Support LDAP method start_tls
This commit is contained in:
parent
88a672fe88
commit
9338f061a3
@ -361,6 +361,8 @@ config :pleroma, :ldap,
|
||||
port: String.to_integer(System.get_env("LDAP_PORT") || "389"),
|
||||
ssl: System.get_env("LDAP_SSL") == "true",
|
||||
sslopts: [],
|
||||
tls: System.get_env("LDAP_TLS") == "true",
|
||||
tlsopts: [],
|
||||
base: System.get_env("LDAP_BASE") || "dc=example,dc=com",
|
||||
uid: System.get_env("LDAP_UID") || "cn"
|
||||
|
||||
|
@ -329,13 +329,21 @@ config :auto_linker,
|
||||
|
||||
## :ldap
|
||||
|
||||
Use LDAP for user authentication. When a user logs in to the Pleroma
|
||||
instance, the name and password will be verified by trying to authenticate
|
||||
(bind) to an LDAP server. If a user exists in the LDAP directory but there
|
||||
is no account with the same name yet on the Pleroma instance then a new
|
||||
Pleroma account will be created with the same name as the LDAP user name.
|
||||
|
||||
* `enabled`: enables LDAP authentication
|
||||
* `host`: LDAP server hostname
|
||||
* `port`: LDAP port, e.g. 389 or 636
|
||||
* `ssl`: true to use SSL
|
||||
* `ssl`: true to use SSL, usually implies the port 636
|
||||
* `sslopts`: additional SSL options
|
||||
* `tls`: true to start TLS, usually implies the port 389
|
||||
* `tlsopts`: additional TLS options
|
||||
* `base`: LDAP base, e.g. "dc=example,dc=com"
|
||||
* `uid`: attribute type to authenticate the user, e.g. when "cn", the filter will be "cn=username,base"
|
||||
* `uid`: LDAP attribute name to authenticate the user, e.g. when "cn", the filter will be "cn=username,base"
|
||||
|
||||
## Pleroma.Web.Auth.Authenticator
|
||||
|
||||
|
@ -60,6 +60,34 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
|
||||
case :eldap.open([to_charlist(host)], options) do
|
||||
{:ok, connection} ->
|
||||
try do
|
||||
if Keyword.get(ldap, :tls, false) do
|
||||
:application.ensure_all_started(:ssl)
|
||||
|
||||
case :eldap.start_tls(
|
||||
connection,
|
||||
Keyword.get(ldap, :tlsopts, []),
|
||||
@connection_timeout
|
||||
) do
|
||||
:ok ->
|
||||
:ok
|
||||
|
||||
error ->
|
||||
Logger.error("Could not start TLS: #{inspect(error)}")
|
||||
end
|
||||
end
|
||||
|
||||
bind_user(connection, ldap, name, password)
|
||||
after
|
||||
:eldap.close(connection)
|
||||
end
|
||||
|
||||
{:error, error} ->
|
||||
Logger.error("Could not open LDAP connection: #{inspect(error)}")
|
||||
{:error, {:ldap_connection_error, error}}
|
||||
end
|
||||
end
|
||||
|
||||
defp bind_user(connection, ldap, name, password) do
|
||||
uid = Keyword.get(ldap, :uid, "cn")
|
||||
base = Keyword.get(ldap, :base)
|
||||
|
||||
@ -76,14 +104,6 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
|
||||
error ->
|
||||
error
|
||||
end
|
||||
after
|
||||
:eldap.close(connection)
|
||||
end
|
||||
|
||||
{:error, error} ->
|
||||
Logger.error("Could not open LDAP connection: #{inspect(error)}")
|
||||
{:error, {:ldap_connection_error, error}}
|
||||
end
|
||||
end
|
||||
|
||||
defp register_user(connection, base, uid, name, password) do
|
||||
@ -91,6 +111,7 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
|
||||
{:base, to_charlist(base)},
|
||||
{:filter, :eldap.equalityMatch(to_charlist(uid), to_charlist(name))},
|
||||
{:scope, :eldap.wholeSubtree()},
|
||||
{:attributes, ['mail', 'email']},
|
||||
{:timeout, @search_timeout}
|
||||
]) do
|
||||
{:ok, {:eldap_search_result, [{:eldap_entry, _, attributes}], _}} ->
|
||||
@ -110,7 +131,9 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
|
||||
error -> error
|
||||
end
|
||||
else
|
||||
_ -> {:error, :ldap_registration_missing_attributes}
|
||||
_ ->
|
||||
Logger.error("Could not find LDAP attribute mail: #{inspect(attributes)}")
|
||||
{:error, :ldap_registration_missing_attributes}
|
||||
end
|
||||
|
||||
error ->
|
||||
|
Loading…
Reference in New Issue
Block a user