Add options to support ssl key verification when connecting with TLS.
Many thanks to Josef Wells <Josefwells@alumni.utexas.net>! Small whitespace cleanup. Display correct configuration file in error message, if a YAML parse error occurred. FossilOrigin-Name: 99f501e7bae77e1df4573d9701d7876eb698551d27e9b46eddee0bf93386ab3f
This commit is contained in:
parent
9354805d28
commit
7885c220b5
1 changed files with 53 additions and 7 deletions
52
shelldap
52
shelldap
|
|
@ -39,7 +39,7 @@ tasks quickly and with minimal effort.
|
|||
|
||||
=head1 SYNPOSIS
|
||||
|
||||
shelldap --server example.net --basedn dc=your,o=company [--tls] [--binddn ...] [--help]
|
||||
shelldap --server example.net [--help]
|
||||
|
||||
=head1 FEATURES
|
||||
|
||||
|
|
@ -74,6 +74,9 @@ Example:
|
|||
bindpass: xxxxxxxxx
|
||||
basedn: dc=your,o=company
|
||||
tls: yes
|
||||
tls_cacert: /etc/ssl/certs/cacert.pem
|
||||
tls_cert: ~/.ssl/client.cert.pem
|
||||
tls_key: ~/.ssl/private/client.key.pem
|
||||
|
||||
=over 4
|
||||
|
||||
|
|
@ -115,6 +118,25 @@ try and ask the server for a sane default.
|
|||
Enables TLS over what would normally be an insecure connection.
|
||||
Requires server side support.
|
||||
|
||||
=item B<tls_cacert>
|
||||
|
||||
Specify CA Certificate to trust.
|
||||
|
||||
--tls_cacert /etc/ssl/certs/cacert.pem
|
||||
|
||||
=item B<tls_cert>
|
||||
|
||||
The TLS client certificate.
|
||||
|
||||
--tls_cert ~/.ssl/client.cert.pem
|
||||
|
||||
=item B<tls_key>
|
||||
|
||||
The TLS client key. Not specifying a key will connect via TLS without
|
||||
key verification.
|
||||
|
||||
--tls_key ~/.ssl/private/client.key.pem
|
||||
|
||||
=back
|
||||
|
||||
=over 4
|
||||
|
|
@ -434,7 +456,28 @@ sub ldap
|
|||
# make connection
|
||||
my $ldap = Net::LDAP->new( $conf->{'server'} )
|
||||
or die "Unable to connect to LDAP server '$conf->{'server'}': $!\n";
|
||||
$ldap->start_tls( verify => 'none' ) if $conf->{'tls'};
|
||||
|
||||
# secure connection options
|
||||
if ( $conf->{'tls'} ) {
|
||||
if ( $conf->{'tls_key'} ) {
|
||||
$ldap->start_tls(
|
||||
verify => 'require',
|
||||
cafile => $conf->{'tls_cacert'},
|
||||
clientcert => $conf->{'tls_cert'},
|
||||
clientkey => $conf->{'tls_key'},
|
||||
keydecrypt => sub {
|
||||
print "Key Passphrase: ";
|
||||
Term::ReadKey::ReadMode 2;
|
||||
chomp(my $secret = <STDIN>);
|
||||
Term::ReadKey::ReadMode 0;
|
||||
print "\n";
|
||||
return $secret;
|
||||
});
|
||||
}
|
||||
else {
|
||||
$ldap->start_tls( verify => 'none' );
|
||||
}
|
||||
}
|
||||
|
||||
# bind
|
||||
my $rv;
|
||||
|
|
@ -1614,6 +1657,9 @@ Getopt::Long::GetOptions(
|
|||
'basedn=s',
|
||||
'cacheage=i',
|
||||
'timeout=i',
|
||||
'tls_cacert=s',
|
||||
'tls_cert=s',
|
||||
'tls_key=s',
|
||||
'tls', 'debug',
|
||||
help => sub {
|
||||
Pod::Usage::pod2usage(
|
||||
|
|
@ -1660,7 +1706,7 @@ sub load_config
|
|||
close YAML;
|
||||
|
||||
eval { $conf = YAML::Syck::Load( $data ) };
|
||||
die "Invalid YAML in ~/.shelldap.rc\n" if $@;
|
||||
die "Invalid YAML in $confpath\n" if $@;
|
||||
|
||||
return $conf;
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue