19896: Use StartTLS + MinTLSVersion regardless of Insecure flag.

[arvados.git] / lib / controller / localdb / login_ldap.go

diff --git a/lib/controller/localdb/login_ldap.go b/lib/controller/localdb/login_ldap.go
index 3f13c7b27aafed09f1c6b201270e034ca9c011d9..df3982c85f627edc301241777e1b1ae7c1b52105 100644 (file)
--- a/lib/controller/localdb/login_ldap.go
+++ b/lib/controller/localdb/login_ldap.go
@@ -47,7 +47,25 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
        }
 
        log = log.WithField("URL", conf.URL.String())
-       l, err := ldap.DialURL(conf.URL.String())
+       var l *ldap.Conn
+       var err error
+       if conf.URL.Scheme == "ldaps" {
+               // ldap.DialURL does not currently allow us to control
+               // tls.Config, so we need to figure out the port
+               // ourselves and call DialTLS.
+               host, port, err := net.SplitHostPort(conf.URL.Host)
+               if err != nil {
+                       // Assume error means no port given
+                       host = conf.URL.Host
+                       port = ldap.DefaultLdapsPort
+               }
+               l, err = ldap.DialTLS("tcp", net.JoinHostPort(host, port), &tls.Config{
+                       ServerName: host,
+                       MinVersion: uint16(conf.MinTLSVersion),
+               })
+       } else {
+               l, err = ldap.DialURL(conf.URL.String())
+       }
        if err != nil {
                log.WithError(err).Error("ldap connection failed")
                return arvados.APIClientAuthorization{}, err
@@ -56,6 +74,7 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
 
        if conf.StartTLS {
                var tlsconfig tls.Config
+               tlsconfig.MinVersion = uint16(conf.MinTLSVersion)
                if conf.InsecureTLS {
                        tlsconfig.InsecureSkipVerify = true
                } else {