[pve-devel] [PATCH pve-access-control] ldap auth: add sslversion option
Alexandre Derumier
aderumier at odiso.com
Mon Nov 4 10:18:05 CET 2019
default to tls1.2
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
PVE/Auth/AD.pm | 11 +++++++++++
PVE/Auth/LDAP.pm | 5 +++++
2 files changed, 16 insertions(+)
diff --git a/PVE/Auth/AD.pm b/PVE/Auth/AD.pm
index b924b02..a877a76 100755
--- a/PVE/Auth/AD.pm
+++ b/PVE/Auth/AD.pm
@@ -33,6 +33,12 @@ sub properties {
optional => 1,
},
+ sslversion => {
+ description => "LDAPS ssl version.",
+ type => 'string',
+ enum => [qw(tlsv1 tlsv1_1 tlsv1_2)],
+ optional => 1,
+ },
default => {
description => "Use this as default realm",
type => 'boolean',
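Review bot: The `enum` for the new `sslversion` property still offers `tlsv1` and `tlsv1_1`, both deprecated protocol versions, and offers nothing newer than TLS 1.2. The description also omits the fallback that the authentication code applies when the option is unset; something like `description => "LDAPS TLS version. Falls back to 'tlsv1_2' when unset.",` would make that visible in the generated documentation. If the older versions are kept for legacy directory servers, the description should say so, so that selecting them is a deliberate downgrade. The `properties` sub starts and ends outside the hunk.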
@@ -69,6 +75,7 @@ sub options {
domain => {},
port => { optional => 1 },
secure => { optional => 1 },
+ sslversion => { optional => 1 },
default => { optional => 1 },,
comment => { optional => 1 },
tfa => { optional => 1 },
@@ -108,6 +115,10 @@ my $authenticate_user_ad = sub {
$ad_args{verify} = 'none';
}
+ if ($config->{secure}) {
+ $ad_args{sslversion} = $config->{sslversion} ? $config->{sslversion} : 'tlsv1_2';
+ }
+
my $ldap = Net::LDAP->new($conn_string, %ad_args) || die "$@\n";
$username = "$username\@$config->{domain}"
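Review bot: The fallback `'tlsv1_2'` in the new `if ($config->{secure})` block looks like an exact pin rather than a minimum: as far as I can tell Net::LDAP hands `sslversion` to IO::Socket::SSL as `SSL_version`, where a single version name selects only that version, so realms with no explicit setting could not negotiate TLS 1.3. If a floor is what is wanted, a version list such as `'SSLv23:!SSLv3:!SSLv2:!TLSv1:!TLSv1_1'` would express it (to be confirmed against the Net::LDAP version in use); otherwise add a comment such as `# exact pin: TLS 1.2 only, newer versions are not negotiated`. The identical block is added to `$authenticate_user_ldap` in PVE/Auth/LDAP.pm and the same applies there. The context line `$ad_args{verify} = 'none';` just above shows a path where the server certificate is not verified, so fixing the protocol version alone does not authenticate the server on that path; its condition lies outside the hunk. `$authenticate_user_ad` starts and ends outside the hunk.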
diff --git a/PVE/Auth/LDAP.pm b/PVE/Auth/LDAP.pm
index 9f08504..d6c26eb 100755
--- a/PVE/Auth/LDAP.pm
+++ b/PVE/Auth/LDAP.pm
@@ -70,6 +70,7 @@ sub options {
user_attr => {},
port => { optional => 1 },
secure => { optional => 1 },
+ sslversion => { optional => 1 },
default => { optional => 1 },
comment => { optional => 1 },
tfa => { optional => 1 },
@@ -109,6 +110,10 @@ my $authenticate_user_ldap = sub {
$ldap_args{verify} = 'none';
}
+ if ($config->{secure}) {
+ $ldap_args{sslversion} = $config->{sslversion} ? $config->{sslversion} : 'tlsv1_2';
+ }
+
my $ldap = Net::LDAP->new($conn_string, %ldap_args) || die "$@\n";
if (my $bind_dn = $config->{bind_dn}) {
--
2.20.1