activeldap 5.2.1 → 5.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 952ff57b69e61432c8d7558c5d7174c1b1624887d334af0dce219f81c3c96994
-  data.tar.gz: ea21da7bf86e6a8f0a71e95177cb8d2edaf6f7900700a2416c2d2c89438531e3
+  metadata.gz: 6d6b5227689af0fea86d9e29d3fc76165038dafb71ff7962780647b83f5d973c
+  data.tar.gz: 3a645873ff56846dab7e85adc7cc1a99b4e904b72f2e28fb61297e4a5e70add2
 SHA512:
-  metadata.gz: 3b52b40daf56db823378e77216af2a6673c35dd8f9d5167d01cbe1a94112aec66bb41af3367992b9f03ca48480d3e58a9a64de3d3380d4ce198937834bf78b4b
-  data.tar.gz: 4437b9bdb39f9258e50e0b5527e58b82b5241b49223df5c296e046b6841028a05076bbfa6c7033f83eb42234f58106a08e06d0491d8146a934a95c5a72fbe349
+  metadata.gz: 2eeacfd5b6f4d6e109299b1a59efd19a154845b11d192611575e95ce7c9585c68b366bf2844cb800474377b0efe83e4a5c9fac6a4b7c366c9222537300d88eb9
+  data.tar.gz: 7aaf91753784bd19d10ef86e8b720785c96b0ba8e5b7c072cb0e6f88a31d4f458525dc23d610d7ab679d1389e5db87d1cfc9f189f2cf48d7cb2ebdb1faab3974

data/doc/text/news.textile

@@ -1,5 +1,16 @@
 h1. News
 
+h2(#release-5-2-2). 5.2.2: 2018-07-12
+
+h3. Improvements
+
+* Added @:tls_options@ option.
+  [GitHub#156][Patch by David Klotz]
+
+h3. Thanks
+
+* David Klotz
+
 h2(#release-5-2-1). 5.2.1: 2018-06-13
 
 h3. Fixes

data/lib/active_ldap/adapter/base.rb

@@ -14,6 +14,7 @@ module ActiveLdap
         :host,
         :port,
         :method,
+        :tls_options,
         :timeout,
         :retry_on_timeout,
         :retry_limit,

data/lib/active_ldap/adapter/ldap.rb

@@ -24,7 +24,7 @@ module ActiveLdap
         end
 
         class SSL < Base
-          def connect(host, port)
+          def connect(host, port, options={})
             LDAP::SSLConn.new(host, port, false)
           end
 
@@ -34,8 +34,35 @@ module ActiveLdap
         end
 
         class TLS < Base
-          def connect(host, port)
-            LDAP::SSLConn.new(host, port, true)
+          def connect(host, port, options={})
+            connection = LDAP::Conn.new(host, port)
+            if connection.get_option(LDAP::LDAP_OPT_PROTOCOL_VERSION) < 3
+              connection.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
+            end
+            tls_options = options[:tls_options]
+            if tls_options and LDAP.const_defined?(:LDAP_OPT_X_TLS_NEWCTX)
+              tls_options.each do |key, value|
+                case key
+                when :verify_mode
+                  case value
+                  when :none, OpenSSL::SSL::SSL_VERIFY_NONE
+                    connection.set_option(LDAP::LDAP_OPT_X_TLS_REQUIRE_CERT,
+                                          LDAP::LDAP_OPT_X_TLS_NEVER)
+                  when :peer, OpenSSL::SSL::SSL_VERIFY_PEER
+                    connection.set_option(LDAP::LDAP_OPT_X_TLS_REQUIRE_CERT,
+                                          LDAP::LDAP_OPT_X_TLS_DEMAND)
+                  end
+                when :verify_hostname
+                  unless value
+                    connection.set_option(LDAP::LDAP_OPT_X_TLS_REQUIRE_CERT,
+                                          LDAP::LDAP_OPT_X_TLS_ALLOW)
+                  end
+                end
+              end
+              connection.set_option(LDAP::LDAP_OPT_X_TLS_NEWCTX, 0)
+            end
+            connection.start_tls
+            connection
           end
 
           def start_tls?
@@ -44,7 +71,7 @@ module ActiveLdap
         end
 
         class Plain < Base
-          def connect(host, port)
+          def connect(host, port, options={})
             LDAP::Conn.new(host, port)
           end
         end
@@ -54,9 +81,13 @@ module ActiveLdap
         super do |host, port, method|
           uri = construct_uri(host, port, method.ssl?)
           with_start_tls = method.start_tls?
-          info = {:uri => uri, :with_start_tls => with_start_tls}
+          info = {
+            :uri => uri,
+            :with_start_tls => with_start_tls,
+            :tls_options => @tls_options,
+          }
           connection = log("connect", info) do
-            method.connect(host, port)
+            method.connect(host, port, :tls_options => @tls_options)
           end
           [connection, uri, with_start_tls]
         end

data/lib/active_ldap/adapter/net_ldap.rb

@@ -26,7 +26,10 @@ module ActiveLdap
             :host => host,
             :port => port,
           }
-          config[:encryption] = {:method => method} if method
+          if method
+            config[:encryption] = { :method => method }
+            config[:encryption][:tls_options] = @tls_options if @tls_options
+          end
           begin
             uri = construct_uri(host, port, method == :simple_tls)
             with_start_tls = method == :start_tls

data/lib/active_ldap/configuration.rb

@@ -27,6 +27,7 @@ module ActiveLdap
     DEFAULT_CONFIG[:host] = '127.0.0.1'
     DEFAULT_CONFIG[:port] = nil
     DEFAULT_CONFIG[:method] = :plain  # :ssl, :tls, :plain allowed
+    DEFAULT_CONFIG[:tls_options] = nil
 
     DEFAULT_CONFIG[:bind_dn] = nil
     DEFAULT_CONFIG[:password_block] = nil

data/lib/active_ldap/version.rb

@@ -1,3 +1,3 @@
 module ActiveLdap
-  VERSION = "5.2.1"
+  VERSION = "5.2.2"
 end

data/test/add-phonetic-attribute-options-to-slapd.ldif

@@ -1,5 +1,5 @@
-# Your LDAP server need to accept 'phonetic' attribute option for test.
-# This is a LDIF file for OpenLDAP to do the confiugration.
+# Your LDAP server needs to accept 'phonetic' attribute option for test.
+# This is a LDIF file for OpenLDAP to do the configuration.
 # You can use this file by the following command linne on Debian GNU/Linux
 # or Ubuntu:
 #   % sudo -H ldapmodify -Y EXTERNAL -H ldapi:/// -f test/add-phonetic-attribute-options-to-slapd.ldif

data/test/enable-start-tls.ldif

@@ -0,0 +1,27 @@
+# Your LDAP server needs to support StartTLS when you test StartTLS related
+# feature. This is a LDIF file for OpenLDAP to do the configuration.
+# You can use this file by the following command linne on Debian GNU/Linux
+# or Ubuntu:
+#
+#   % sudo usermod -a -G ssl-cert openldap
+#   % sudo systemctl restart slapd
+#   % sudo -H ldapmodify -Y EXTERNAL -H ldapi:/// -f test/enable-start-tls.ldif
+#
+# Adding the openldap user to the ssl-cert group is required to read
+# certification related files.
+version: 1
+dn: cn=config
+delete: olcTLSCACertificateFile
+-
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
+-
+delete: olcTLSCertificateKeyFile
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ssl/private/ssl-cert-snakeoil.key
+-
+delete: olcTLSCertificateFile
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ssl/certs/ssl-cert-snakeoil.pem

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: activeldap
 version: !ruby/object:Gem::Version
-  version: 5.2.1
+  version: 5.2.2
 platform: ruby
 authors:
 - Will Drewry
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-06-13 00:00:00.000000000 Z
+date: 2018-07-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -294,6 +294,7 @@ files:
 - test/al-test-utils.rb
 - test/command.rb
 - test/config.yaml.sample
+- test/enable-start-tls.ldif
 - test/fixtures/lower_case_object_class_schema.rb
 - test/run-test.rb
 - test/test_acts_as_tree.rb
@@ -368,6 +369,7 @@ test_files:
 - test/al-test-utils.rb
 - test/command.rb
 - test/config.yaml.sample
+- test/enable-start-tls.ldif
 - test/fixtures/lower_case_object_class_schema.rb
 - test/run-test.rb
 - test/test_acts_as_tree.rb