devel - [sympa-developpers] Fix LDAP starttls support

  • From: Emmanuel Lacour <address@concealed>
  • To: address@concealed
  • Subject: [sympa-developpers] Fix LDAP starttls support
  • Date: Tue, 26 Apr 2016 15:04:36 +0200

Dear sympa developers,

I did not find how to open a bug report on
https://sourcesup.renater.fr/tracker/?func=browse&group_id=23&atid=167,
hence I send a mail here.

Unless I'm missing something, LDAP starttls support is incomplete in sympa.

There is a hidden use_start_tls parameter in LDAPSource.pm, but it isn't
allowed in list/auth/scenari/... configurations (List.pm, Conf.pm).

There is also a default value for capath that may be not appropriate for
all platforms and that isn't exported to allowed configuration variables.

Finally, ssl_version default value and allowed values are inconsistent
between List.pm and Conf.pm.

Here is a patch that does just "make it work for my own usage" to help
finish starttls support ;)

--- Conf.pm	2016-04-26 14:55:27.000000000 +0200
+++ Conf.pm	2016-04-26 14:18:55.623782362 +0200
@@ -1146,6 +1146,7 @@
 				     'scope' => 'base|one|sub',
 				     'authentication_info_url' => 'http(s)?:/.*',
 				     'use_ssl' => '1',
+				     'use_start_tls' => '1',
 				     'ssl_version' => 'sslv2/3|sslv2|sslv3|tlsv1',
 				     'ssl_ciphers' => '[\w:]+' },
 			  
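Review bot: Adding 'use_start_tls' => '1' makes the parameter accepted, but the ssl_version pattern on the following line ('sslv2/3|sslv2|sslv3|tlsv1') still does not match the ['sslv2','sslv3','tls'] format list used in the List.pm hunk, so the default/allowed-value mismatch the mail describes is only half addressed; pick one vocabulary and use it in both files. Nothing here rejects a configuration that sets both use_ssl and use_start_tls to 1 either; the caller should treat the two as mutually exclusive or document which one wins.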
--- LDAPSource.pm	2014-09-17 18:24:59.000000000 +0200
+++ LDAPSource.pm	2016-04-26 14:25:44.642213644 +0200
@@ -152,7 +152,7 @@
 	$tls_param{'sslversion'} = $param->{'ssl_version'} if ($param->{'ssl_version'});
 	$tls_param{'ciphers'} = $param->{'ssl_ciphers'} if ($param->{'ssl_ciphers'});
 	$tls_param{'verify'} = $param->{'ca_verify'} || "optional";
-	$tls_param{'capath'} = $param->{'ca_path'} || "/etc/ssl";
+	$tls_param{'capath'} = $param->{'ca_path'} || "/etc/ssl/certs";
 	$tls_param{'cafile'} = $param->{'ca_file'} if ($param->{'ca_file'});
 	$tls_param{'clientcert'} = $param->{'ssl_cert'} if ($param->{'ssl_cert'});
 	$tls_param{'clientkey'} = $param->{'ssl_key'} if ($param->{'ssl_key'});
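Review bot: Replacing the hard-coded fallback "/etc/ssl" with "/etc/ssl/certs" only swaps one platform-specific guess for another, which is exactly the problem the mail raises about this default; consider setting capath only when ca_path is configured, the way cafile is handled on the next line, so the TLS library falls back to its own trust store, and document ca_path together with use_start_tls in the allowed configuration parameters. With verify defaulting to "optional" a few lines above, a capath that does not exist on the host leaves nothing to validate the server certificate against, so this fallback decides whether STARTTLS actually authenticates the server and is not cosmetic.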
--- List.pm	2014-09-17 18:24:59.000000000 +0200
+++ List.pm	2016-04-26 14:38:34.131285852 +0200
@@ -872,13 +872,18 @@
 							      'length' => 15,
 							      'order' => 1
 							      },
+							      'use_start_tls' => {'format' => ['yes','no'],
+									    'default' => 'no',
+									    'gettext_id' => 'use LDAP STARTTLS',
+									    'order' => 2.5,
+									},
 							      'use_ssl' => {'format' => ['yes','no'],
 									    'default' => 'no',
 									    'gettext_id' => 'use SSL (LDAPS)',
 									    'order' => 2.5,
 									},
 							      'ssl_version' => {'format' => ['sslv2','sslv3','tls'],
-										'default' => 'sslv3',
+										'default' => '',
 										'gettext_id' => 'SSL version',
 										'order' => 2.5,
 									    },
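Review bot: The new ssl_version default '' is not one of the values in its own 'format' list ['sslv2','sslv3','tls'], so validating the default may fail unless an empty/unset choice is added to the list; if the intent is to let the library negotiate the version, allow that explicitly and say so in gettext_id. The new use_start_tls entry also reuses 'order' => 2.5, the same value as use_ssl and ssl_version, so the fields have no defined relative position; give it its own order. And as in Conf.pm, 'tls' here versus 'tlsv1' there needs reconciling.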


Archive powered by MHonArc 2.6.19+.
