From 845b532f90092638606c71a446bef10e5a45f3af Mon Sep 17 00:00:00 2001
From: Steffen Gebert
Date: Thu, 9 Aug 2012 10:45:59 +0200
Subject: [PATCH] StartTLS is not supported in LdapUserService (issue 122)

By providing an URL in the format "ldap+tls://ldapserver.example.com", you can now connect to LDAP servers that require StartTLS command.
---
 distrib/gitblit.properties | 2 ++
 src/com/gitblit/LdapUserService.java | 19 +++++++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/distrib/gitblit.properties b/distrib/gitblit.properties
index 70718b67..a5a47b78 100644
--- a/distrib/gitblit.properties
+++ b/distrib/gitblit.properties
@@ -797,6 +797,8 @@ federation.sets =
 #
 # URL of the LDAP server.
+# To use encrypted transport, use either ldaps:// URL for SSL or ldap+tls:// to
+# send StartTLS command.
 #
 # SINCE 1.0.0
 realm.ldap.server = ldap://localhost
diff --git a/src/com/gitblit/LdapUserService.java b/src/com/gitblit/LdapUserService.java
index 61de01d9..38376b81 100644
--- a/src/com/gitblit/LdapUserService.java
+++ b/src/com/gitblit/LdapUserService.java
@@ -30,12 +30,15 @@ import com.gitblit.models.UserModel;
 import com.gitblit.utils.ArrayUtils;
 import com.gitblit.utils.StringUtils;
 import com.unboundid.ldap.sdk.Attribute;
+import com.unboundid.ldap.sdk.ExtendedResult;
 import com.unboundid.ldap.sdk.LDAPConnection;
 import com.unboundid.ldap.sdk.LDAPException;
 import com.unboundid.ldap.sdk.LDAPSearchException;
+import com.unboundid.ldap.sdk.ResultCode;
 import com.unboundid.ldap.sdk.SearchResult;
 import com.unboundid.ldap.sdk.SearchResultEntry;
 import com.unboundid.ldap.sdk.SearchScope;
+import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
 import com.unboundid.util.ssl.SSLUtil;
 import com.unboundid.util.ssl.TrustAllTrustManager;
@@ -81,10 +84,22 @@ public class LdapUserService extends GitblitUserService {
 if (ldapPort == -1) // Default Port
 ldapPort = 389;
- return new LDAPConnection(ldapUrl.getHost(), ldapPort, bindUserName, bindPassword);
+ LDAPConnection conn = new LDAPConnection(ldapUrl.getHost(), ldapPort, bindUserName, bindPassword);
+
+ if (ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {
+ SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
+
+ ExtendedResult extendedResult = conn.processExtendedOperation(
+ new StartTLSExtendedRequest(sslUtil.createSSLContext()));
+
+ if (extendedResult.getResultCode() != ResultCode.SUCCESS) {
+ throw new LDAPException(extendedResult.getResultCode());
+ }
+ }
+ return conn;
 }
 } catch (URISyntaxException e) {
- logger.error("Bad LDAP URL, should be in the form: ldap(s)://:", e);
+ logger.error("Bad LDAP URL, should be in the form: ldap(s|+tls)://:", e);
 } catch (GeneralSecurityException e) {
 logger.error("Unable to create SSL Connection", e);
 } catch (LDAPException e) {
-- 
2.39.5
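Review bot: The bind credentials are sent before TLS is negotiated on the new `ldap+tls` path, because the four-argument `LDAPConnection` constructor connects and performs the simple bind itself, so `bindPassword` crosses the wire in cleartext and StartTLS only protects what follows. The connection should be opened unauthenticated, upgraded with StartTLS, and bound only afterwards, and it should be closed when StartTLS or the bind fails, since the new `throw` currently leaves the socket open. Separately, `new SSLUtil(new TrustAllTrustManager())` accepts any certificate, so the upgraded channel is encrypted but the server is not authenticated; a trust manager backed by a configured trust store would close that gap, and until then the `gitblit.properties` comment promising "encrypted transport" should mention the missing certificate validation. The enclosing method begins and ends outside this hunk, so the surrounding `try` and the `ldaps` branch are not visible here.

```java
LDAPConnection conn = new LDAPConnection(ldapUrl.getHost(), ldapPort);
try {
    if (ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {
        // … unchanged: SSLUtil setup, StartTLS extended operation and result-code check …
    }
    // Bind only once the channel has been upgraded (or was never meant to be).
    conn.bind(bindUserName, bindPassword);
    return conn;
} catch (LDAPException e) {
    // Do not leak the socket when StartTLS or the bind fails.
    conn.close();
    throw e;
}
```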