diff options
| author | Mark Felder <feld@feld.me> | 2024-09-11 12:45:33 -0400 |
|---|---|---|
| committer | Mark Felder <feld@feld.me> | 2024-09-11 12:47:46 -0400 |
| commit | 7def11d7c352f13ce0f12715649359344cbba9a6 (patch) | |
| tree | e10ea83ecbadc77f265ae933fb8e2bee0e83e865 /lib | |
| parent | 20e82c7456b7045930a47eaea2b8aa6733a91f49 (diff) | |
| download | pleroma-7def11d7c352f13ce0f12715649359344cbba9a6.tar.gz pleroma-7def11d7c352f13ce0f12715649359344cbba9a6.zip | |
LDAP Auth: fix TLS certificate verification
Currently we only support STARTTLS and it was not verifying certificate and hostname correctly. We must pass a custom fqdn_fun/1 function so it knows what value to compare against.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/pleroma/web/auth/ldap_authenticator.ex | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/lib/pleroma/web/auth/ldap_authenticator.ex b/lib/pleroma/web/auth/ldap_authenticator.ex index ea5620cf6..d31f34747 100644 --- a/lib/pleroma/web/auth/ldap_authenticator.ex +++ b/lib/pleroma/web/auth/ldap_authenticator.ex @@ -41,6 +41,7 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do port = Keyword.get(ldap, :port, 389) ssl = Keyword.get(ldap, :ssl, false) sslopts = Keyword.get(ldap, :sslopts, []) + tlsopts = Keyword.get(ldap, :tlsopts, []) options = [{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++ @@ -54,7 +55,16 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do case :eldap.start_tls( connection, - Keyword.get(ldap, :tlsopts, []), + Keyword.merge( + [ + verify: :verify_peer, + cacerts: :certifi.cacerts(), + customize_hostname_check: [ + fqdn_fun: fn _ -> to_charlist(host) end + ] + ], + tlsopts + ), @connection_timeout ) do :ok -> |