author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2018-09-23 13:28:36 +0000 |
---|---|---|
committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2018-09-23 13:28:36 +0000 |
commit | a9eaf563a5d24a2295f234453cec82811e908dd9 (patch) | |
tree | 30a50e943ea15d367d66db403adb0c0b6e10ad71 /app/models/auth_source_ldap.rb | |
parent | 2ef5ce247a895f28fb731da2ece940164f8ca19d (diff) | |
download | redmine-a9eaf563a5d24a2295f234453cec82811e908dd9.tar.gz redmine-a9eaf563a5d24a2295f234453cec82811e908dd9.zip |
Support self-signed LDAPS connections (#29606).
Patch by Gregor Schmidt.
git-svn-id: http://svn.redmine.org/redmine/trunk@17505 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/models/auth_source_ldap.rb')
-rw-r--r-- | app/models/auth_source_ldap.rb | 46 |
1 files changed, 44 insertions, 2 deletions
diff --git a/app/models/auth_source_ldap.rb b/app/models/auth_source_ldap.rb
index 8e380d456..c3939e8d5 100644
--- a/app/models/auth_source_ldap.rb
+++ b/app/models/auth_source_ldap.rb
@@ -37,6 +37,14 @@ class AuthSourceLdap < AuthSource
before_validation :strip_ldap_attributes
+ safe_attributes 'ldap_mode'
+
+ LDAP_MODES = [
+ :ldap,
+ :ldaps_verify_none,
+ :ldaps_verify_peer
+ ]
+
def initialize(attributes=nil, *args)
super
self.port = 389 if self.port == 0
@@ -101,6 +109,31 @@ class AuthSourceLdap < AuthSource
raise AuthSourceException.new(e.message)
end
+ def ldap_mode
+ case
+ when tls && verify_peer
+ :ldaps_verify_peer
+ when tls && !verify_peer
+ :ldaps_verify_none
+ else
+ :ldap
+ end
+ end
+
+ def ldap_mode=(ldap_mode)
+ case ldap_mode.try(:to_sym)
+ when :ldaps_verify_peer
+ self.tls = true
+ self.verify_peer = true
+ when :ldaps_verify_none
+ self.tls = true
+ self.verify_peer = false
+ else
+ self.tls = false
+ self.verify_peer = false
+ end
+ end
+
private
def with_timeout(&block)
@@ -143,9 +176,18 @@ class AuthSourceLdap < AuthSource
def initialize_ldap_con(ldap_user, ldap_password)
options = {
:host => self.host,
- :port => self.port,
- :encryption => (self.tls ? :simple_tls : nil)
+ :port => self.port
}
+ if tls
+ options[:encryption] = {
+ :method => :simple_tls,
+ # Always provide non-empty tls_options, to make sure, that all
+ # OpenSSL::SSL::SSLContext::DEFAULT_PARAMS as well as the default cert
+ # store are used.
+ :tls_options => { :verify_mode => verify_peer? ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE }
+ }
+ end
+
options.merge!(:auth => { :method => :simple, :username => ldap_user, :password => ldap_password }) unless ldap_user.blank? && ldap_password.blank?
Net::LDAP.new options
end |
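Review bot: `LDAP_MODES` is a plain mutable array constant; since it enumerates the accepted values of the new `ldap_mode` attribute it should be `LDAP_MODES = [:ldap, :ldaps_verify_none, :ldaps_verify_peer].freeze` so nothing can append or reorder a mode at runtime. Nothing in this hunk validates `ldap_mode` against the list, so presumably it only feeds a form select; worth confirming that the setter in the second hunk is the only place the value is interpreted. The enclosing `AuthSourceLdap` class starts before this hunk.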
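Review bot: The `else` branch of `ldap_mode=` maps every value that is not one of the two LDAPS symbols — including typos, `nil`, and whatever arrives through mass assignment via `safe_attributes` — to `tls = false`, so a misspelt mode silently downgrades a source to cleartext LDAP instead of failing. Narrowing the fall-through to the documented value and rejecting the rest keeps the failure loud: `when :ldap, nil` for the cleartext case and `else raise ArgumentError, "unknown ldap_mode: #{ldap_mode.inspect}"`; if raising inside a mass-assigned setter is unwanted here, recording the bad value and failing validation is the alternative. A minor consistency point: this hunk reads `verify_peer` while the third hunk reads `verify_peer?`, and picking one form avoids the impression that they differ. A short comment on the getter such as `# tls/verify_peer are the persisted columns; ldap_mode is a derived view of them for the form` would explain why two representations of the same setting coexist.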
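Review bot: The `:ldaps_verify_none` branch sets `verify_mode` to `OpenSSL::SSL::VERIFY_NONE`, which accepts any certificate, so in that mode the bind credentials passed into `initialize_ldap_con` and every password later sent for authentication can be captured by anyone able to interpose on the connection; nothing in the diff says so. The commit title frames this as self-signed certificate support, but the safer way to support a self-signed or private-CA server is to keep `VERIFY_PEER` and trust that specific certificate — e.g. a `:ca_file` or `:cert_store` entry next to `:verify_mode` in `tls_options` — leaving `VERIFY_NONE` as a last resort; at minimum a warning belongs on that arm, such as `# VERIFY_NONE disables all certificate checks: bind and user passwords are exposed to an on-path attacker`. Also worth confirming against the net-ldap version the project pins that `VERIFY_PEER` triggers hostname verification of the peer certificate and not only chain validation; if it does not, any certificate issued by a trusted CA would satisfy this check. `initialize_ldap_con` ends inside the hunk, so the change is self-contained.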