diff --git a/ChangeLog b/ChangeLog index b3d437c12..d46dedd76 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2009-04-02 Wolfgang Sourdeau + + * SoObjects/SOGo/LDAPSource.m: we now support an "encryption" + parameter, having either a value of "ssl" or "starttls" to define + the type of encryption to be used, if any. + 2009-04-01 Ludovic Marcotte * Dropped worthless tools diff --git a/NEWS b/NEWS index 993843c9e..4a6475462 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,7 @@ +1.0.x +----- +- we now support LDAP encryption for binding and for contact lookups + 1.0-2009 -------- - when the status of an attendee changes, the event of an organizer is now updated correctly if it doesn't reside in the personal folder diff --git a/SOPE/sope-patchset-r1632.diff b/SOPE/sope-patchset-r1632.diff index d0720199f..2d4fe145d 100644 --- a/SOPE/sope-patchset-r1632.diff +++ b/SOPE/sope-patchset-r1632.diff 
@@ -1,3 +1,65 @@ +Index: sope-ldap/NGLdap/NGLdapConnection.m +=================================================================== +--- sope-ldap/NGLdap/NGLdapConnection.m (revision 1632) ++++ sope-ldap/NGLdap/NGLdapConnection.m (working copy) +@@ -219,6 +219,29 @@ + return e; + } + ++/* encryption */ ++ ++- (BOOL)useSSL ++{ ++ BOOL rc; ++ int option; ++ ++ if (self->handle != NULL) { ++ option = LDAP_OPT_X_TLS_HARD; ++ rc = (ldap_set_option(self->handle, LDAP_OPT_X_TLS, &option) == LDAP_SUCCESS); ++ } ++ else ++ rc = NO; ++ ++ return rc; ++} ++ ++- (BOOL)startTLS ++{ ++ return (self->handle != NULL ++ && ldap_start_tls_s(self->handle, NULL, NULL) == LDAP_SUCCESS); ++} ++ + /* binding */ + + - (BOOL)isBound { +Index: sope-ldap/NGLdap/ChangeLog +=================================================================== +--- sope-ldap/NGLdap/ChangeLog (revision 1632) ++++ sope-ldap/NGLdap/ChangeLog (working copy) +@@ -1,3 +1,8 @@ ++2009-04-02 Wolfgang Sourdeau ++ ++ * NGLdapConnection.m (useSSL,startTLS): new method enabling ++ encryption on the LDAP connection. ++ + 2007-11-21 Helge Hess + + * NGLdapConnection.m: replaced some -cString calls with -UTF8String +Index: sope-ldap/NGLdap/NGLdapConnection.h +=================================================================== +--- sope-ldap/NGLdap/NGLdapConnection.h (revision 1632) ++++ sope-ldap/NGLdap/NGLdapConnection.h (working copy) +@@ -53,6 +53,10 @@ + - (NSString *)hostName; + - (int)port; + ++/* encryption */ ++- (BOOL)useSSL; ++- (BOOL)startTLS; ++ + /* binding */ + + - (BOOL)isBound; Index: sope-gdl1/PostgreSQL/PostgreSQL72Channel.m =================================================================== --- sope-gdl1/PostgreSQL/PostgreSQL72Channel.m (revision 1632) diff --git a/SoObjects/SOGo/LDAPSource.h b/SoObjects/SOGo/LDAPSource.h index 77532b722..dbe0fe0e7 100644 --- a/SoObjects/SOGo/LDAPSource.h +++ b/SoObjects/SOGo/LDAPSource.h 
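Review bot: Neither added NGLdapConnection method configures certificate verification: `useSSL` only sets `LDAP_OPT_X_TLS` to `LDAP_OPT_X_TLS_HARD` and `startTLS` calls `ldap_start_tls_s` with NULL controls, so whether the server certificate is validated is left entirely to the library's global defaults (the system ldap.conf `TLS_REQCERT` setting), which this patch does not touch or document. Suggest a comment next to the two declarations in NGLdapConnection.h, e.g. `/* Enable TLS on the handle; peer-certificate validation follows the libldap defaults (ldap.conf TLS_REQCERT) and is not configured here. */`, and consider whether a per-connection require-cert option should accompany these methods so deployments do not silently depend on host configuration. `useSSL` also returns NO both when `handle` is NULL and when `ldap_set_option` fails, which callers cannot tell apart; noting that in the comment would help the error message in LDAPSource.m be accurate.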
@@ -36,6 +36,7 @@ NSString *hostname; unsigned int port; NSString *password; + NSString *encryption; NSString *_filter; NSString *baseDN; @@ -56,9 +57,10 @@ - (id) initFromUDSource: (NSDictionary *) udSource; - (void) setBindDN: (NSString *) newBindDN + password: (NSString *) newBindPassword hostname: (NSString *) newBindHostname port: (NSString *) newBindPort - andPassword: (NSString *) newBindPassword; + encryption: (NSString *) newEncryption; - (void) setBaseDN: (NSString *) newBaseDN IDField: (NSString *) newIDField CNField: (NSString *) newCNField diff --git a/SoObjects/SOGo/LDAPSource.m b/SoObjects/SOGo/LDAPSource.m index 53037c525..782a91d9e 100644 --- a/SoObjects/SOGo/LDAPSource.m +++ b/SoObjects/SOGo/LDAPSource.m @@ -26,6 +26,7 @@ #import #import +#import #import #import #import @@ -155,6 +156,7 @@ static NSLock *lock; bindDN = nil; hostname = nil; port = 389; + encryption = nil; password = nil; sourceID = nil; @@ -178,6 +180,7 @@ static NSLock *lock; { [bindDN release]; [hostname release]; + [encryption release]; [password release]; [baseDN release]; [IDField release]; 
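Review bot: The new `encryption` ivar and the `encryption:` parameter in LDAPSource.h say nothing about the accepted values, while the implementation uppercases the string, compares it to "SSL" (with "STARTTLS" as the other intended value per the ChangeLog) and switches the default port for SSL. Suggest `NSString *encryption; /* nil, "ssl" or "starttls" (case-insensitive); "ssl" defaults port to 636 unless a port is configured */` on the ivar. Renaming `andPassword:` to `password:` and moving it changes the selector, so any caller outside this diff still using the old selector would fail at runtime rather than at compile time in Objective-C; worth a repository-wide check before merging.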
@@ -196,30 +199,35 @@ static NSLock *lock; { self = [self init]; - ASSIGN(sourceID, [udSource objectForKey: @"id"]); + ASSIGN (sourceID, [udSource objectForKey: @"id"]); [self setBindDN: [udSource objectForKey: @"bindDN"] + password: [udSource objectForKey: @"bindPassword"] hostname: [udSource objectForKey: @"hostname"] port: [udSource objectForKey: @"port"] - andPassword: [udSource objectForKey: @"bindPassword"]]; + encryption: [udSource objectForKey: @"encryption"]]; [self setBaseDN: [udSource objectForKey: @"baseDN"] IDField: [udSource objectForKey: @"IDFieldName"] CNField: [udSource objectForKey: @"CNFieldName"] UIDField: [udSource objectForKey: @"UIDFieldName"] mailFields: [udSource objectForKey: @"MailFieldNames"] andBindFields: [udSource objectForKey: @"bindFields"]]; - ASSIGN(modulesConstraints, [udSource objectForKey: @"ModulesConstraints"]); - ASSIGN(_filter, [udSource objectForKey: @"filter"]); + ASSIGN (modulesConstraints, [udSource objectForKey: @"ModulesConstraints"]); + ASSIGN (_filter, [udSource objectForKey: @"filter"]); return self; } - (void) setBindDN: (NSString *) newBindDN + password: (NSString *) newBindPassword hostname: (NSString *) newBindHostname port: (NSString *) newBindPort - andPassword: (NSString *) newBindPassword + encryption: (NSString *) newEncryption { ASSIGN (bindDN, newBindDN); + ASSIGN (encryption, [newEncryption uppercaseString]); + if ([encryption isEqualToString: @"SSL"]) + port = 636; ASSIGN (hostname, newBindHostname); if (newBindPort) port = [newBindPort intValue]; 
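Review bot: In `setBindDN:password:hostname:port:encryption:` the SSL default `port = 636;` is assigned before `if (newBindPort) port = [newBindPort intValue];`, so an explicit port still wins, but that precedence is easy to misread; a comment such as `/* an explicit "port" setting overrides the ldaps default below */` above the SSL check would make it clear. The hunk also mixes this functional change with whitespace-only `ASSIGN(` to `ASSIGN (` edits in `initFromUDSource:`, which inflates the diff and hides the behavioural lines; cosmetic reformatting is better kept in a separate commit. Note that `[newEncryption uppercaseString]` yields nil for a nil input, and the `![encryption length]` checks elsewhere in this commit rely on that nil-messaging behaviour to mean "no encryption", which deserves a comment since it is load-bearing.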
@@ -246,6 +254,23 @@ static NSLock *lock; ASSIGN (bindFields, newBindFields); } +- (BOOL) _setupEncryption: (NGLdapConnection *) encryptedConn +{ + BOOL rc; + + if ([encryption isEqualToString: @"SSL"]) + rc = [encryptedConn useSSL]; + else if ([encryption isEqualToString: @"SSL"]) + rc = [encryptedConn startTLS]; + else + { + [self errorWithFormat: @"encryption scheme '%@' not supported: use 'SSL' or 'STARTTLS'"]; + rc = NO; + } + + return rc; +} + - (BOOL) _initLDAPConnection { BOOL b; @@ -254,14 +279,19 @@ static NSLock *lock; { ldapConnection = [[NGLdapConnection alloc] initWithHostName: hostname port: port]; - [ldapConnection bindWithMethod: @"simple" - binddn: bindDN - credentials: password]; - if (sizeLimit > 0) - [ldapConnection setQuerySizeLimit: sizeLimit]; - if (timeLimit > 0) - [ldapConnection setQueryTimeLimit: timeLimit]; - b = YES; + if (![encryption length] || [self _setupEncryption: ldapConnection]) + { + [ldapConnection bindWithMethod: @"simple" + binddn: bindDN + credentials: password]; + if (sizeLimit > 0) + [ldapConnection setQuerySizeLimit: sizeLimit]; + if (timeLimit > 0) + [ldapConnection setQueryTimeLimit: timeLimit]; + b = YES; + } + else + b = NO; } NS_HANDLER { 
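Review bot: The `else if` branch in `_setupEncryption:` repeats the `@"SSL"` comparison, so a "starttls" setting can never reach `[encryptedConn startTLS]` and instead falls into the unsupported-scheme branch and returns NO; it should read `else if ([encryption isEqualToString: @"STARTTLS"])`. In that error branch the format string contains `%@` but no argument is supplied, so `errorWithFormat:` reads an undefined varargs value; pass the scheme explicitly: `[self errorWithFormat: @"encryption scheme '%@' not supported: use 'SSL' or 'STARTTLS'", encryption];`. Together these mean STARTTLS cannot be enabled at all and the diagnostic for that failure is itself unreliable.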
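Review bot: When `_setupEncryption:` fails in `_initLDAPConnection`, the freshly allocated `ldapConnection` is neither released nor reset, so the ivar keeps pointing at an unencrypted, unbound connection object after `b = NO`; whether later code guards on `b` rather than on `ldapConnection` being non-nil is not visible here, so the safer form is `[ldapConnection release]; ldapConnection = nil; b = NO;` on that path. Refusing to bind when encryption setup fails is the right fail-closed behaviour and worth a one-line comment saying so. The method continues past the hunk into its NS_HANDLER block.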
@@ -338,23 +368,26 @@ static NSLock *lock; { bindConnection = [[NGLdapConnection alloc] initWithHostName: hostname port: port]; - if (timeLimit > 0) - [ldapConnection setQueryTimeLimit: timeLimit]; - if (bindFields) - userDN = [self _fetchUserDNForLogin: loginToCheck]; - else - userDN = [NSString stringWithFormat: @"%@=%@,%@", - IDField, loginToCheck, baseDN]; - if (userDN) + if (![encryption length] || [self _setupEncryption: bindConnection]) { - NS_DURING - didBind = [bindConnection bindWithMethod: @"simple" - binddn: userDN - credentials: passwordToCheck]; - NS_HANDLER - NS_ENDHANDLER + if (timeLimit > 0) + [ldapConnection setQueryTimeLimit: timeLimit]; + if (bindFields) + userDN = [self _fetchUserDNForLogin: loginToCheck]; + else + userDN = [NSString stringWithFormat: @"%@=%@,%@", + IDField, loginToCheck, baseDN]; + if (userDN) + { + NS_DURING + didBind = [bindConnection bindWithMethod: @"simple" + binddn: userDN + credentials: passwordToCheck]; + NS_HANDLER + NS_ENDHANDLER + } + [bindConnection release]; } - [bindConnection release]; } #if defined(THREADSAFE)
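Review bot: `[bindConnection release]` has moved inside the success branch, so when `_setupEncryption:` returns NO the `bindConnection` allocated just above it is never released; the release belongs after the `if` block, at the same level as the allocation. Inside the branch, `[ldapConnection setQueryTimeLimit: timeLimit]` configures the shared `ldapConnection` rather than the connection being prepared; this predates the commit but the lines are re-added here, and it looks like it should be `[bindConnection setQueryTimeLimit: timeLimit];`. The `userDN` built with `stringWithFormat:` interpolates `loginToCheck` into a DN without RFC 4514 escaping, also pre-existing, but worth a `// TODO` comment since special characters in the login change the DN that is bound. The enclosing method starts outside the hunk, so the initial value of `didBind` on the encryption-failure path cannot be confirmed here; it must be NO so that a failed TLS setup never counts as a successful login.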