From 6ad43a10b97007d94ae6e8d1c02786f04a801ea3 Mon Sep 17 00:00:00 2001
From: Dominik Csapak
Date: Wed, 13 Mar 2019 15:17:07 +0100
Subject: [PATCH] fix #1946: add verify and cafile options for ldap so that users can force the verification, either with the system installed certificates or with a single explicit file this also fixes #1944, since the option was 'scheme' not 'schema'
Signed-off-by: Dominik Csapak
---
 PMG/LDAPCache.pm | 14 +++++++++++++-
 PMG/LDAPConfig.pm | 13 +++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/PMG/LDAPCache.pm b/PMG/LDAPCache.pm
index 0d36019..ca4aec9 100755
--- a/PMG/LDAPCache.pm
+++ b/PMG/LDAPCache.pm
@@ -75,6 +75,8 @@ sub new {
 $self->{port} = $args{port};
 $self->{groupbasedn} = $args{groupbasedn};
 $self->{filter} = $args{filter};
+ $self->{verify} = $args{verify};
+ $self->{cafile} = $args{cafile};
 if ($args{syncmode} == 1) {
 # read local data only
@@ -349,7 +351,17 @@ sub ldap_connect {
 my $opts = { timeout => 10, onerror => 'die' };
 $opts->{port} = $self->{port} if $self->{port};
- $opts->{schema} = $self->{mode};
+ if ($self->{mode} eq 'ldaps') {
+ $opts->{scheme} = 'ldaps';
+ $opts->{verify} = 'require' if $self->{verify};
+ if ($self->{cafile}) {
+ $opts->{cafile} = $self->{cafile};
+ } else {
+ $opts->{capath} = '/etc/ssl/certs/';
+ }
+ } else {
+ $opts->{scheme} = 'ldap';
+ }
 return Net::LDAP->new($hosts, %$opts);
 }
diff --git a/PMG/LDAPConfig.pm b/PMG/LDAPConfig.pm
index 9445205..022749c 100644
--- a/PMG/LDAPConfig.pm
+++ b/PMG/LDAPConfig.pm
@@ -58,6 +58,17 @@ sub properties {
 enum => ['ldap', 'ldaps'],
 default => 'ldap',
 },
+ verify => {
+ description => "Verify server certificate. Only useful with ldaps.",
+ type => 'boolean',
+ default => 0,
+ optional => 1,
+ },
+ cafile => {
+ description => "Path to CA file. Only useful with option 'verify'",
+ type => 'string',
+ optional => 1,
+ },
 server1 => {
 description => "Server address.",
 type => 'string', format => 'address',
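Review bot: In ldap_connect, `verify` is silently ignored whenever mode is not 'ldaps': the new branch only sets `$opts->{verify} = 'require'` inside the ldaps arm, so a config with verify=1 and the default mode 'ldap' connects in plaintext with no indication that the requested check was not applied. A guard ahead of the branch, `die "option 'verify' requires mode 'ldaps'\n" if $self->{verify} && $self->{mode} ne 'ldaps';` (or the equivalent rejection during config validation in LDAPConfig), would make that misconfiguration fail closed. The ldaps arm also deserves a comment that without `verify` Net::LDAP keeps its documented default of not checking the server certificate, so the cafile/capath it sets are passed through but have no effect: `# without 'verify', Net::LDAP's default is to skip certificate checks; cafile/capath only matter together with verify => 'require'`. The surrounding ldap_connect body starts outside the hunk.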
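Review bot: The new `cafile` property is a bare `type => 'string'` with no format or pattern constraint, so any text is accepted and a typo only surfaces as a connection failure at runtime, since ldap_connect hands the value straight to Net::LDAP as a file path. Constraining it to an absolute path at schema level, e.g. `pattern => '^/.+$'` if the schema layer supports that keyword, or whatever filesystem-path format the project already uses elsewhere, would reject bad values when the config is written rather than when the next LDAP sync runs. The description is also missing the trailing period that the `verify` description has: `description => "Path to CA file. Only useful with option 'verify'.",`. The enclosing properties hash continues outside the hunk.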
@@ -128,6 +139,8 @@ sub options {
 accountattr => { optional => 1 },
 mailattr => { optional => 1 },
 groupclass => { optional => 1 },
+ verify => { optional => 1 },
+ cafile => { optional => 1 },
 };
 }
-- 
2.39.2