LDAP Auth: fix TLS certificate verification
Currently we only support STARTTLS and it was not verifying certificate and hostname correctly. We must pass a custom fqdn_fun/1 function so it knows what value to compare against.
This commit is contained in:
parent
20e82c7456
commit
7def11d7c3
3 changed files with 13 additions and 1 deletions
1
changelog.d/ldap-tls.fix
Normal file
1
changelog.d/ldap-tls.fix
Normal file
|
@ -0,0 +1 @@
|
|||
STARTTLS certificate and hostname verification for LDAP authentication
|
|
@ -41,6 +41,7 @@ defp ldap_user(name, password) do
|
|||
port = Keyword.get(ldap, :port, 389)
|
||||
ssl = Keyword.get(ldap, :ssl, false)
|
||||
sslopts = Keyword.get(ldap, :sslopts, [])
|
||||
tlsopts = Keyword.get(ldap, :tlsopts, [])
|
||||
|
||||
options =
|
||||
[{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++
|
||||
|
@ -54,7 +55,16 @@ defp ldap_user(name, password) do
|
|||
|
||||
case :eldap.start_tls(
|
||||
connection,
|
||||
Keyword.get(ldap, :tlsopts, []),
|
||||
Keyword.merge(
|
||||
[
|
||||
verify: :verify_peer,
|
||||
cacerts: :certifi.cacerts(),
|
||||
customize_hostname_check: [
|
||||
fqdn_fun: fn _ -> to_charlist(host) end
|
||||
]
|
||||
],
|
||||
tlsopts
|
||||
),
|
||||
@connection_timeout
|
||||
) do
|
||||
:ok ->
|
||||
|
|
1
mix.exs
1
mix.exs
|
@ -204,6 +204,7 @@ defp deps do
|
|||
{:oban_live_dashboard, "~> 0.1.1"},
|
||||
{:multipart, "~> 0.4.0", optional: true},
|
||||
{:argon2_elixir, "~> 4.0"},
|
||||
{:certifi, "~> 2.12"},
|
||||
|
||||
## dev & test
|
||||
{:phoenix_live_reload, "~> 1.3.3", only: :dev},
|
||||
|
|
Loading…
Reference in a new issue