This repository has been archived by the owner on Apr 17, 2023. It is now read-only.
ldap: fixed a couple of bugs around SSL support
This commit fixes a couple of bugs present in both master and 2.3:

1. We didn't implement some options that needed to be passed to the LDAP backend to fully support SSL connections. This has been addressed also in the configuration, but without breaking existing installations (e.g. the `method` attribute from 2.3 has been left untouched). This will be addressed in later commits of the master branch (so in 2.4 users should adapt to this change).
2. We were relying on Devise's translations for failures, but some of them were not available. This has been addressed and improved: the error message will be more on point and more informative to end users.

There is still room for improvement, but we can do it in later commits: let's keep this commit to the point so it can be cherry-picked into the 2.3 branch.

Fixes #1746
Fixes #1774
bsc#1073232

Signed-off-by: Miquel Sabaté Solà <[email protected]>
Showing 11 changed files with 693 additions and 72 deletions.
@@ -0,0 +1,59 @@ | ||
# frozen_string_literal: true | ||
|
||
## | ||
# TODO: this should be re-purposed once we support health for LDAP | ||
|
||
require "net/ldap" | ||
|
||
puts case Portus::DB.ping | ||
when :ready | ||
"DB_READY" | ||
when :empty | ||
"DB_EMPTY" | ||
when :missing | ||
"DB_MISSING" | ||
when :down | ||
"DB_DOWN" | ||
else | ||
"DB_UNKNOWN" | ||
end | ||
|
||
params = { host: APP_CONFIG["ldap"]["hostname"], port: APP_CONFIG["ldap"]["port"] } | ||
|
||
# Fill authentication details. | ||
if APP_CONFIG.enabled?("ldap.authentication") | ||
params[:auth] = { | ||
method: :simple, | ||
username: APP_CONFIG["ldap"]["authentication"]["bind_dn"], | ||
password: APP_CONFIG["ldap"]["authentication"]["password"] | ||
} | ||
end | ||
|
||
# Fill TLS options with the given env. variables or assume defaults. | ||
if APP_CONFIG["ldap"]["encryption"]["method"].present? | ||
params[:encryption] = { method: APP_CONFIG["ldap"]["encryption"]["method"].to_sym } | ||
|
||
if APP_CONFIG["ldap"]["encryption"]["options"]["ca_file"].present? | ||
params[:encryption][:tls_options] = { | ||
ca_file: APP_CONFIG["ldap"]["encryption"]["options"]["ca_file"], | ||
ssl_version: APP_CONFIG["ldap"]["encryption"]["options"]["ssl_version"] | ||
} | ||
else | ||
params[:encryption][:tls_options] = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS | ||
end | ||
end | ||
|
||
if APP_CONFIG.disabled?("ldap") | ||
puts "LDAP_DISABLED" | ||
else | ||
ldap = Net::LDAP.new(params) | ||
begin | ||
if ldap.bind | ||
puts "LDAP_OK" | ||
else | ||
puts "LDAP_FAIL" | ||
end | ||
rescue Net::LDAP::Error | ||
puts "LDAP_FAIL" | ||
end | ||
end |
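Review bot: the `APP_CONFIG.disabled?("ldap")` check at the end of the hunk runs only after the `params` hash has already been built from `APP_CONFIG["ldap"]["encryption"]["method"]` and `APP_CONFIG["ldap"]["encryption"]["options"]["ca_file"]`, so an installation with LDAP disabled (and therefore no reason to carry an `encryption` block) still has those nested keys dereferenced before the `LDAP_DISABLED` branch is reached; moving the disabled check ahead of the params construction, or reaching the nested keys with `dig`, keeps the script from raising on a minimal config. On the TLS side, the `ca_file` branch sets `tls_options` to just `ca_file` and `ssl_version`, while the other branch deliberately falls back to `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS`; stating `verify_mode` explicitly in the first branch as well would make it visible to a reader that peer verification is intended regardless of which branch runs, rather than relying on how the library merges the hash. Finally, the `rescue Net::LDAP::Error` around `ldap.bind` only covers errors of that class, so a handshake failure surfacing as an `OpenSSL::SSL::SSLError` (for instance a certificate that does not validate against `ca_file`) may exit with a stack trace instead of printing `LDAP_FAIL`; worth confirming against the net-ldap version in use and widening the rescue if it does not wrap that error.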