Bind LDAP connection after TLS initialization (issue-343)

releases.moxie

     security: ~
     fixes:
 	- Fixed support for implied SSH urls in web.otherUrls (issue-311)
+	- Bind LDAP connection after establishing TLS initialization (issue-343)
 	- Fix potential NPE on removing uncached repository from cache
 	- Ignore the default contents of .git/description file
 	- Fix error on generating activity page when there is no activity
 	- Chad Horohoe
 	- Domingo Oropeza
 	- Chris Graham
+	- Guenter Dressel
 }
 
 #

src/main/java/com/gitblit/LdapUserService.java

 import com.unboundid.ldap.sdk.SearchResult;
 import com.unboundid.ldap.sdk.SearchResultEntry;
 import com.unboundid.ldap.sdk.SearchScope;
+import com.unboundid.ldap.sdk.SimpleBindRequest;
 import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
 import com.unboundid.util.ssl.SSLUtil;
 import com.unboundid.util.ssl.TrustAllTrustManager;
 
 	private LDAPConnection getLdapConnection() {
 		try {
+			
 			URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server));
+			String ldapHost = ldapUrl.getHost();
+			int ldapPort = ldapUrl.getPort();
 			String bindUserName = settings.getString(Keys.realm.ldap.username, "");
 			String bindPassword = settings.getString(Keys.realm.ldap.password, "");
-			int ldapPort = ldapUrl.getPort();
 
+			
+			LDAPConnection conn;
 			if (ldapUrl.getScheme().equalsIgnoreCase("ldaps")) {	// SSL
-				if (ldapPort == -1)	// Default Port
-					ldapPort = 636;
-
-				LDAPConnection conn;
 				SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
-				if (StringUtils.isEmpty(bindUserName) && StringUtils.isEmpty(bindPassword)) {
-					 conn = new LDAPConnection(sslUtil.createSSLSocketFactory(), ldapUrl.getHost(), ldapPort);
-				} else {
-					 conn = new LDAPConnection(sslUtil.createSSLSocketFactory(), ldapUrl.getHost(), ldapPort, bindUserName, bindPassword);
-				}
-				return conn;
+				conn = new LDAPConnection(sslUtil.createSSLSocketFactory());
+			} else if (ldapUrl.getScheme().equalsIgnoreCase("ldap") || ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {	// no encryption or StartTLS
+				conn = new LDAPConnection();
 			} else {
-				if (ldapPort == -1)	// Default Port
-					ldapPort = 389;
-
-				LDAPConnection conn;
-				if (StringUtils.isEmpty(bindUserName) && StringUtils.isEmpty(bindPassword)) {
-					conn = new LDAPConnection(ldapUrl.getHost(), ldapPort);
-				} else {
-					conn = new LDAPConnection(ldapUrl.getHost(), ldapPort, bindUserName, bindPassword);
-				}
-
-				if (ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {
-					SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
-
-					ExtendedResult extendedResult = conn.processExtendedOperation(
+				logger.error("Unsupported LDAP URL scheme: " + ldapUrl.getScheme());
+				return null;
+			}
+			
+			conn.connect(ldapHost, ldapPort);
+			
+			if (ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {
+				SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
+				ExtendedResult extendedResult = conn.processExtendedOperation(
 						new StartTLSExtendedRequest(sslUtil.createSSLContext()));
-
-					if (extendedResult.getResultCode() != ResultCode.SUCCESS) {
-						throw new LDAPException(extendedResult.getResultCode());
-					}
+				if (extendedResult.getResultCode() != ResultCode.SUCCESS) {
+					throw new LDAPException(extendedResult.getResultCode());
 				}
-				return conn;
 			}
+
+			if ( ! StringUtils.isEmpty(bindUserName) || ! StringUtils.isEmpty(bindPassword)) {
+				conn.bind(new SimpleBindRequest(bindUserName, bindPassword));
+			}
+			
+			return conn;
+
 		} catch (URISyntaxException e) {
 			logger.error("Bad LDAP URL, should be in the form: ldap(s|+tls)://<server>:<port>", e);
 		} catch (GeneralSecurityException e) {