Add options to support ssl key verification when connecting with TLS.
Many thanks to Josef Wells <Josefwells@alumni.utexas.net>! Small whitespace cleanup. Display correct configuration file in error message, if a YAML parse error occurred. FossilOrigin-Name: 99f501e7bae77e1df4573d9701d7876eb698551d27e9b46eddee0bf93386ab3f
This commit is contained in:
parent
9354805d28
commit
7885c220b5
1 changed files with 53 additions and 7 deletions
52
shelldap
52
shelldap
|
|
@ -39,7 +39,7 @@ tasks quickly and with minimal effort.
|
||||||
|
|
||||||
=head1 SYNPOSIS
|
=head1 SYNPOSIS
|
||||||
|
|
||||||
shelldap --server example.net --basedn dc=your,o=company [--tls] [--binddn ...] [--help]
|
shelldap --server example.net [--help]
|
||||||
|
|
||||||
=head1 FEATURES
|
=head1 FEATURES
|
||||||
|
|
||||||
|
|
@ -74,6 +74,9 @@ Example:
|
||||||
bindpass: xxxxxxxxx
|
bindpass: xxxxxxxxx
|
||||||
basedn: dc=your,o=company
|
basedn: dc=your,o=company
|
||||||
tls: yes
|
tls: yes
|
||||||
|
tls_cacert: /etc/ssl/certs/cacert.pem
|
||||||
|
tls_cert: ~/.ssl/client.cert.pem
|
||||||
|
tls_key: ~/.ssl/private/client.key.pem
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
|
|
||||||
|
|
@ -115,6 +118,25 @@ try and ask the server for a sane default.
|
||||||
Enables TLS over what would normally be an insecure connection.
|
Enables TLS over what would normally be an insecure connection.
|
||||||
Requires server side support.
|
Requires server side support.
|
||||||
|
|
||||||
|
=item B<tls_cacert>
|
||||||
|
|
||||||
|
Specify CA Certificate to trust.
|
||||||
|
|
||||||
|
--tls_cacert /etc/ssl/certs/cacert.pem
|
||||||
|
|
||||||
|
=item B<tls_cert>
|
||||||
|
|
||||||
|
The TLS client certificate.
|
||||||
|
|
||||||
|
--tls_cert ~/.ssl/client.cert.pem
|
||||||
|
|
||||||
|
=item B<tls_key>
|
||||||
|
|
||||||
|
The TLS client key. Not specifying a key will connect via TLS without
|
||||||
|
key verification.
|
||||||
|
|
||||||
|
--tls_key ~/.ssl/private/client.key.pem
|
||||||
|
|
||||||
=back
|
=back
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
|
|
@ -434,7 +456,28 @@ sub ldap
|
||||||
# make connection
|
# make connection
|
||||||
my $ldap = Net::LDAP->new( $conf->{'server'} )
|
my $ldap = Net::LDAP->new( $conf->{'server'} )
|
||||||
or die "Unable to connect to LDAP server '$conf->{'server'}': $!\n";
|
or die "Unable to connect to LDAP server '$conf->{'server'}': $!\n";
|
||||||
$ldap->start_tls( verify => 'none' ) if $conf->{'tls'};
|
|
||||||
|
# secure connection options
|
||||||
|
if ( $conf->{'tls'} ) {
|
||||||
|
if ( $conf->{'tls_key'} ) {
|
||||||
|
$ldap->start_tls(
|
||||||
|
verify => 'require',
|
||||||
|
cafile => $conf->{'tls_cacert'},
|
||||||
|
clientcert => $conf->{'tls_cert'},
|
||||||
|
clientkey => $conf->{'tls_key'},
|
||||||
|
keydecrypt => sub {
|
||||||
|
print "Key Passphrase: ";
|
||||||
|
Term::ReadKey::ReadMode 2;
|
||||||
|
chomp(my $secret = <STDIN>);
|
||||||
|
Term::ReadKey::ReadMode 0;
|
||||||
|
print "\n";
|
||||||
|
return $secret;
|
||||||
|
});
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$ldap->start_tls( verify => 'none' );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
# bind
|
# bind
|
||||||
my $rv;
|
my $rv;
|
||||||
|
|
@ -1614,6 +1657,9 @@ Getopt::Long::GetOptions(
|
||||||
'basedn=s',
|
'basedn=s',
|
||||||
'cacheage=i',
|
'cacheage=i',
|
||||||
'timeout=i',
|
'timeout=i',
|
||||||
|
'tls_cacert=s',
|
||||||
|
'tls_cert=s',
|
||||||
|
'tls_key=s',
|
||||||
'tls', 'debug',
|
'tls', 'debug',
|
||||||
help => sub {
|
help => sub {
|
||||||
Pod::Usage::pod2usage(
|
Pod::Usage::pod2usage(
|
||||||
|
|
@ -1660,7 +1706,7 @@ sub load_config
|
||||||
close YAML;
|
close YAML;
|
||||||
|
|
||||||
eval { $conf = YAML::Syck::Load( $data ) };
|
eval { $conf = YAML::Syck::Load( $data ) };
|
||||||
die "Invalid YAML in ~/.shelldap.rc\n" if $@;
|
die "Invalid YAML in $confpath\n" if $@;
|
||||||
|
|
||||||
return $conf;
|
return $conf;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue