Add options to support ssl key verification when connecting with TLS.
authorMahlon E. Smith <mahlon@martini.nu>
Mon, 17 May 2010 08:18:39 -0700
changeset 3 0f815f3daaf7
parent 2 35fec0d1acb8
child 4 5a65bc849363
Add options to support ssl key verification when connecting with TLS. Many thanks to Josef Wells <Josefwells@alumni.utexas.net>! Small whitespace cleanup. Display the correct configuration file in the error message if a YAML parse error occurred.
shelldap
--- a/shelldap	Fri Jul 24 14:27:09 2009 +0000
+++ b/shelldap	Mon May 17 08:18:39 2010 -0700
@@ -39,7 +39,7 @@
 
 =head1 SYNPOSIS
 
- shelldap --server example.net --basedn dc=your,o=company [--tls] [--binddn ...] [--help]
+ shelldap --server example.net [--help]
 
 =head1 FEATURES
 
@@ -74,6 +74,9 @@
     bindpass: xxxxxxxxx
     basedn: dc=your,o=company
     tls: yes
+    tls_cacert: /etc/ssl/certs/cacert.pem
+    tls_cert:   ~/.ssl/client.cert.pem 
+    tls_key:    ~/.ssl/private/client.key.pem
 
 =over 4
 
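Review bot: The `~/.ssl/...` paths in the two new config-file example lines will reach the SSL layer literally — YAML::Syck returns the string unchanged and neither Perl's open nor IO::Socket::SSL expands a leading tilde — so unless shelldap expands `~` itself (not visible in this diff) a user who copies the example gets a certificate/key that cannot be loaded. Either use absolute paths in the example, e.g. `tls_cert:   /home/user/.ssl/client.cert.pem`, or expand `~` where the config file is read. The command-line examples later in the POD are fine because the shell expands `~` there. The tls_cert example line also carries trailing whitespace.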
@@ -115,6 +118,25 @@
 Enables TLS over what would normally be an insecure connection.
 Requires server side support.
 
+=item B<tls_cacert>
+
+Specify CA Certificate to trust.
+
+    --tls_cacert /etc/ssl/certs/cacert.pem
+
+=item B<tls_cert>
+
+The TLS client certificate.
+
+    --tls_cert ~/.ssl/client.cert.pem
+
+=item B<tls_key>
+
+The TLS client key.  Not specifying a key will connect via TLS without
+key verification.
+
+    --tls_key ~/.ssl/private/client.key.pem
+
 =back
 
 =over 4
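Review bot: The B<tls_key> text says omitting a key connects "without key verification", but what actually changes (in the start_tls branch later in this changeset) is whether the server's certificate is verified at all, and B<tls_cacert> is consulted only when a key is also given; the documentation should state that. Suggested wording under B<tls_key>: `The TLS client key.  When a key is given, the server certificate is verified against B<tls_cacert>; without one the connection is made with no server certificate verification.` Under B<tls_cacert> add a sentence that it currently has no effect unless B<tls_key> is set.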
@@ -434,7 +456,28 @@
 	# make connection
 	my $ldap = Net::LDAP->new( $conf->{'server'} )
 		or die "Unable to connect to LDAP server '$conf->{'server'}': $!\n";
-	$ldap->start_tls( verify => 'none' ) if $conf->{'tls'};
+
+	# secure connection options
+	if ( $conf->{'tls'} ) {
+		if ( $conf->{'tls_key'} ) {
+			$ldap->start_tls( 
+				verify     => 'require',
+				cafile     => $conf->{'tls_cacert'},
+				clientcert => $conf->{'tls_cert'},
+				clientkey  => $conf->{'tls_key'},
+				keydecrypt => sub {
+					print "Key Passphrase: "; 
+					Term::ReadKey::ReadMode 2;
+					chomp(my $secret = <STDIN>);
+					Term::ReadKey::ReadMode 0;
+					print "\n";
+					return $secret;
+				});
+		}
+		else {
+			$ldap->start_tls( verify => 'none' );
+		}
+	}
 
 	# bind
 	my $rv;
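Review bot: Server certificate verification is gated on the presence of a client key: a user who configures only `tls_cacert` still gets `verify => 'none'`, so the CA bundle is silently ignored and the server is not authenticated, while a user who sets `tls_key` without `tls_cacert` gets `verify => 'require'` with an undefined cafile. The two concerns should be decoupled — require verification whenever a CA file is configured, and add the client cert/key independently. The return value of `start_tls` is also never checked; Net::LDAP reports a failed negotiation through the returned message's `code`/`error` rather than by dying, so a failed TLS upgrade would be followed by the bind (and the bind password) on the plaintext socket. Restoring the terminal with `ReadMode 0` only on the normal path leaves echo off if the passphrase prompt is interrupted, unless something elsewhere in the script already resets it. A rewrite along these lines, keeping the passphrase prompt as is:
```perl
	# secure connection options
	if ( $conf->{'tls'} ) {
		my %tls_opts = ( verify => 'none' );

		# verify the server whenever a CA bundle is configured
		if ( $conf->{'tls_cacert'} ) {
			$tls_opts{'verify'} = 'require';
			$tls_opts{'cafile'} = $conf->{'tls_cacert'};
		}

		# client certificate authentication, independent of server verification
		if ( $conf->{'tls_key'} ) {
			$tls_opts{'clientcert'} = $conf->{'tls_cert'};
			$tls_opts{'clientkey'}  = $conf->{'tls_key'};
			$tls_opts{'keydecrypt'} = sub {
				# … unchanged: passphrase prompt via Term::ReadKey …
			};
		}

		my $mesg = $ldap->start_tls( %tls_opts );
		die "TLS negotiation with '$conf->{'server'}' failed: " . $mesg->error . "\n"
			if $mesg->code;
	}
```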
@@ -794,9 +837,9 @@
 		edit   => 'vi',
 		delete => 'rm',
 		copy   => 'cp',
-		cat	=> 'read',
+		cat    => 'read',
 		move   => 'mv',
-		cd	 => undef,
+		cd     => undef,
 		passwd => undef
 	);
 
@@ -804,7 +847,7 @@
 	foreach ( %cmd_map ) {
 		next unless $_;
 		my $sub = "comp_$_";
-		*$sub = \&autocomplete_cwd;
+		*$sub   = \&autocomplete_cwd;
 	}
 	*comp_touch  = \&comp_create;
 	*comp_export = \&comp_setenv;
@@ -1486,7 +1529,7 @@
 
 	my $rv = $self->ldap()->moddn(
 		$s_dn,
-		newrdn	   => $d_dn,
+		newrdn	     => $d_dn,
 		deleteoldrdn => 1,
 		newsuperior  => $new_dn
 	);
@@ -1614,6 +1657,9 @@
 	'basedn=s',
 	'cacheage=i',
 	'timeout=i',
+	'tls_cacert=s',
+	'tls_cert=s',
+	'tls_key=s',
 	'tls', 'debug',
 	 help => sub {
 		Pod::Usage::pod2usage(
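Review bot: The three new options are accepted here but, per the start_tls branch earlier in this changeset, they take effect only when `tls` is also set, so `--tls_key` or `--tls_cacert` given alone silently yields an unencrypted session. Either document that in the POD or imply TLS wherever the parsed options end up in `$conf`, e.g. `$conf->{'tls'} = 1 if $conf->{'tls_cacert'} || $conf->{'tls_key'};`. The GetOptions call enclosing these lines starts and ends outside the hunk.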
@@ -1660,7 +1706,7 @@
 	close YAML;
 
 	eval { $conf = YAML::Syck::Load( $data ) };
-	die "Invalid YAML in ~/.shelldap.rc\n" if $@;
+	die "Invalid YAML in $confpath\n" if $@;
 
 	return $conf;
 }
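Review bot: The message now names the right file but still discards the parser's own diagnosis, which is what the user needs to locate the offending line; `die "Invalid YAML in $confpath: $@" if $@;` keeps it. The bareword `close YAML;` on the context line predates this change. The enclosing sub starts outside the hunk.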