Commit 6ce85259 authored by sikeda's avatar sikeda

[change] New parameter "use_tls" for LDAP settings in list config, datasources...

[change] New parameter "use_tls" for LDAP settings in list config, datasources and auth.conf.  The obsoleted parameters "use_ssl" and "use_start_tls" can still be used.

"use_tls" takes one of following values corresponding to old ones:
- "starttls" : use_ssl=0, use_start_tls=1.
- "ldaps"    : use_ssl=1, use_start_tls=0.
- "none"     : TLS/SSL is disabled.

[feature] Now STARTTLS may be enabled in LDAP datasource configuration of lists along with LDAPS.


git-svn-id: https://subversion.renater.fr/sympa/branches/sympa-6.2-branch@12772 05aa8bb8-cd2b-0410-b1d7-8918dfa770ce
parent c11b3e2a
......@@ -42,6 +42,7 @@ unless (
\%options,
( map {"$_=s"} @{Sympa::DatabaseDriver::LDAP->required_parameters},
@{Sympa::DatabaseDriver::LDAP->optional_parameters},
qw(use_ssl use_start_tls), # Deprecated as of 6.2.15
qw(filter scope)
),
qw(suffix:s attrs:s),
......@@ -57,6 +58,15 @@ if ($options{'help'}) {
exit 0;
}
# Parameters deprecated as of 6.2.15.
if ($options{use_start_tls}) {
$options{use_tls} = 'starttls';
} elsif ($options{use_ssl}) {
$options{use_tls} = 'ldaps';
}
delete $options{use_start_tls};
delete $options{use_ssl};
my $db = Sympa::Database->new('LDAP', %options);
unless ($db
and defined $options{'suffix'}
......@@ -128,11 +138,11 @@ sympa_test_ldap, sympa_test_ldap.pl - Testing LDAP connection for Sympa
[ --attrs=[ string,...|* ] ]
[ --bind_dn=string [ --bind_password=string ] ]
[ --port=string ] [ --scope=base|one|sub ]
[ --use_ssl=1|--use_start_tls=1
[ --use_tls=starttls|ldaps|none
[ --ca_file=string ] [ --ca_path=string ]
[ --ca_verify=none|optional|require ]
[ --ssl_cert=string ] [ --ssl_ciphers=string ] [ --ssl_key=string ]
[ --ssl_version=sslv2|sslv3|tlsv1|tlsv1_2|tlsv1_3 ] ]
[ --ssl_version=sslv2|sslv3|tlsv1|tlsv1_1|tlsv1_2 ] ]
sympa_test_ldap.pl --help
......@@ -151,4 +161,7 @@ L<Sympa::DatabaseDriver::LDAP>.
testldap.pl was renamed to sympa_test_ldap.pl on Sympa 6.2.
C<--use_ssl> and C<--use_start_tls> options were obsoleted by Sympa 6.2.15.
C<--use_tls> option would be used instead.
=cut
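Review bot: The deprecated-flag fallback added to the option handling (`if ($options{use_start_tls}) { $options{use_tls} = 'starttls' } elsif ($options{use_ssl}) { $options{use_tls} = 'ldaps' }`) overwrites an explicit `--use_tls`, so `--use_tls=ldaps --use_start_tls=1` silently tests STARTTLS rather than the transport the operator asked for, which for a diagnostic tool should at least produce a warning. Let the new option win and say why the old ones are going away: `$options{use_tls} ||= 'starttls';` and `$options{use_tls} ||= 'ldaps';`, preceded by `warn "--use_ssl and --use_start_tls are deprecated; use --use_tls\n";`. Nothing here validates the `--use_tls` value either (Getopt accepts any string through `"$_=s"`), so a typo such as `--use_tls=tls` reaches the driver; unless the driver rejects it, add `die "--use_tls must be starttls, ldaps or none\n" unless $options{use_tls} =~ /\A(?:starttls|ldaps|none)\z/;` before `Sympa::Database->new`. The SYNOPSIS still offers `sslv2|sslv3` for `--ssl_version`; a one-line POD caveat that these are insecure and kept only for compatibility would help operators.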
......@@ -1006,8 +1006,9 @@ sub _load_auth {
'alternative_email_attribute' => '(\w+)(,\w+)*',
'scope' => 'base|one|sub',
'authentication_info_url' => 'http(s)?:/.*',
'use_ssl' => '1',
'use_start_tls' => '1',
'use_tls' => 'starttls|ldaps|none',
'use_ssl' => '1', # Obsoleted
'use_start_tls' => '1', # Obsoleted
'ssl_version' => 'sslv2/3|sslv2|sslv3|tlsv1|tlsv1_1|tlsv1_2',
'ssl_ciphers' => '[\w:]+',
'ssl_cert' => '.+',
......@@ -1041,8 +1042,9 @@ sub _load_auth {
'scope' => 'base|one|sub',
'get_email_by_uid_filter' => '.+',
'email_attribute' => '\w+',
'use_ssl' => '1',
'use_start_tls' => '1',
'use_tls' => 'starttls|ldaps|none',
'use_ssl' => '1', # Obsoleted
'use_start_tls' => '1', # Obsoleted
'ssl_version' => 'sslv2/3|sslv2|sslv3|tlsv1|tlsv1_1|tlsv1_2',
'ssl_ciphers' => '[\w:]+',
'ssl_cert' => '.+',
......@@ -1067,8 +1069,9 @@ sub _load_auth {
'scope' => 'base|one|sub',
'get_email_by_uid_filter' => '.+',
'email_attribute' => '\w+',
'use_ssl' => '1',
'use_start_tls' => '1',
'use_tls' => 'starttls|ldaps|none',
'use_ssl' => '1', # Obsoleted
'use_start_tls' => '1', # Obsoleted
'ssl_version' => 'sslv2/3|sslv2|sslv3|tlsv1|tlsv1_1|tlsv1_2',
'ssl_ciphers' => '[\w:]+',
'ssl_cert' => '.+',
......@@ -1140,6 +1143,14 @@ sub _load_auth {
## process current paragraph
if (/^\s+$/o || eof(IN)) {
if (defined($current_paragraph)) {
# Parameters obsoleted as of 6.2.15.
if ($current_paragraph->{use_start_tls}) {
$current_paragraph->{use_tls} = 'starttls';
} elsif ($current_paragraph->{use_ssl}) {
$current_paragraph->{use_tls} = 'ldaps';
}
delete $current_paragraph->{use_start_tls};
delete $current_paragraph->{use_ssl};
if ($current_paragraph->{'auth_type'} eq 'cas') {
unless (defined $current_paragraph->{'base_url'}) {
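Review bot: In the new paragraph post-processing, a stale `use_start_tls 1` or `use_ssl 1` left in an auth.conf paragraph overrides an explicit `use_tls`, and the administrator is never told the old keys are obsolete, so a half-migrated paragraph can end up on a different transport than the one written in `use_tls`. Prefer the explicit key and log the fallback, as below; the enclosing `_load_auth` starts and ends outside this hunk, and I am assuming a `$log` (or whatever logging call `_load_auth` already uses) is in scope. The key tables earlier in the same file do restrict `use_tls` to `starttls|ldaps|none`, so value validation itself is covered for auth.conf.
```perl
# Parameters obsoleted as of 6.2.15: honour them only when use_tls is absent.
if ($current_paragraph->{use_start_tls} or $current_paragraph->{use_ssl}) {
    $log->syslog('notice',
        'use_ssl/use_start_tls in auth.conf are obsoleted; use use_tls');
    $current_paragraph->{use_tls} ||=
        $current_paragraph->{use_start_tls} ? 'starttls' : 'ldaps';
}
delete $current_paragraph->{use_start_tls};
delete $current_paragraph->{use_ssl};
# … unchanged: auth_type-specific checks …
```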
......
......@@ -37,7 +37,7 @@ my $log = Sympa::Log->instance;
use constant required_parameters => [qw(host)];
use constant optional_parameters => [
qw(port bind_dn bind_password
use_ssl use_start_tls ssl_version ssl_ciphers
use_tls ssl_version ssl_ciphers
ssl_cert ssl_key ca_verify ca_path ca_file)
];
use constant required_modules => [qw(Net::LDAP)];
......@@ -48,6 +48,8 @@ sub _new {
my $db_type = shift;
my %params = @_;
$params{use_tls} ||= 'none';
# Canonicalize host parameter to be "scheme://host:port".
# Note: Net::LDAP >= 0.40 is required to use ldaps: scheme.
my @hosts =
......@@ -58,19 +60,14 @@ sub _new {
foreach my $host (@hosts) {
$host .= ':' . $params{port}
if $params{port} and $host !~ m{:[-\w]+\z};
# Value of obsoleted use_ssl parameter may be '1' or 'yes' depending
# on the context.
$host = 'ldaps://' . $host
if $params{use_ssl}
and ($params{use_ssl} eq '1' or $params{use_ssl} eq 'yes')
and $host !~ m{\A[-\w]+://};
if $params{use_tls} eq 'ldaps' and $host !~ m{\A[-\w]+://};
$host = 'ldap://' . $host
if $host !~ m{\A[-\w]+://};
}
$params{_hosts} = [@hosts];
$params{host} = join ',', @hosts;
delete $params{port};
delete $params{use_ssl};
return bless {%params} => $class;
}
......@@ -78,8 +75,8 @@ sub _new {
sub _connect {
my $self = shift;
if ($self->{host} =~ m{\bldaps://} or $self->{use_start_tls}) {
# LDAPS and start_tls require IO::Socket::SSL.
if ($self->{host} =~ m{\bldaps://} or $self->{use_tls} eq 'starttls') {
# LDAPS and STARTTLS require IO::Socket::SSL.
unless ($IO::Socket::SSL::VERSION) {
$log->syslog('err', 'Can\'t load IO::Socket::SSL');
return undef;
......@@ -128,7 +125,7 @@ sub _connect {
my $host_entry = sprintf '%s://%s', $connection->scheme, $connection->uri;
# START_TLS if requested.
if ($self->{'use_start_tls'}) {
if ($self->{use_tls} eq 'starttls') {
my $mesg = $connection->start_tls(
verify => (
(not $self->{ca_verify}) ? 'optional'
......@@ -247,8 +244,19 @@ sub error {
Sympa::DatabaseDriver::LDAP - Database driver for LDAP search operation
=head1 DESCRIPTION
TBD.
=head1 SEE ALSO
L<Sympa::DatabaseDriver>, L<Sympa::Database>.
=head1 HISTORY
L<Sympa::DatabaseDriver::LDAP> appeared on Sympa 6.2.
On Sympa 6.2.15, C<use_ssl> and C<use_start_tls> options were deprecated and
replaced by C<use_tls>.
=cut
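Review bot: `$params{use_tls} ||= 'none';` in `_new` turns any unrecognised value into cleartext LDAP, because the only later checks are `eq 'ldaps'` and `eq 'starttls'`; a misspelt `use_tls` from a caller that bypasses the ListDef/auth.conf validators (sympa_test_ldap.pl passes the raw option string) would send `bind_password` unencrypted with no diagnostic. Fail closed by rejecting unknown values up front, as below; returning undef is consistent with how the test script already handles a failed `Sympa::Database->new` (`unless ($db ...`), assuming `Sympa::Database->new` propagates it. Separately, because the scheme test `$host !~ m{\A[-\w]+://}` lets an explicit `ldap://` prefix win over `use_tls => 'ldaps'` and `_connect` then decides TLS from the URL, that combination also degrades silently and deserves at least a `$log->syslog('err', ...)`. `_new` begins before the hunk.
```perl
    $params{use_tls} ||= 'none';
    # Fail closed: an unknown value must not fall back to cleartext LDAP.
    unless (grep { $params{use_tls} eq $_ } qw(starttls ldaps none)) {
        $log->syslog('err', 'Unknown use_tls value "%s"', $params{use_tls});
        return undef;
    }
    # … unchanged: host canonicalisation …
```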
......@@ -5898,8 +5898,8 @@ sub _load_list_members_from_include {
# As CA certificate is required, take it from site config.
if ( ref $incl eq 'HASH'
and $incl->{use_ssl}
and $incl->{use_ssl} eq 'yes'
and $incl->{use_tls}
and $incl->{use_tls} ne 'none'
and not $incl->{ca_file}
and not $incl->{ca_path}) {
$incl->{ca_file} = $Conf::Conf{'cafile'}
......@@ -6170,8 +6170,8 @@ sub _load_list_admin_from_include {
# As CA certificate is required, take it from site config.
if ( ref $incl eq 'HASH'
and $incl->{use_ssl}
and $incl->{use_ssl} eq 'yes'
and $incl->{use_tls}
and $incl->{use_tls} ne 'none'
and not $incl->{ca_file}
and not $incl->{ca_path}) {
$incl->{ca_file} = $Conf::Conf{'cafile'}
......@@ -6558,8 +6558,8 @@ sub sync_include_ca {
# As CA certificate is required, take it from site config.
if ( ref $incl eq 'HASH'
and $incl->{use_ssl}
and $incl->{use_ssl} eq 'yes'
and $incl->{use_tls}
and $incl->{use_tls} ne 'none'
and not $incl->{ca_file}
and not $incl->{ca_path}) {
$incl->{ca_file} = $Conf::Conf{'cafile'}
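Review bot: The same five-line condition now appears verbatim in `_load_list_members_from_include`, `_load_list_admin_from_include` and `sync_include_ca`; the commit had to touch all three to flip `use_ssl eq 'yes'` to `use_tls ne 'none'`, which is exactly the drift a shared predicate would prevent. Extract it, e.g. `if (_ldap_needs_site_ca($incl)) {` in each caller with the predicate below; the `$incl->{ca_file} = $Conf::Conf{'cafile'}` statement continues past each hunk, so it stays where it is. Note that `ne 'none'` treats any unrecognised `use_tls` value as TLS for this purpose, which is the conservative direction only if the driver rejects such values instead of falling back to cleartext.
```perl
# True when the LDAP include uses TLS (STARTTLS or LDAPS) but names
# neither ca_file nor ca_path, so the site-wide CA file must be supplied.
sub _ldap_needs_site_ca {
    my $incl = shift;
    return 0 unless ref $incl eq 'HASH';
    return 0 unless $incl->{use_tls} and $incl->{use_tls} ne 'none';
    return 0 if $incl->{ca_file} or $incl->{ca_path};
    return 1;
}
```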
......
......@@ -55,7 +55,13 @@ our %alias = (
'custom-header' => 'custom_header',
'subscription' => 'subscribe',
'unsubscription' => 'unsubscribe',
'max-size' => 'max_size'
'max-size' => 'max_size',
# "*.use_ssl (yes|no)" are mapped to "*.use_tls (ldaps|none)".
# See also each parameter definition.
'include_ldap_query.use_ssl' => 'use_tls', # 5.3a.2 - 6.2.14
'include_ldap_2level_query.use_ssl' => 'use_tls', # ,,
'include_ldap_ca.use_ssl' => 'use_tls', # 6.2a? - 6.2.14
'include_ldap_2level_ca.use_ssl' => 'use_tls', # ,,
);
our %pinfo = (
......@@ -1039,12 +1045,19 @@ our %pinfo = (
'obsolete' => 1,
'length' => 4
},
'use_ssl' => {
'order' => 2.5,
'gettext_id' => 'use SSL (LDAPS)',
'format' => ['yes', 'no'],
'default' => 'no'
},
'use_tls' => {
'order' => 2.4,
'gettext_id' => 'use TLS (formerly SSL)',
'format' => ['starttls', 'ldaps', 'none'],
'default' => 'none',
'synonym' => {'yes' => 'ldaps', 'no' => 'none'},
},
#'use_ssl' => {
# 'order' => 2.5,
# 'gettext_id' => 'use SSL (LDAPS)',
# 'format' => ['yes', 'no'],
# 'default' => 'no'
#},
'ssl_version' => {
'order' => 2.6,
'gettext_id' => 'SSL version',
......@@ -1149,12 +1162,19 @@ our %pinfo = (
'obsolete' => 1,
'length' => 4
},
'use_ssl' => {
'order' => 2.5,
'gettext_id' => 'use SSL (LDAPS)',
'format' => ['yes', 'no'],
'default' => 'no'
},
'use_tls' => {
'order' => 2.4,
'gettext_id' => 'use TLS (formerly SSL)',
'format' => ['starttls', 'ldaps', 'none'],
'default' => 'none',
'synonym' => {'yes' => 'ldaps', 'no' => 'none'},
},
#'use_ssl' => {
# 'order' => 2.5,
# 'gettext_id' => 'use SSL (LDAPS)',
# 'format' => ['yes', 'no'],
# 'default' => 'no'
#},
'ssl_version' => {
'order' => 2.6,
'gettext_id' => 'SSL version',
......@@ -1439,12 +1459,19 @@ our %pinfo = (
'obsolete' => 1,
'length' => 4
},
'use_ssl' => {
'order' => 2.5,
'gettext_id' => 'use SSL (LDAPS)',
'format' => ['yes', 'no'],
'default' => 'no'
},
'use_tls' => {
'order' => 2.4,
'gettext_id' => 'use TLS (formerly SSL)',
'format' => ['starttls', 'ldaps', 'none'],
'default' => 'none',
'synonym' => {'yes' => 'ldaps', 'no' => 'none'},
},
#'use_ssl' => {
# 'order' => 2.5,
# 'gettext_id' => 'use SSL (LDAPS)',
# 'format' => ['yes', 'no'],
# 'default' => 'no'
#},
'ssl_version' => {
'order' => 2.6,
'gettext_id' => 'SSL version',
......@@ -1555,12 +1582,19 @@ our %pinfo = (
'obsolete' => 1,
'length' => 4
},
'use_ssl' => {
'order' => 2.5,
'gettext_id' => 'use SSL (LDAPS)',
'format' => ['yes', 'no'],
'default' => 'no'
},
'use_tls' => {
'order' => 2.4,
'gettext_id' => 'use TLS (formerly SSL)',
'format' => ['starttls', 'ldaps', 'none'],
'default' => 'none',
'synonym' => {'yes' => 'ldaps', 'no' => 'none'},
},
#'use_ssl' => {
# 'order' => 2.5,
# 'gettext_id' => 'use SSL (LDAPS)',
# 'format' => ['yes', 'no'],
# 'default' => 'no'
#},
'ssl_version' => {
'order' => 2.6,
'gettext_id' => 'SSL version',
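Review bot: Each of the four new `use_tls` definitions is followed by the old `use_ssl` entry left in as a commented-out block (`#'use_ssl' => { ... #},`), dead text the reader has to skip four times; backward compatibility is already carried by the `%alias` entries (`'include_ldap_query.use_ssl' => 'use_tls'` and siblings) and the `'synonym' => {'yes' => 'ldaps', 'no' => 'none'}` map, so delete the commented blocks, or if a placeholder is wanted follow the table's own convention of a real entry marked `'obsolete' => 1`, as the entry immediately above `use_tls` in each hunk is. A short comment on the `use_tls` definition such as `# 'none' means cleartext LDAP; bind_password then travels unencrypted.` would help list owners who pick a value in the web UI.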
......
......@@ -96,9 +96,14 @@ my %list_option = (
'one' => {'gettext_id' => 'one level'},
'sub' => {'gettext_id' => 'subtree'},
# include_ldap_2level_query.use_ssl, include_ldap_query.use_ssl
'yes' => {'gettext_id' => 'yes'},
'no' => {'gettext_id' => 'no'},
# include_ldap_query.use_tls, include_ldap_2level_query.use_tls,
# include_ldap_ca.use_tls, include_ldap_2level_ca.use_tls
'starttls' => {'gettext_id' => 'use STARTTLS'},
'ldaps' => {'gettext_id' => 'use LDAPS (LDAP over TLS)'},
## include_ldap_2level_query.use_ssl, include_ldap_query.use_ssl
#'yes' => {'gettext_id' => 'yes'},
#'no' => {'gettext_id' => 'no'},
# include_ldap_2level_query.ssl_version, include_ldap_query.ssl_version
'sslv2' => {'gettext_id' => 'SSL version 2'},
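Review bot: Labels are added for `starttls` and `ldaps` but not for the third `use_tls` value, `none`, which is also the ListDef default; unless `%list_option` already carries a `'none'` key elsewhere (the `ca_verify` values `none|optional|require` are a likely place, and a second key would collide), the default choice renders without a label, so add `'none' => {'gettext_id' => 'no TLS (cleartext LDAP)'},`, naming the consequence so owners can avoid it. The commented-out `yes`/`no` lines kept beneath are dead text; the ListDef synonym map already handles those legacy values, so they can go.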
......