Developers of Sympa

[Olivier Salaun - CRU <address@concealed>]

Hi John,

It makes sense to us, and we've added this feature to CVS, based on your 
suggestions.
The main difference with what you suggested is that we didn't add the 
wwsympa.conf parameter.
Instead we have added a 'use_ldap' auth.conf parameter (for those who want to 
use LDAPS
without defining SSL version and ciphers, ie using Net::LDAPS defaults).

Attached is the patch that also does some syntaxical checks in auth.conf.

We'd appreciate some feadback from sympa-dev members who could validate this
patch.

Thanks.

John Douglass wrote:
>  [...] here are my suggestions for the authentication changes to support SSL.
>
> I'm working on possible modifications on the other LDAP related files 
> (List.pm and Ldap.pm) but that will take a little longer.
>
> Hopefully this makes sense to the authors: >
> Two things for the config:
>
> 1) If ANY auth.conf ldap servers use SSL, define (in wwsympa.conf)
> secure_ldap_auth = 1
>
> 2) Within the auth.conf file, if a server uses SSL, define the fields
> ssl_version = sslv3
> ssl_ciphers = MEDIUM:HIGH


--
Olivier Salaun
Comite Reseau des Universites
? wwsympa/wws_templates/us/viewlogs.us.tpl
? src/aliaswrapper
? src/bouncequeue
? src/queue
? src/virtualwrapper
Index: wwsympa/wwsympa.fcgi
===================================================================
RCS file: /home/sympa/cvsroot/sympa/wwsympa/wwsympa.fcgi,v
retrieving revision 1.312
diff -c -r1.312 wwsympa.fcgi
*** wwsympa/wwsympa.fcgi        2 Dec 2002 09:42:43 -0000       1.312
--- wwsympa/wwsympa.fcgi        6 Dec 2002 09:16:31 -0000
***************
*** 1415,1422 ****
            $filter =~ s/\[sender\]/$auth/ig;
  
            ##anonymous bind in order to have the user's DN
!           $ldap_anonymous = Net::LDAP->new($host,timeout => 
$ldap->{'timeout'});
!         
            unless ($ldap_anonymous ){
                do_log ('err','Unable to connect to the LDAP server 
%s',$host);
                next;
--- 1415,1437 ----
            $filter =~ s/\[sender\]/$auth/ig;
  
            ##anonymous bind in order to have the user's DN
!           my $ldap_anonymous;
!           if ($ldap->{'use_ssl'}) {
!               unless (require Net::LDAPS) {
!                   do_log ('err',"Unable to use LDAPS library, Net::LDAPS 
required");
!                   return undef;
!               } 
!               
!               my %param;
!               $param{'timeout'} = $ldap->{'timeout'} if 
($ldap->{'timeout'});
!               $param{'sslversion'} = $ldap->{'ssl_version'} if 
($ldap->{'ssl_version'});
!               $param{'ciphers'} = $ldap->{'ssl_ciphers'} if 
($ldap->{'ssl_ciphers'});
!               
!               $ldap_anonymous = Net::LDAPS->new($host,%param);
!           }else {
!               $ldap_anonymous = Net::LDAP->new($host,timeout => 
$ldap->{'timeout'});
!           }
! 
            unless ($ldap_anonymous ){
                do_log ('err','Unable to connect to the LDAP server 
%s',$host);
                next;
***************
*** 1453,1459 ****
            $ldap_anonymous->unbind;
  
            ##  bind with the DN and the pwd
!           $ldap_passwd = Net::LDAP->new($host);
  
            unless ($ldap_passwd) {
                do_log('err','Unable to (re) connect to the LDAP server %s', 
$host);
--- 1468,1489 ----
            $ldap_anonymous->unbind;
  
            ##  bind with the DN and the pwd
!           my $ldap_passwd;
!           if ($ldap->{'use_ssl'}) {
!               unless (require Net::LDAPS) {
!                   do_log ('err',"Unable to use LDAPS library, Net::LDAPS 
required");
!                   return undef;
!               } 
!               
!               my %param;
!               $param{'timeout'} = $ldap->{'timeout'} if 
($ldap->{'timeout'});
!               $param{'sslversion'} = $ldap->{'ssl_version'} if 
($ldap->{'ssl_version'});
!               $param{'ciphers'} = $ldap->{'ssl_ciphers'} if 
($ldap->{'ssl_ciphers'});
!               
!               $ldap_passwd = Net::LDAPS->new($host,%param);
!           }else {
!               $ldap_passwd = Net::LDAP->new($host,timeout => 
$ldap->{'timeout'});
!           }
  
            unless ($ldap_passwd) {
                do_log('err','Unable to (re) connect to the LDAP server %s', 
$host);
***************
*** 1650,1656 ****
  
            ## !! une fonction get_dn_by_email/uid
            
!           $ldap_anonymous = Net::LDAP->new($host,timeout => 
$ldap->{'timeout'} );
            
            unless ($ldap_anonymous ){
                do_log ('err','Unable to connect to the LDAP server 
%s',$host);
--- 1680,1702 ----
  
            ## !! une fonction get_dn_by_email/uid
            
!           my $ldap_anonymous;
!           if ($ldap->{'use_ssl'}) {
!               unless (require Net::LDAPS) {
!                   do_log ('err',"Unable to use LDAPS library, Net::LDAPS 
required");
!                   return undef;
!               } 
!               
!               my %param;
!               $param{'timeout'} = $ldap->{'timeout'} if 
($ldap->{'timeout'});
!               $param{'sslversion'} = $ldap->{'ssl_version'} if 
($ldap->{'ssl_version'});
!               $param{'ciphers'} = $ldap->{'ssl_ciphers'} if 
($ldap->{'ssl_ciphers'});
!               
!               $ldap_anonymous = Net::LDAPS->new($host,%param);
!           }else {
!               $ldap_anonymous = Net::LDAP->new($host,timeout => 
$ldap->{'timeout'});
!           }
! 
            
            unless ($ldap_anonymous ){
                do_log ('err','Unable to connect to the LDAP server 
%s',$host);
Index: src/Conf.pm
===================================================================
RCS file: /home/sympa/cvsroot/sympa/src/Conf.pm,v
retrieving revision 1.66
diff -c -r1.66 Conf.pm
*** src/Conf.pm 3 Dec 2002 08:24:37 -0000       1.66
--- src/Conf.pm 6 Dec 2002 09:16:31 -0000
***************
*** 480,488 ****
      my @paragraphs;
      my $current_paragraph = {};
  
      ## Open the configuration file or return and read the lines.
      unless (open(IN, $config)) {
!       do_log('notice',"load: Unable to open %s: %s\n", $config, $!);
        return undef;
      }
      
--- 480,504 ----
      my @paragraphs;
      my $current_paragraph = {};
  
+     my %valid_keywords = ('host' => '[\w\.\-]+(:\d+)?(,[\w\.\-]+(:\d+)?)*',
+                         'timeout' => '\d+',
+                         'suffix' => '.+',
+                         'bind_dn' => '.+',
+                         'bind_password' => '.+',
+                         'get_dn_by_uid_filter' => '.+',
+                         'get_dn_by_email_filter' => '.+',
+                         'email_attribute' => '\w+',
+                         'alternative_email_attribute' => '(\w+)(,\w+)*',
+                         'scope' => 'base|one|sub',
+                         'authentication_info_url' => 'http(s)?:/.*',
+                         'use_ssl' => '1',
+                         'ssl_version' => 'sslv2/3|sslv2|sslv3|tlsv1',
+                         'ssl_ciphers' => '[\w:]+');
+                         
+ 
      ## Open the configuration file or return and read the lines.
      unless (open(IN, $config)) {
!       do_log('notice',"_load_auth: Unable to open %s: %s\n", $config, $!);
        return undef;
      }
      
***************
*** 497,502 ****
--- 513,528 ----
        if (/^\s*(\S+)\s+(.*\S)\s*$/o){
            
            my ($keyword,$value) = ($1,$2);
+ 
+           unless (defined $valid_keywords{$keyword}) {
+               do_log('notice',"_load_auth: unknown keyword '%s' in %s", 
$keyword, $config);
+               next;
+           }
+           unless ($value =~ /^$valid_keywords{$keyword}$/) {
+               do_log('notice',"_load_auth: unknown format '%s' for keyword 
'%s' in %s", $value, $keyword, $config);
+               next;
+           }
+ 
            $current_paragraph->{$keyword} = $value;
        }