From c64b202aa73558ebc1d982144193b238ff648492 Mon Sep 17 00:00:00 2001
From: Jeff Davis
Date: Fri, 26 Oct 2018 15:26:15 -0700
Subject: [PATCH] LP#1800240: add support LDAPS (LDAP over TLS)
Signed-off-by: Jeff Davis
---
 Open-ILS/examples/opensrf.xml.example | 18 +++++++++++++++++-
 .../lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm | 19 +++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/Open-ILS/examples/opensrf.xml.example b/Open-ILS/examples/opensrf.xml.example
index 156562b82b..4a24dcf2dd 100644
--- a/Open-ILS/examples/opensrf.xml.example
+++ b/Open-ILS/examples/opensrf.xml.example
@@ -535,7 +535,18 @@ vim:et:ts=4:sw=4: false - +
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
index a180e3a477..3d0b435c9a 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
@@ -25,6 +25,7 @@ sub authenticate {
 }
 my $hostname_is_ldap = 0;
+ my $handled_tls = 0;
 my $reached_ldap = 0;
 my $user_in_ldap = 0;
 my $login_succeeded = 0;
@@ -38,6 +39,21 @@ sub authenticate {
 my $ldap;
 if ( $ldap = Net::LDAP->new($hostname) ) {
 $hostname_is_ldap = 1;
+
+ # check for LDAPS config; if enabled, establish secure connection
+ my $tls = $self->{'start_tls'};
+ if (ref $tls and $tls->{'enabled'} eq 'true') {
+ if ( $ldap->start_tls(
+ verify => $tls->{'verify'},
+ cafile => $tls->{'cafile'}) ) {
+ $handled_tls = 1;
+ }
+ } else {
+ # When TLS is not enabled, we handle it successfully
+ # by not attempting to use it.
+ $handled_tls = 1;
+ }
+
 if ( $ldap->bind( $authid, password => $authid_pass )->code == 0 ) {
 $reached_ldap = 1;
 # verify username and lookup user's DN
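Review bot: In the `@@ -38,6 +39,21 @@` hunk the `if ( $ldap->start_tls(...) )` test cannot detect a failed handshake: Net::LDAP's `start_tls` returns a Net::LDAP::Message object (a blessed ref, always true in boolean context), so `$handled_tls` becomes 1 even when TLS negotiation or certificate verification fails; check the result code the way the `bind` call just below already does, `cafile => $tls->{'cafile'})->code == 0 ) {`. Two related points in the same hunk: `verify => $tls->{'verify'}` passes undef when the config omits that key, and Net::LDAP then falls back to `verify => 'none'` (no server certificate check at all), so a safer default is `verify => $tls->{'verify'} // 'require',`; and because the `bind` call runs unconditionally after the TLS block, a failed STARTTLS still sends `$authid_pass` over the unencrypted connection before the later `!$handled_tls` branch rejects the login, so guard it with `if ( $handled_tls and $ldap->bind( $authid, password => $authid_pass )->code == 0 ) {`. The comment `# check for LDAPS config` is also slightly misleading, since the code upgrades a plain connection with STARTTLS rather than connecting to an ldaps:// port; `# check for STARTTLS config; if enabled, upgrade the connection to TLS` describes what happens. The enclosing `authenticate` sub starts and ends outside these hunks.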
@@ -62,6 +78,9 @@ sub authenticate {
 # TODO: custom failure events?
 $logger->debug("User login failed: Incorrect LDAP hostname");
 return OpenILS::Event->new( 'LOGIN_FAILED' );
+ } elsif ( !$handled_tls ) {
+ $logger->debug("User login failed: Could not establish TLS connection to LDAP server");
+ return OpenILS::Event->new( 'LOGIN_FAILED' );
 } elsif ( !$reached_ldap ) {
 $logger->debug("User login failed: The LDAP server is misconfigured or unavailable");
 return OpenILS::Event->new( 'LOGIN_FAILED' );
-- 
2.11.0
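Review bot: The new `elsif ( !$handled_tls )` branch reports a failed TLS negotiation at debug level only, so an operator with a wrong CA file, or a server presenting an unexpected certificate, sees nothing unless debug logging is on; unlike the neighbouring branches this is a deployment/security signal rather than a per-user login mistake, so `$logger->warn("User login failed: Could not establish TLS connection to LDAP server");` fits better than `debug`. Including the reason from the `start_tls` result in that message would also help diagnosis, but that requires keeping the Net::LDAP::Message from the earlier hunk rather than only the `$handled_tls` flag. The enclosing `authenticate` sub continues outside the hunk.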