fix #1947: implement starttls for ldap
authorDominik Csapak <d.csapak@proxmox.com>
Wed, 13 Mar 2019 14:17:08 +0000 (15:17 +0100)
committerDietmar Maurer <dietmar@proxmox.com>
Thu, 14 Mar 2019 06:25:28 +0000 (07:25 +0100)
adds a new mode 'ldap+starttls' that enables the start_tls after
connection

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
PMG/LDAPCache.pm
PMG/LDAPConfig.pm

index ca4aec98022304842545d3980d3687208a6bc03c..567b5ea75b9ba3575836a8a9b54a7467952a3141 100755 (executable)
@@ -374,6 +374,20 @@ sub ldap_connect_and_bind {
 
      my $mesg;
 
+     if ($self->{mode} eq 'ldap+starttls') {
+        my $opts = {
+            verify => $self->{verify} ? 'require' : 'none',
+        };
+
+        if ($self->{cafile}) {
+            $opts->{cafile} = $self->{cafile};
+        } else {
+            $opts->{capath} = '/etc/ssl/certs/';
+        }
+
+        $ldap->start_tls(%$opts);
+     }
+
      if ($self->{binddn}) {
         $mesg = $ldap->bind($self->{binddn}, password => $self->{bindpw});
      } else {
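Review bot: The return value of `$ldap->start_tls(%$opts)` on the added line is discarded, so a failed StartTLS negotiation (server refuses the extended operation, or certificate verification with `verify => 'require'` fails) does not abort; control falls through to the `bind` below it and the bind password is sent over the still-unencrypted connection. Net::LDAP's `start_tls` returns a Net::LDAP::Message, so the outcome should be checked before binding: `my $tls_mesg = $ldap->start_tls(%$opts);` followed by `die "ldap start_tls failed: " . $tls_mesg->error . "\n" if $tls_mesg->code;`. How other failures in this function are reported is not visible here, so the error path should follow whatever convention the rest of ldap_connect_and_bind already uses. ldap_connect_and_bind begins before and ends after this hunk.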
index 022749cad142fda2f2688a4eb18024492556a5a7..9e4fd9e7e4a90083843f384644604eb0b8098fdf 100644 (file)
@@ -53,13 +53,13 @@ sub properties {
            maxLength => 4096,
        },
        mode => {
-           description => "LDAP protocol mode ('ldap' or 'ldaps').",
+           description => "LDAP protocol mode ('ldap', 'ldaps' or 'ldap+starttls').",
            type => 'string',
-           enum => ['ldap', 'ldaps'],
+           enum => ['ldap', 'ldaps', 'ldap+starttls'],
            default => 'ldap',
        },
        verify => {
-           description => "Verify server certificate. Only useful with ldaps.",
+           description => "Verify server certificate. Only useful with ldaps or ldap+starttls.",
            type => 'boolean',
            default => 0,
            optional => 1,