From 845b532f90092638606c71a446bef10e5a45f3af Mon Sep 17 00:00:00 2001
From: Steffen Gebert <steffen.gebert@informatik.uni-wuerzburg.de>
Date: Thu, 9 Aug 2012 10:45:59 +0200
Subject: [PATCH] StartTLS is not supported in LdapUserService (issue 122)

By providing an URL in the format "ldap+tls://ldapserver.example.com",
you can now connect to LDAP servers that require StartTLS command.
---
 distrib/gitblit.properties           |  2 ++
 src/com/gitblit/LdapUserService.java | 19 +++++++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/distrib/gitblit.properties b/distrib/gitblit.properties
index 70718b67..a5a47b78 100644
--- a/distrib/gitblit.properties
+++ b/distrib/gitblit.properties
@@ -797,6 +797,8 @@ federation.sets =
 #
 
 # URL of the LDAP server.
+# To use encrypted transport, use either ldaps:// URL for SSL or ldap+tls:// to
+# send StartTLS command.
 #
 # SINCE 1.0.0
 realm.ldap.server = ldap://localhost
diff --git a/src/com/gitblit/LdapUserService.java b/src/com/gitblit/LdapUserService.java
index 61de01d9..38376b81 100644
--- a/src/com/gitblit/LdapUserService.java
+++ b/src/com/gitblit/LdapUserService.java
@@ -30,12 +30,15 @@ import com.gitblit.models.UserModel;
 import com.gitblit.utils.ArrayUtils;
 import com.gitblit.utils.StringUtils;
 import com.unboundid.ldap.sdk.Attribute;
+import com.unboundid.ldap.sdk.ExtendedResult;
 import com.unboundid.ldap.sdk.LDAPConnection;
 import com.unboundid.ldap.sdk.LDAPException;
 import com.unboundid.ldap.sdk.LDAPSearchException;
+import com.unboundid.ldap.sdk.ResultCode;
 import com.unboundid.ldap.sdk.SearchResult;
 import com.unboundid.ldap.sdk.SearchResultEntry;
 import com.unboundid.ldap.sdk.SearchScope;
+import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
 import com.unboundid.util.ssl.SSLUtil;
 import com.unboundid.util.ssl.TrustAllTrustManager;
 
@@ -81,10 +84,22 @@ public class LdapUserService extends GitblitUserService {
 				if (ldapPort == -1)	// Default Port
 					ldapPort = 389;
 				
-				return new LDAPConnection(ldapUrl.getHost(), ldapPort, bindUserName, bindPassword);
+				LDAPConnection conn = new LDAPConnection(ldapUrl.getHost(), ldapPort, bindUserName, bindPassword);
+
+				if (ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {
+					SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
+
+					ExtendedResult extendedResult = conn.processExtendedOperation(
+						new StartTLSExtendedRequest(sslUtil.createSSLContext()));
+
+					if (extendedResult.getResultCode() != ResultCode.SUCCESS) {
+						throw new LDAPException(extendedResult.getResultCode());
+					}
+				}
+				return conn;
 			}
 		} catch (URISyntaxException e) {
-			logger.error("Bad LDAP URL, should be in the form: ldap(s)://<server>:<port>", e);
+			logger.error("Bad LDAP URL, should be in the form: ldap(s|+tls)://<server>:<port>", e);
 		} catch (GeneralSecurityException e) {
 			logger.error("Unable to create SSL Connection", e);
 		} catch (LDAPException e) {
-- 
2.39.5