedResult.getResultCode()); + } + } + return conn; } } catch (URISyntaxException e) { - logger.error("Bad LDAP URL, should be in the form: ldap(s)://:", e); + logger.error("Bad LDAP URL, should be in the form: ldap(s|+tls)://:", e); } catch (GeneralSecurityException e) { logger.error("Unable to create SSL Connection", e); } catch (LDAPException e) {