LDAP TLS patch (ref: bug 250916)
Seth Daniel
bugzilla-developers at sethdaniel.org
Thu Sep 23 22:13:34 UTC 2004
Hello,
I see that there is a bug open for adding LDAP TLS support to the LDAP
authentication backend for bugzilla. Is there any traction besides what
is in the bugzilla database? (I am guessing not).
https://bugzilla.mozilla.org/show_bug.cgi?id=250916
My patch does a bit more than the patch that is currently attached to
the above bug. Sometimes the LDAP server will request that the client
present a client certificate. If the client does not present a
certificate then (depending on the server configuration) the client's
request to start TLS could be rejected.
We are currently using this patch with Bugzilla 2.18rc2 where I work.
I would appreciate all the help I can get with this patch and eventually
getting TLS support in the Bugzilla release(s). The patch below applies
cleanly to CVS HEAD.
Thanks.
--- Bugzilla/Auth/Verify/LDAP.pm 2004-09-23 16:58:09.000000000 -0700
+++ Bugzilla/Auth/Verify/LDAP.pm.new 2004-09-23 16:58:43.000000000 -0700
@@ -67,6 +67,39 @@
return (AUTH_ERROR, undef, "connect_failed");
}
+ my $LDAPUseTLS = Param("LDAPUseTLS");
+ if ($LDAPUseTLS) {
+ my %start_tls_opts = ();
+
+ my $LDAPCAPath = Param("LDAPCAPath");
+ my $LDAPCAFile = Param("LDAPCAFile");
+ if (defined($LDAPCAFile)) {
+ $start_tls_opts{verify} = 'require';
+ $start_tls_opts{cafile} = $LDAPCAFile;
+ }
+ elsif (defined($LDAPCAPath)) {
+ $start_tls_opts{verify} = 'require';
+ $start_tls_opts{capath} = $LDAPCAPath;
+ }
+ else {
+ $start_tls_opts{verify} = 'none';
+ }
+
+ my $LDAPCertFile = Param("LDAPCertFile");
+ if (defined($LDAPCertFile)) {
+ $start_tls_opts{clientcert} = $LDAPCertFile;
+ }
+
+ my $LDAPKeyFile = Param("LDAPKeyFile");
+ if (defined($LDAPCertFile)) {
+ $start_tls_opts{clientkey} = $LDAPKeyFile;
+ }
+
+ if (!$LDAPconn->start_tls(%start_tls_opts)) {
+ return(AUTH_ERROR, undef, "Unable to start TLS");
+ }
+ }
+
my $mesg;
if (Param("LDAPbinddn")) {
my ($LDAPbinddn,$LDAPbindpass) =
split(":",Param("LDAPbinddn"));
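Review bot: the client-key block tests the wrong variable: `if (defined($LDAPCertFile))` guards `$start_tls_opts{clientkey} = $LDAPKeyFile;`, so it should read `if (defined($LDAPKeyFile))`; as written, a configuration with a certificate but no key hands `clientkey => undef` to start_tls. Two related points in the same hunk: the CA checks use `defined()`, but the defparams defaults for LDAPCAFile and LDAPCAPath are the empty string, so `defined` is always true, the first branch always wins with `cafile => ''`, and the `verify => 'none'` fallback is unreachable; test for a non-empty value instead (`if ($LDAPCAFile)`). Whether a silent fallback to `verify => 'none'` is wanted at all is worth deciding explicitly, since it accepts any server certificate and so protects against passive sniffing but not against an impersonating server; refusing to start with a clear error when no CA is configured is the safer default. Finally, Net::LDAP's start_tls returns a Net::LDAP::Message rather than a boolean, so `!$LDAPconn->start_tls(...)` is never true; capture the result, check `->code`, and return a short error key in the style of the existing `"connect_failed"` rather than the prose string `"Unable to start TLS"`.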
--- defparams.pl 2004-09-23 14:20:14.000000000 -0700
+++ defparams.pl.new 2004-09-23 16:57:19.000000000 -0700
@@ -410,6 +410,47 @@
},
{
+ name => 'LDAPUseTLS',
+ desc => 'Use START TLS when connecting to the LDAP server',
+ type => 'b',
+ default => '0'
+ },
+
+ {
+ name => 'LDAPCAFile',
+ desc => 'Full path to CA certificate (only used if LDAPUseTLS is
true). ' .
+ 'Do not set if you use LDAPCAPath.',
+ type => 't',
+ default => ''
+ },
+
+ {
+ name => 'LDAPCAPath',
+ desc => 'Full path to CA certificate directory (only used if
LDAPUseTLS ' .
+ 'is true). Do not set if you use LDAPCAFile.',
+ type => 't',
+ default => ''
+ },
+
+ {
+ name => 'LDAPCertFile',
+ desc => 'Full path to LDAP client certificate (only used if
LDAPUseTLS ' .
+ 'is true). This is only needed if the server requires that
the' .
+ 'client pass a certificate to the server.',
+ type => 't',
+ default => ''
+ },
+
+ {
+ name => 'LDAPKeyFile',
+ desc => 'Full path to LDAP client key (only used if LDAPUseTLS ' .
+ 'is true). This is only needed if the server requires that
the' .
+ 'client pass a certificate to the server.',
+ type => 't',
+ default => ''
+ },
+
+ {
name => 'LDAPuidattribute',
desc => 'The name of the attribute containing the user\'s login
name.',
type => 't',
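Review bot: the `desc` strings for LDAPCertFile and LDAPKeyFile lose a space at the concatenation `'... requires that the' . 'client pass ...'`, so the rendered text reads "that theclient pass"; put the trailing space inside the first string. Since every new parameter defaults to `''` rather than undef, the `defined()` checks on the LDAP.pm side will treat an unset parameter as set; either document that these must be left empty to disable the option, or make the checks test for a non-empty value. The LDAPKeyFile description should also state that it is required whenever LDAPCertFile is set (it is the private key belonging to that certificate), not merely "if the server requires" a certificate.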