From b1743fd8c4e39262af513d5af7be91cc5d77ad4c Mon Sep 17 00:00:00 2001
From: Square Play'n
Date: Fri, 17 May 2019 16:41:53 +0200
Subject: [PATCH 1/3] LDAP signature verificatoin

Conform https://www.rubydoc.info/github/ruby-ldap/ruby-net-ldap/Net/LDAP Untested. The certificate is present on the main server in the specified directory.
---
 config/initializers/ldap_authenticatable.rb | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/config/initializers/ldap_authenticatable.rb b/config/initializers/ldap_authenticatable.rb
index f9715b5..12c16e4 100644
--- a/config/initializers/ldap_authenticatable.rb
+++ b/config/initializers/ldap_authenticatable.rb
@@ -9,7 +9,16 @@ module Strategies
 # have never used K2 before.
 class LdapAuthenticatable < Authenticatable
 def authenticate!
- ldap = Net::LDAP.new
+ ldap = Net::LDAP.new(
+ # Enable LDAP signature verification
+ encryption: {
+ method: :simple_tls,
+ tls_options: {
+ ca_file: '/opt/k2/shared/config/tuesmartca.pem',
+ ssl_version: 'TLSv1_1'
+ }
+ }
+ )
 ldap.host = cfg[:host]
 ldap.port = cfg[:port] || 389
 ldap.auth "#{cfg[:domain]}\\#{login}", password

From 35156882dcf16ad0348a7fdaa94ff4fd9e2b1cce Mon Sep 17 00:00:00 2001
From: Square Play'n
Date: Fri, 17 May 2019 17:00:30 +0200
Subject: [PATCH 2/3] Move certificate path to configuration variable

---
 config/initializers/ldap_authenticatable.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/initializers/ldap_authenticatable.rb b/config/initializers/ldap_authenticatable.rb
index 12c16e4..2bf4860 100644
--- a/config/initializers/ldap_authenticatable.rb
+++ b/config/initializers/ldap_authenticatable.rb
@@ -14,7 +14,7 @@ def authenticate!
 encryption: {
 method: :simple_tls,
 tls_options: {
- ca_file: '/opt/k2/shared/config/tuesmartca.pem',
+ ca_file: cfg[:ldap_cert_path],
 ssl_version: 'TLSv1_1'
 }
 }

From 28d271c9f2e2ea0f852153ddced21e56f4394906 Mon Sep 17 00:00:00 2001
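Review bot: The new `tls_options` pin `ssl_version: 'TLSv1_1'`, which restricts the handshake to exactly TLS 1.1 — a version deprecated by RFC 8996 that current OpenSSL builds and directory servers frequently refuse — so this should become `min_version: OpenSSL::SSL::TLS1_2_VERSION` (or be dropped so OpenSSL negotiates its default). The hunk also keeps the context line `ldap.port = cfg[:port] || 389`, but `:simple_tls` is implicit TLS from the first byte (LDAPS), which servers offer on 636, so the default should be `cfg[:port] || 636`, or the method should be `:start_tls` if 389 is intended. The comment `# Enable LDAP signature verification` describes a different feature (LDAP signing/sealing is a SASL integrity mechanism); `# Encrypt the connection and validate the server certificate against our CA` matches what these options do. Whether the server hostname is checked against the presented certificate depends on the net-ldap version in use, so that is worth confirming against the Gemfile.lock, since `ca_file` alone does not guarantee it. The `authenticate!` body continues past the end of this hunk.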
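Review bot: `ca_file: cfg[:ldap_cert_path]` evaluates to `ca_file: nil` when the key is absent from a deployment's config, and as far as I recall `OpenSSL::SSL::SSLContext#set_params` then falls back to the system default certificate store instead of failing, so the private-CA pinning introduced in patch 1/3 would silently stop applying. Prefer to fail fast: `ca_file: cfg.fetch(:ldap_cert_path)`, optionally preceded by `raise ArgumentError, 'ldap_cert_path is not readable' unless File.readable?(cfg[:ldap_cert_path])` so a misdeployed certificate surfaces at boot rather than at first login. The enclosing `authenticate!` method starts and ends outside this hunk.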
From: Square Play'n
Date: Fri, 17 May 2019 17:03:32 +0200
Subject: [PATCH 3/3] Add ldap_cert_path config var

---
 config/secrets.yml.example | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/config/secrets.yml.example b/config/secrets.yml.example
index a43468c..8475923 100644
--- a/config/secrets.yml.example
+++ b/config/secrets.yml.example
@@ -28,7 +28,9 @@ production:
 # The domain is used to determine which domain your user falls under.
 # The host is used to connect to and try to bind to using the provided details
 # The treebase is used when searching for the user in the LDAP directory.
+ # The ldap_cert_path should point to a .pem certificate of the used LDAP server
 # ldap:
 # domain: YOUR_DOMAIN_HERE
 # host: ldap_server.example.org
 # treebase: OU=Users,DC=example,DC=org
+ # ldap_cert_path: /opt/k2/shared/config/certificate_name.pem
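Review bot: The added comment says `ldap_cert_path` should point to `a .pem certificate of the used LDAP server`, but patch 2/3 passes this path as `ca_file`, which OpenSSL treats as the trust anchor: it needs the PEM-encoded CA certificate (or chain) that issued the server's certificate, and the server's own leaf certificate only works when it is self-signed. Suggest: `# The ldap_cert_path should point to the PEM-encoded CA certificate (or chain) that issued the LDAP server's certificate`. It is also worth stating next to the example value that the file must be readable by the application user, since a missing or unreadable file is otherwise only discovered when the first user tries to log in.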