Adding LDAP StartTLS support

Some LDAP server do not allow authenticate with unencrypted password. This patch is adding the StartTLS support which takes care of the encryption. In order to enable the StartTLS, go to "System Settings" and select the "Enable StartTLS" in the Authentication section. Then make sure that you add your LDAP certificate into the Java keystore: $ keytool -import \ -file /etc/pki/tls/certs/cacert.pem \ -alias myName \ -keystore /var/lib/gitbucket/keystore You can list all keys from the keystore like this: $ keytool -list -keystore /var/lib/gitbucket/keystore
2025-11-05 21:15:49 +01:00 · 2013-11-01 15:44:19 +00:00
parent 34853d0322
commit f311339786
6 changed files with 52 additions and 9 deletions
--- a/src/main/scala/util/LDAPUtil.scala
+++ b/src/main/scala/util/LDAPUtil.scala
@@ -3,6 +3,8 @@ package util
 import util.ControlUtil._
 import service.SystemSettingsService
 import com.novell.ldap._
+import java.security.Security
+import org.slf4j.LoggerFactory
 import service.SystemSettingsService.Ldap
 import scala.annotation.tailrec

@@ -11,7 +13,8 @@ import scala.annotation.tailrec
 */
 object LDAPUtil {

-  private val LDAP_VERSION: Int = 3
+  private val LDAP_VERSION: Int = LDAPConnection.LDAP_V3
+  private val logger = LoggerFactory.getLogger("LDAPUtil")

  /**
   * Try authentication by LDAP using given configuration.
@@ -22,7 +25,8 @@ object LDAPUtil {
      ldapSettings.host,
      ldapSettings.port.getOrElse(SystemSettingsService.DefaultLdapPort),
      ldapSettings.bindDN.getOrElse(""),
-      ldapSettings.bindPassword.getOrElse("")
+      ldapSettings.bindPassword.getOrElse(""),
+      ldapSettings.tls.getOrElse(false)
    ) match {
      case Some(conn) => {
        withConnection(conn) { conn =>
@@ -41,7 +45,8 @@ object LDAPUtil {
      ldapSettings.host,
      ldapSettings.port.getOrElse(SystemSettingsService.DefaultLdapPort),
      userDN,
-      password
+      password,
+      ldapSettings.tls.getOrElse(false)
    ) match {
      case Some(conn) => {
        withConnection(conn) { conn =>
@@ -55,15 +60,35 @@ object LDAPUtil {
    }
  }

-  private def bind(host: String, port: Int, dn: String, password: String): Option[LDAPConnection] = {
-    val conn: LDAPConnection = new LDAPConnection
+  private def bind(host: String, port: Int, dn: String, password: String, tls: Boolean): Option[LDAPConnection] = {
+    if (tls) {
+      // Dynamically set Sun as the security provider
+      Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider())
+    }
+
+    val conn: LDAPConnection = new LDAPConnection(new LDAPJSSEStartTLSFactory())
    try {
+      // Connect to the server
      conn.connect(host, port)
+
+      if (tls) {
+        // Secure the connection
+        conn.startTLS()
+      }
+
+      // Bind to the server
      conn.bind(LDAP_VERSION, dn, password.getBytes)
+
      Some(conn)
    } catch {
      case e: Exception => {
-        if (conn.isConnected) conn.disconnect()
+        // Provide more information if something goes wrong
+        logger.info("" + e)
+
+        if (conn.isConnected) {
+          conn.disconnect()
+        }
+
        None
      }
    }