From 237faead29c2d0dfcc503fe80039a6d985764d81 Mon Sep 17 00:00:00 2001
From: =?utf8?q?G=C3=BCnter=20Dressel?=
Date: Thu, 21 Nov 2013 18:13:18 +0100
Subject: [PATCH] Bind LDAP connection after TLS initialization (issue-343)

---
 releases.moxie | 2 +
 .../java/com/gitblit/LdapUserService.java | 57 +++++++++----------
 2 files changed, 29 insertions(+), 30 deletions(-)

diff --git a/releases.moxie b/releases.moxie
index 75d3f1a5..551771e2 100644
--- a/releases.moxie
+++ b/releases.moxie
@@ -11,6 +11,7 @@ r20: {
 security: ~
 fixes:
 - Fixed support for implied SSH urls in web.otherUrls (issue-311)
+ - Bind LDAP connection after establishing TLS initialization (issue-343)
 - Fix potential NPE on removing uncached repository from cache
 - Ignore the default contents of .git/description file
 - Fix error on generating activity page when there is no activity
@@ -69,6 +70,7 @@ r20: {
 - Chad Horohoe
 - Domingo Oropeza
 - Chris Graham
+ - Guenter Dressel
 }
 #
diff --git a/src/main/java/com/gitblit/LdapUserService.java b/src/main/java/com/gitblit/LdapUserService.java
index db38c528..5a2dbdc8 100644
--- a/src/main/java/com/gitblit/LdapUserService.java
+++ b/src/main/java/com/gitblit/LdapUserService.java
@@ -43,6 +43,7 @@ import com.unboundid.ldap.sdk.ResultCode;
 import com.unboundid.ldap.sdk.SearchResult;
 import com.unboundid.ldap.sdk.SearchResultEntry;
 import com.unboundid.ldap.sdk.SearchScope;
+import com.unboundid.ldap.sdk.SimpleBindRequest;
 import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
 import com.unboundid.util.ssl.SSLUtil;
 import com.unboundid.util.ssl.TrustAllTrustManager;
@@ -161,46 +162,42 @@ public class LdapUserService extends GitblitUserService {
 private LDAPConnection getLdapConnection() {
 try {
+ URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server));
+ String ldapHost = ldapUrl.getHost();
+ int ldapPort = ldapUrl.getPort();
 String bindUserName = settings.getString(Keys.realm.ldap.username, "");
 String bindPassword = settings.getString(Keys.realm.ldap.password, "");
- int ldapPort = ldapUrl.getPort();
+
+ LDAPConnection conn;
 if (ldapUrl.getScheme().equalsIgnoreCase("ldaps")) { // SSL
- if (ldapPort == -1) // Default Port
- ldapPort = 636;
-
- LDAPConnection conn;
 SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
- if (StringUtils.isEmpty(bindUserName) && StringUtils.isEmpty(bindPassword)) {
- conn = new LDAPConnection(sslUtil.createSSLSocketFactory(), ldapUrl.getHost(), ldapPort);
- } else {
- conn = new LDAPConnection(sslUtil.createSSLSocketFactory(), ldapUrl.getHost(), ldapPort, bindUserName, bindPassword);
- }
- return conn;
+ conn = new LDAPConnection(sslUtil.createSSLSocketFactory());
+ } else if (ldapUrl.getScheme().equalsIgnoreCase("ldap") || ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) { // no encryption or StartTLS
+ conn = new LDAPConnection();
 } else {
- if (ldapPort == -1) // Default Port
- ldapPort = 389;
-
- LDAPConnection conn;
- if (StringUtils.isEmpty(bindUserName) && StringUtils.isEmpty(bindPassword)) {
- conn = new LDAPConnection(ldapUrl.getHost(), ldapPort);
- } else {
- conn = new LDAPConnection(ldapUrl.getHost(), ldapPort, bindUserName, bindPassword);
- }
-
- if (ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {
- SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
-
- ExtendedResult extendedResult = conn.processExtendedOperation(
+ logger.error("Unsupported LDAP URL scheme: " + ldapUrl.getScheme());
+ return null;
+ }
+
+ conn.connect(ldapHost, ldapPort);
+
+ if (ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {
+ SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
+ ExtendedResult extendedResult = conn.processExtendedOperation(
 new StartTLSExtendedRequest(sslUtil.createSSLContext()));
-
- if (extendedResult.getResultCode() != ResultCode.SUCCESS) {
- throw new LDAPException(extendedResult.getResultCode());
- }
+ if (extendedResult.getResultCode() != ResultCode.SUCCESS) {
+ throw new LDAPException(extendedResult.getResultCode());
 }
- return conn;
 }
+
+ if ( ! StringUtils.isEmpty(bindUserName) || ! StringUtils.isEmpty(bindPassword)) {
+ conn.bind(new SimpleBindRequest(bindUserName, bindPassword));
+ }
+
+ return conn;
+
 } catch (URISyntaxException e) {
 logger.error("Bad LDAP URL, should be in the form: ldap(s|+tls)://:", e);
 } catch (GeneralSecurityException e) {
-- 
2.39.5
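Review bot: Removing the `if (ldapPort == -1)` defaults (636 for ldaps, 389 otherwise) without a replacement means the new `conn.connect(ldapHost, ldapPort)` is reached with a port of -1 whenever the configured URL omits the port, and a connect with that value cannot succeed, so previously valid `ldap://host` and `ldaps://host` settings now fail; keep the fallback right after the new `int ldapPort = ldapUrl.getPort();` line, e.g. `if (ldapPort == -1) { ldapPort = "ldaps".equalsIgnoreCase(ldapUrl.getScheme()) ? 636 : 389; }`. Deferring the bind until after StartTLS keeps the simple-bind password out of cleartext for `ldap+tls`, but both TLS paths still build their context from `TrustAllTrustManager`, so the server certificate is never validated and the credentials remain exposed to whichever host answers as the LDAP server; a configurable trust store with hostname verification is what this fix ultimately needs. For the plain `ldap` scheme the password is still sent unencrypted whenever bind credentials are configured, which a `logger.warn` at the bind site would make visible to administrators. The `getLdapConnection` body continues past the hunk, so how the `LDAPException` from the new `conn.bind(...)` is handled could not be checked here.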