-rwxr-xr-x | examples/ldappubkey | 68 | ||||
-rwxr-xr-x | examples/usergitconfig | 69 |
2 files changed, 133 insertions, 4 deletions
diff --git a/examples/ldappubkey b/examples/ldappubkey index 50fd97e..6073e73 100755 --- a/examples/ldappubkey +++ b/examples/ldappubkey @@ -63,6 +63,39 @@ Specifies the password to use with B<binddn>. Name of the attribute to use instead of B<uid>. The LDAP record is searched using the filter B<(&(objectClass=posixAccount)(I<ATTR>=I<LOGIN>))>. +=item B<ssl start_tls> + +Use TLS + +=item B<tls_cacert> I<FILE> + +Specifies the file that contains certificates for all of the Certificate +Authorities the client will recognize. + +=item B<tls_cacertdir> I<DIR> + +Path of a directory that contains Certificate Authority certificates in +separate individual files. The B<tls_cacert> statement takes precedence +over B<tls_cacertdir>. + +=item B<tls_cert> I<FILE> + +Specifies the file that contains the client certificate. + +=item B<tls_key> I<FILE> + +Specifies the file that contains the private key that matches the +certificate stored in the B<tls_cert> file. + +=item B<tls_cipher_suite> I<SPEC> + +Specifies acceptable cipher suite and preference order. + +=item B<tls_reqcert> I<LEVEL> + +Specifies what checks to perform on server certificates in a TLS session. +I<LEVEL> is one of B<never>, B<allow>, B<try>, B<demand> or B<hard>. + =item B<publickeyattribute> I<ATTR> Name of the attribute which holds the public key. Default is B<grayPublicKey>. @@ -138,8 +171,11 @@ die "bad number of arguments; try perldoc $0 for more info" unless ($#ARGV == 0); ## Read configuration -foreach my $file ("/etc/ldap.conf", "/etc/ldap/ldap.conf", - "/etc/openldap/ldap.conf") { +my @config_files = ("/etc/ldap.conf", "/etc/ldap/ldap.conf", + "/etc/openldap/ldap.conf"); +unshift @config_files, $ENV{LDAP_CONF} if defined($ENV{LDAP_CONF}); + +foreach my $file (@config_files) { if (-e $file) { read_config_file($file); last; 
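Review bot: The new `unshift @config_files, $ENV{LDAP_CONF} if defined($ENV{LDAP_CONF});` silently falls back to the system-wide ldap.conf when the named file does not exist, because the loop still takes the first path that passes `-e`; a misspelled override then quietly binds with the system uri and credentials. Failing early is the safer behaviour, e.g. `die "LDAP_CONF=$ENV{LDAP_CONF}: no such file" unless -e $ENV{LDAP_CONF};` before the unshift. Since the chosen file supplies the server uri, binddn and bindpw, the POD (whose hunk in this commit does not mention the variable) should document that LDAP_CONF is honoured, so anyone running the script from sudo or a privileged wrapper knows the environment must be under their control. The foreach's closing brace lies outside the hunk; the same change appears in usergitconfig at the end of this diff and needs the same treatment.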
@@ -148,6 +184,34 @@ foreach my $file ("/etc/ldap.conf", "/etc/ldap/ldap.conf", my $ldap = Net::LDAP->new($config{'uri'}) or die("Unable to connect to LDAP server $config{'uri'}: $!"); + +if ($config{ssl} eq 'start_tls') { + my %args; + + $args{capath} = $config{tls_cacertdir} + if (defined($config{tls_cacertdir})); + $args{cafile} = $config{tls_cacert} + if (defined($config{tls_cacert})); + if ($config{tls_reqcert} eq 'none') { + $args{verify} = 'never'; + } elsif ($config{tls_reqcert} eq 'allow') { + $args{verify} = 'optional'; + } elsif ($config{tls_reqcert} eq 'demand' + or $config{tls_reqcert} eq 'hard') { + $args{verify} = 'require'; + } elsif ($config{tls_reqcert} eq 'try') { + $args{verify} = 'optional'; # FIXME: That's wrong + } + $args{clientcert} = $config{tls_cert} + if (defined($config{tls_cert})); + $args{clientkey} = $config{tls_key} + if (defined($config{tls_key})); + $args{ciphers} = $config{tls_cipher_suite} + if (defined($config{tls_cipher_suite})); + + assert($ldap->start_tls, "TLS negotiation"); +} + my @bindargs = (); if (defined($config{'binddn'})) { push(@bindargs, $config{'binddn'}); diff --git a/examples/usergitconfig b/examples/usergitconfig index 924bd6f..8199051 100755 --- a/examples/usergitconfig +++ b/examples/usergitconfig 
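Review bot: `%args` is assembled but never used: `assert($ldap->start_tls, "TLS negotiation");` calls start_tls with no options, so the CA paths, verify level, client certificate and cipher suite are all discarded and the session falls back to Net::LDAP's own default for verify (no peer verification, per its documentation); the call should be `assert($ldap->start_tls(%args), "TLS negotiation");`. The `tls_reqcert` chain also tests for `'none'`, a value the POD in this same commit does not list (it documents `never`), and it assigns `'never'` to verify although Net::LDAP documents only none/optional/require, so both `tls_reqcert never` and an unset option end with verify left at the library default instead of OpenLDAP's own default of `demand`. If the script runs under `use warnings`, `$config{ssl} eq 'start_tls'` and the `eq` chain will also warn about uninitialised values whenever the options are absent from ldap.conf. The identical block in usergitconfig's ldap_connect later in this diff has the same problems; the rewritten lines below cover the default and the start_tls call and leave the existing FIXME in place.
```perl
if ($config{ssl} eq 'start_tls') {
    # OpenLDAP's own TLS_REQCERT default is demand, so verify unless told otherwise.
    my %args = (verify => 'require');
    my $reqcert = defined($config{tls_reqcert}) ? $config{tls_reqcert} : '';

    # … unchanged: capath / cafile …
    if ($reqcert eq 'never') {
        $args{verify} = 'none';
    } elsif ($reqcert eq 'allow') {
        $args{verify} = 'optional';
    } elsif ($reqcert eq 'demand' or $reqcert eq 'hard') {
        $args{verify} = 'require';
    } elsif ($reqcert eq 'try') {
        $args{verify} = 'optional'; # FIXME: That's wrong
    }
    # … unchanged: clientcert / clientkey / ciphers …

    assert($ldap->start_tls(%args), "TLS negotiation");
}
```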
@@ -64,6 +64,39 @@ Specifies the password to use with B<binddn>. Name of the attribute to use instead of B<uid>. The LDAP record is searched using the filter B<(&(objectClass=posixAccount)(I<ATTR>=I<LOGIN>))>. + +=item B<ssl start_tls> + +Use TLS + +=item B<tls_cacert> I<FILE> + +Specifies the file that contains certificates for all of the Certificate +Authorities the client will recognize. + +=item B<tls_cacertdir> I<DIR> + +Path of a directory that contains Certificate Authority certificates in +separate individual files. The B<tls_cacert> statement takes precedence +over B<tls_cacertdir>. + +=item B<tls_cert> I<FILE> + +Specifies the file that contains the client certificate. + +=item B<tls_key> I<FILE> + +Specifies the file that contains the private key that matches the +certificate stored in the B<tls_cert> file. + +=item B<tls_cipher_suite> I<SPEC> + +Specifies acceptable cipher suite and preference order. + +=item B<tls_reqcert> I<LEVEL> + +Specifies what checks to perform on server certificates in a TLS session. +I<LEVEL> is one of B<never>, B<allow>, B<try>, B<demand> or B<hard>. =back 
@@ -134,6 +167,35 @@ sub assert { sub ldap_connect { my $ldap = Net::LDAP->new($config{'uri'}) or die("Unable to connect to LDAP server $config{'uri'}: $!"); + + #if ($config{ldap_version}) {} + if ($config{ssl} eq 'start_tls') { + my %args; + + $args{capath} = $config{tls_cacertdir} + if (defined($config{tls_cacertdir})); + $args{cafile} = $config{tls_cacert} + if (defined($config{tls_cacert})); + if ($config{tls_reqcert} eq 'none') { + $args{verify} = 'never'; + } elsif ($config{tls_reqcert} eq 'allow') { + $args{verify} = 'optional'; + } elsif ($config{tls_reqcert} eq 'demand' + or $config{tls_reqcert} eq 'hard') { + $args{verify} = 'require'; + } elsif ($config{tls_reqcert} eq 'try') { + $args{verify} = 'optional'; # FIXME: That's wrong + } + $args{clientcert} = $config{tls_cert} + if (defined($config{tls_cert})); + $args{clientkey} = $config{tls_key} + if (defined($config{tls_key})); + $args{ciphers} = $config{tls_cipher_suite} + if (defined($config{tls_cipher_suite})); + + assert($ldap->start_tls, "TLS negotiation"); + } + my @bindargs = (); if (defined($config{'binddn'})) { push(@bindargs, $config{'binddn'}); @@ -152,8 +214,11 @@ die "bad number of arguments; try perldoc $0 for more info" unless ($#ARGV == 0); ## Read configuration -foreach my $file ("/etc/ldap.conf", "/etc/ldap/ldap.conf", - "/etc/openldap/ldap.conf") { +my @config_files = ("/etc/ldap.conf", "/etc/ldap/ldap.conf", + "/etc/openldap/ldap.conf"); +unshift @config_files, $ENV{LDAP_CONF} if defined($ENV{LDAP_CONF}); + +foreach my $file (@config_files) { if (-e $file) { read_config_file($file); last; |
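Review bot: The `#if ($config{ldap_version}) {}` line added at the top of the TLS block in ldap_connect is a commented-out stub with no explanation, and it reads as disabled logic rather than a plan; either drop it or replace it with a marker such as `# TODO: honour ldap_version from ldap.conf`. It is also worth checking what `assert` (defined just above this hunk) does with its first argument, since start_tls returns a Net::LDAP::Message object that is true even on failure; if assert only tests truthiness, the result's `->code` is what needs to be checked. ldap_connect continues past the end of the hunk.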