commit: 7def11d7c352f13ce0f12715649359344cbba9a6
parent 20e82c7456b7045930a47eaea2b8aa6733a91f49
Author: Mark Felder <feld@feld.me>
Date:   Wed, 11 Sep 2024 12:45:33 -0400
LDAP Auth: fix TLS certificate verification
Currently we only support STARTTLS, and it was not verifying the certificate and hostname correctly. We must pass a custom fqdn_fun/1 function so that the hostname check knows what value to compare against.
Diffstat:
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/changelog.d/ldap-tls.fix b/changelog.d/ldap-tls.fix
@@ -0,0 +1 @@
+STARTTLS certificate and hostname verification for LDAP authentication
diff --git a/lib/pleroma/web/auth/ldap_authenticator.ex b/lib/pleroma/web/auth/ldap_authenticator.ex
@@ -41,6 +41,7 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
     port = Keyword.get(ldap, :port, 389)
     ssl = Keyword.get(ldap, :ssl, false)
     sslopts = Keyword.get(ldap, :sslopts, [])
+    tlsopts = Keyword.get(ldap, :tlsopts, [])
 
     options =
       [{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++
@@ -54,7 +55,16 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
 
             case :eldap.start_tls(
                    connection,
-                   Keyword.get(ldap, :tlsopts, []),
+                   Keyword.merge(
+                     [
+                       verify: :verify_peer,
+                       cacerts: :certifi.cacerts(),
+                       customize_hostname_check: [
+                         fqdn_fun: fn _ -> to_charlist(host) end
+                       ]
+                     ],
+                     tlsopts
+                   ),
                    @connection_timeout
                  ) do
               :ok ->
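Review bot: The default `cacerts: :certifi.cacerts()` in the `Keyword.merge` call stays in the merged list when an operator sets only `cacertfile` in `:tlsopts`. The OTP ssl documentation says `cacerts` overrides `cacertfile`, so a private CA configured that way would be ignored and the STARTTLS handshake against an internally signed LDAP server would fail. Adding the bundled store only when `tlsopts` carries neither key would fix this, as sketched below. Separately, because `tlsopts` wins the merge, an existing config containing `verify: :verify_none` still turns verification off silently, so logging a warning when the merged `:verify` value is not `:verify_peer` would make that visible. The enclosing function starts and ends outside this hunk.

```elixir
# … unchanged: tlsopts = Keyword.get(ldap, :tlsopts, []) …

# Fall back to the bundled CA store only when the operator has not supplied one.
ca_defaults =
  if Keyword.has_key?(tlsopts, :cacerts) or Keyword.has_key?(tlsopts, :cacertfile),
    do: [],
    else: [cacerts: :certifi.cacerts()]

# … unchanged: connection setup and the :eldap.start_tls case head …
Keyword.merge(
  [
    verify: :verify_peer,
    customize_hostname_check: [fqdn_fun: fn _ -> to_charlist(host) end]
  ] ++ ca_defaults,
  tlsopts
),
```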
diff --git a/mix.exs b/mix.exs
@@ -204,6 +204,7 @@ defmodule Pleroma.Mixfile do
       {:oban_live_dashboard, "~> 0.1.1"},
       {:multipart, "~> 0.4.0", optional: true},
       {:argon2_elixir, "~> 4.0"},
+      {:certifi, "~> 2.12"},
 
       ## dev & test
       {:phoenix_live_reload, "~> 1.3.3", only: :dev},