From 7def11d7c352f13ce0f12715649359344cbba9a6 Mon Sep 17 00:00:00 2001
From: Mark Felder <feld@feld.me>
Date: Wed, 11 Sep 2024 12:45:33 -0400
Subject: LDAP Auth: fix TLS certificate verification

Currently we only support STARTTLS and it was not verifying certificate and hostname correctly. We must pass a custom fqdn_fun/1 function so it knows what value to compare against.
---
 lib/pleroma/web/auth/ldap_authenticator.ex | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/pleroma/web/auth/ldap_authenticator.ex b/lib/pleroma/web/auth/ldap_authenticator.ex
index ea5620cf6..d31f34747 100644
--- a/lib/pleroma/web/auth/ldap_authenticator.ex
+++ b/lib/pleroma/web/auth/ldap_authenticator.ex
@@ -41,6 +41,7 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
     port = Keyword.get(ldap, :port, 389)
     ssl = Keyword.get(ldap, :ssl, false)
     sslopts = Keyword.get(ldap, :sslopts, [])
+    tlsopts = Keyword.get(ldap, :tlsopts, [])
 
     options =
       [{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++
@@ -54,7 +55,16 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
 
             case :eldap.start_tls(
                    connection,
-                   Keyword.get(ldap, :tlsopts, []),
+                   Keyword.merge(
+                     [
+                       verify: :verify_peer,
+                       cacerts: :certifi.cacerts(),
+                       customize_hostname_check: [
+                         fqdn_fun: fn _ -> to_charlist(host) end
+                       ]
+                     ],
+                     tlsopts
+                   ),
                    @connection_timeout
                  ) do
               :ok ->
-- 
cgit v1.2.3