(DIO-2621) Make LDAP encryption configurable

Prior to this, the encryption settings for LDAP auth were hard coded to start_tls on port 389 with TLSv1. These are still the defaults, as insecure as they are, so as to not break existing users. This change facilitates replacing the defaults so that simple_tls over port 636 via TLS1.2 can be used.
2026-01-26 10:08:40 -05:00 · 2021-09-14 15:01:05 -04:00 · 2021-09-14 15:01:05 -04:00 · 5cd7658ab4
commit 5cd7658ab4
parent 5f0d41412c
4 changed files with 123 additions and 65 deletions
--- a/lib/vmpooler/api/helpers.rb
+++ b/lib/vmpooler/api/helpers.rb
@ -56,14 +56,11 @@ module Vmpooler
        return false
      end

-      def authenticate_ldap(port, host, user_object, base, username_str, password_str)
+      def authenticate_ldap(port, host, encryption_hash, user_object, base, username_str, password_str)
        ldap = Net::LDAP.new(
          :host => host,
          :port => port,
-          :encryption => {
-            :method => :start_tls,
-            :tls_options => { :ssl_version => 'TLSv1' }
-          },
+          :encryption => encryption_hash,
          :base => base,
          :auth => {
            :method => :simple,
@ -86,6 +83,10 @@ module Vmpooler
          ldap_port = auth[:ldap]['port'] || 389
          ldap_user_obj = auth[:ldap]['user_object']
          ldap_host = auth[:ldap]['host']
+          ldap_encryption_hash = auth[:ldap]['encryption'] || {
+            :method => :start_tls,
+            :tls_options => { :ssl_version => 'TLSv1' }
+          }

          unless ldap_base.is_a? Array
            ldap_base = ldap_base.split
@ -100,6 +101,7 @@ module Vmpooler
              result = authenticate_ldap(
                ldap_port,
                ldap_host,
+                ldap_encryption_hash,
                search_user_obj,
                search_base,
                username_str,