
Add support for TLS and connectionless LDAP connections on Linux #52904

Merged
merged 4 commits into from
Jun 3, 2021
Add test configuration for LDAP TLS server
iinuwa committed Jun 1, 2021
commit 7b62eb0c4334d79a0b49d91cbc432fc93bffac1c
@@ -28,6 +28,34 @@ and to test and view status

docker exec -it slapd01 slapcat

SLAPD OPENLDAP SERVER WITH TLS
==============================

The osixia/openldap container image automatically creates a TLS lisener with a self-signed certificate. This can be used to test TLS.

Start the container, with TLS on port 1636, without client certificate verification:

docker run --publish 1389:389 --publish 1636:636 --name ldap --hostname ldap.local --detach --rm --env LDAP_TLS_VERIFY_CLIENT=never --env LDAP_ADMIN_PASSWORD=password osixia/openldap --loglevel debug

Extract the CA certificate and write to a temporary file:

docker exec ldap cat /container/service/slapd/assets/certs/ca.crt > /tmp/ca.crt

Set the LDAP client CA certificate path in `/etc/ldap/ldap.conf` so OpenLDAP trusts the self-signed certificate:

# /etc/ldap/ldap.conf
#...
TLS_CACERT /tmp/ca.crt

Finally, map the `ldap.local` hostname manually set above to the loopback address:

# /etc/hosts
127.0.0.1 ldap.local

To test and view the status:

ldapsearch -H ldaps://ldap.local:1636 -b dc=example,dc=org -x -D cn=admin,dc=example,dc=org -w password

ACTIVE DIRECTORY
================

@@ -83,5 +111,14 @@ Note:
<Password>%TESTPASSWORD%</Password>
<AuthenticationTypes>ServerBind,None</AuthenticationTypes>
</Connection>
<Connection Name="SLAPD OPENLDAP SERVER TLS">
<ServerName>ldap.local</ServerName>
<SearchDN>DC=example,DC=org</SearchDN>
<Port>1636</Port>
<User>cn=admin,dc=example,dc=org</User>
<Password>password</Password>
<AuthenticationTypes>ServerBind,None</AuthenticationTypes>
<UseTls>true</UseTls>
</Connection>

</Configuration>
@@ -10,14 +10,15 @@ namespace System.DirectoryServices.Tests
{
internal class LdapConfiguration
{
private LdapConfiguration(string serverName, string searchDn, string userName, string password, string port, AuthenticationTypes at)
private LdapConfiguration(string serverName, string searchDn, string userName, string password, string port, AuthenticationTypes at, bool useTls)
{
ServerName = serverName;
SearchDn = searchDn;
UserName = userName;
Password = password;
Port = port;
AuthenticationTypes = at;
UseTls = useTls;
}

private static LdapConfiguration s_ldapConfiguration = GetConfiguration("LDAP.Configuration.xml");
@@ -30,6 +31,7 @@ private LdapConfiguration(string serverName, string searchDn, string userName, s
internal string Port { get; set; }
internal string SearchDn { get; set; }
internal AuthenticationTypes AuthenticationTypes { get; set; }
internal bool UseTls { get; set; }
internal string LdapPath => string.IsNullOrEmpty(Port) ? $"LDAP://{ServerName}/{SearchDn}" : $"LDAP://{ServerName}:{Port}/{SearchDn}";
internal string RootDSEPath => string.IsNullOrEmpty(Port) ? $"LDAP://{ServerName}/rootDSE" : $"LDAP://{ServerName}:{Port}/rootDSE";
internal string UserNameWithNoDomain
@@ -104,6 +106,7 @@ internal static LdapConfiguration GetConfiguration(string configFile)
string user = "";
string password = "";
AuthenticationTypes at = AuthenticationTypes.None;
bool useTls = false;

XElement child = connection.Element("ServerName");
if (child != null)
@@ -132,6 +135,12 @@ internal static LdapConfiguration GetConfiguration(string configFile)
password = val;
}

child = connection.Element("UseTls");
if (child != null)
{
useTls = bool.Parse(child.Value);
}

child = connection.Element("AuthenticationTypes");
if (child != null)
{
@@ -161,7 +170,7 @@ internal static LdapConfiguration GetConfiguration(string configFile)
at |= AuthenticationTypes.Signing;
}

ldapConfig = new LdapConfiguration(serverName, searchDn, user, password, port, at);
ldapConfig = new LdapConfiguration(serverName, searchDn, user, password, port, at, useTls);
}
}
catch (Exception ex)
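Review bot: `useTls = bool.Parse(child.Value);` in the `@@ -132` hunk throws FormatException for any value other than true/false, and that exception reaches the `catch (Exception ex)` at the end of the section, whose handler is outside this view; if that handler only logs, a misspelled `<UseTls>` would leave the configuration unbuilt with a generic message rather than pointing at the bad element. Failing on a bad value is the right default here, because a typo must not silently fall back to plaintext LDAP, so keep the strictness but name the element in the error, e.g. `if (!bool.TryParse(child.Value, out useTls)) { throw new FormatException($"Invalid UseTls value '{child.Value}' in {configFile}"); }`. The new property in the `@@ -30` hunk would also benefit from a one-line comment, e.g. `// False (plaintext LDAP) unless the connection element carries <UseTls>true</UseTls>.` GetConfiguration starts and ends outside these hunks.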
@@ -630,6 +630,7 @@ private LdapConnection GetConnection()
// Set server protocol before bind; OpenLDAP servers default
// to LDAP v2, which we do not support, and will return LDAP_PROTOCOL_ERROR
connection.SessionOptions.ProtocolVersion = 3;
connection.SessionOptions.SecureSocketLayer = LdapConfiguration.Configuration.UseTls;
connection.Bind();

connection.Timeout = new TimeSpan(0, 3, 0);
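Review bot: The new `SecureSocketLayer` assignment carries no comment, while the adjacent ProtocolVersion lines explain why that option must precede Bind(); the same ordering constraint applies to this line, since the TLS handshake happens on the connect that Bind() performs, and a reader should not be tempted to move it below the bind. Suggest `// Must also precede Bind(): TLS is negotiated at connect time. Server certificate validation is left to the platform trust store (on Linux presumably the OpenLDAP client's TLS_CACERT setting described in this commit's README), so no VerifyServerCertificate callback is installed here.` Leaving validation enabled is the right choice for a test fixture too, as it exercises the same code path production clients hit. GetConnection starts and ends outside the hunk.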