From 639fd46fac8108305a02bdc95aaa3923034d798c Mon Sep 17 00:00:00 2001 From: Sergey Poznyakoff Date: Fri, 25 Jul 2014 17:48:54 +0300 Subject: Implement TLS in perl utilities. --- examples/ldappubkey | 68 +++++++++++++++++++++++++++++++++++++++++++++++-- examples/usergitconfig | 69 ++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 133 insertions(+), 4 deletions(-) diff --git a/examples/ldappubkey b/examples/ldappubkey index 50fd97e..6073e73 100755 --- a/examples/ldappubkey +++ b/examples/ldappubkey @@ -63,6 +63,39 @@ Specifies the password to use with B. Name of the attribute to use instead of B. The LDAP record is searched using the filter B<(&(objectClass=posixAccount)(I=I))>. +=item B + +Use TLS + +=item B I + +Specifies the file that contains certificates for all of the Certificate +Authorities the client will recognize. + +=item B I + +Path of a directory that contains Certificate Authority certificates in +separate individual files. The B statement takes precedence +over B. + +=item B I + +Specifies the file that contains the client certificate. + +=item B I + +Specifies the file that contains the private key that matches the +certificate stored in the B file. + +=item B I + +Specifies acceptable cipher suite and preference order. + +=item B I + +Specifies what checks to perform on server certificates in a TLS session. +I is one of B, B, B, B or B. + =item B I Name of the attribute which holds the public key. Default is B. @@ -138,8 +171,11 @@ die "bad number of arguments; try perldoc $0 for more info" unless ($#ARGV == 0); ## Read configuration -foreach my $file ("/etc/ldap.conf", "/etc/ldap/ldap.conf", - "/etc/openldap/ldap.conf") { +my @config_files = ("/etc/ldap.conf", "/etc/ldap/ldap.conf", + "/etc/openldap/ldap.conf"); +unshift @config_files, $ENV{LDAP_CONF} if defined($ENV{LDAP_CONF}); + +foreach my $file (@config_files) { if (-e $file) { read_config_file($file); last; 
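Review bot: The new `unshift @config_files, $ENV{LDAP_CONF} if defined($ENV{LDAP_CONF});` makes a wrong LDAP_CONF value fail silently, because the loop below only tests `-e $file` and moves on to the system files, so a caller who set the variable ends up querying whatever /etc/ldap.conf points at instead of being told the path is bad; a guard such as `die "LDAP_CONF: $ENV{LDAP_CONF}: no such file" unless -e $ENV{LDAP_CONF};` before the unshift would make that explicit. Since ldap.conf carries uri, binddn/bindpw and the new tls_* settings, honouring an environment variable here means whoever controls the process environment chooses the server and whether its certificate is checked; if these scripts can run with privileges other than the invoking user's, the override should be skipped in that case (for example when `$< != $>`), and either way the variable deserves a line in the POD next to the new tls_* items. The same two lines are added to examples/usergitconfig in the last hunk of this patch and the remark applies there as well.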
@@ -148,6 +184,34 @@ foreach my $file ("/etc/ldap.conf", "/etc/ldap/ldap.conf",
 
 my $ldap = Net::LDAP->new($config{'uri'})
 or die("Unable to connect to LDAP server $config{'uri'}: $!");
+
+if ($config{ssl} eq 'start_tls') {
+ my %args;
+
+ $args{capath} = $config{tls_cacertdir}
+ if (defined($config{tls_cacertdir}));
+ $args{cafile} = $config{tls_cacert}
+ if (defined($config{tls_cacert}));
+ if ($config{tls_reqcert} eq 'none') {
+ $args{verify} = 'never';
+ } elsif ($config{tls_reqcert} eq 'allow') {
+ $args{verify} = 'optional';
+ } elsif ($config{tls_reqcert} eq 'demand'
+ or $config{tls_reqcert} eq 'hard') {
+ $args{verify} = 'require';
+ } elsif ($config{tls_reqcert} eq 'try') {
+ $args{verify} = 'optional'; # FIXME: That's wrong
+ }
+ $args{clientcert} = $config{tls_cert}
+ if (defined($config{tls_cert}));
+ $args{clientkey} = $config{tls_key}
+ if (defined($config{tls_key}));
+ $args{ciphers} = $config{tls_cipher_suite}
+ if (defined($config{tls_cipher_suite}));
+
+ assert($ldap->start_tls, "TLS negotiation");
+}
+
 my @bindargs = ();
 if (defined($config{'binddn'})) {
 push(@bindargs, $config{'binddn'});
diff --git a/examples/usergitconfig b/examples/usergitconfig
index 924bd6f..8199051 100755
--- a/examples/usergitconfig
+++ b/examples/usergitconfig
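Review bot: `assert($ldap->start_tls, "TLS negotiation");` calls start_tls without `%args`, so every option the block has just assembled (cafile, capath, verify, clientcert, clientkey, ciphers) is thrown away and the session is negotiated with Net::LDAP's defaults, which as far as I recall means the server certificate is not verified at all regardless of tls_reqcert; the line should be `assert($ldap->start_tls(%args), "TLS negotiation");`. Once the arguments are really passed two mapping problems surface: Net::LDAP documents the verify values as none/optional/require, so `$args{verify} = 'never';` in the `tls_reqcert eq 'none'` branch should be `'none'`, and when tls_reqcert is not set at all no verify value is chosen, whereas OpenLDAP's own default for TLS_REQCERT is demand, so starting from `my %args = (verify => 'require');` would keep the usual ldap.conf semantics. `$config{ssl} eq 'start_tls'` and the `tls_reqcert` comparisons also operate on possibly undefined values and will emit uninitialized-value warnings if the script runs under `use warnings` (the preamble is outside this hunk). The identical block is added to ldap_connect in examples/usergitconfig in the next file section, and the same three corrections apply there.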
@@ -64,6 +64,39 @@ Specifies the password to use with B. Name of the attribute to use instead of B. The LDAP record is searched using the filter B<(&(objectClass=posixAccount)(I=I))>. + +=item B + +Use TLS + +=item B I + +Specifies the file that contains certificates for all of the Certificate +Authorities the client will recognize. + +=item B I + +Path of a directory that contains Certificate Authority certificates in +separate individual files. The B statement takes precedence +over B. + +=item B I + +Specifies the file that contains the client certificate. + +=item B I + +Specifies the file that contains the private key that matches the +certificate stored in the B file. + +=item B I + +Specifies acceptable cipher suite and preference order. + +=item B I + +Specifies what checks to perform on server certificates in a TLS session. +I is one of B, B, B, B or B. =back 
@@ -134,6 +167,35 @@ sub assert {
 sub ldap_connect {
 my $ldap = Net::LDAP->new($config{'uri'})
 or die("Unable to connect to LDAP server $config{'uri'}: $!");
+
+ #if ($config{ldap_version}) {}
+ if ($config{ssl} eq 'start_tls') {
+ my %args;
+
+ $args{capath} = $config{tls_cacertdir}
+ if (defined($config{tls_cacertdir}));
+ $args{cafile} = $config{tls_cacert}
+ if (defined($config{tls_cacert}));
+ if ($config{tls_reqcert} eq 'none') {
+ $args{verify} = 'never';
+ } elsif ($config{tls_reqcert} eq 'allow') {
+ $args{verify} = 'optional';
+ } elsif ($config{tls_reqcert} eq 'demand'
+ or $config{tls_reqcert} eq 'hard') {
+ $args{verify} = 'require';
+ } elsif ($config{tls_reqcert} eq 'try') {
+ $args{verify} = 'optional'; # FIXME: That's wrong
+ }
+ $args{clientcert} = $config{tls_cert}
+ if (defined($config{tls_cert}));
+ $args{clientkey} = $config{tls_key}
+ if (defined($config{tls_key}));
+ $args{ciphers} = $config{tls_cipher_suite}
+ if (defined($config{tls_cipher_suite}));
+
+ assert($ldap->start_tls, "TLS negotiation");
+ }
+
 my @bindargs = ();
 if (defined($config{'binddn'})) {
 push(@bindargs, $config{'binddn'});
@@ -152,8 +214,11 @@ die "bad number of arguments; try perldoc $0 for more info"
 unless ($#ARGV == 0);
 
 ## Read configuration
-foreach my $file ("/etc/ldap.conf", "/etc/ldap/ldap.conf",
- "/etc/openldap/ldap.conf") {
+my @config_files = ("/etc/ldap.conf", "/etc/ldap/ldap.conf",
+ "/etc/openldap/ldap.conf");
+unshift @config_files, $ENV{LDAP_CONF} if defined($ENV{LDAP_CONF});
+
+foreach my $file (@config_files) {
 if (-e $file) {
 read_config_file($file);
 last;
-- cgit v1.2.1
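Review bot: The added `#if ($config{ldap_version}) {}` at the top of the new block in ldap_connect is commented-out placeholder code with no hint of what it is meant to become, which is the kind of stub that survives for years; either drop it or turn it into an explicit marker such as `# TODO: honour ldap_version from ldap.conf via the version argument of Net::LDAP->new`. `Net::LDAP->new` does take a `version` option, so if the setting is wanted it belongs in the constructor call two lines above rather than in a stub after the connection is already open. ldap_connect's body continues past the end of this hunk.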