X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/374cc9ffdd945cec08abbc3ff91b4b2b147cd840..ec17f6971109186961283443f2df6d5802bea401:/lib/controller/localdb/login_ldap.go
diff --git a/lib/controller/localdb/login_ldap.go b/lib/controller/localdb/login_ldap.go
index 6c430d69bb..df3982c85f 100644
--- a/lib/controller/localdb/login_ldap.go
+++ b/lib/controller/localdb/login_ldap.go
@@ -21,12 +21,12 @@ import (
 )
 type ldapLoginController struct {
- Cluster *arvados.Cluster
- RailsProxy *railsProxy
+ Cluster *arvados.Cluster
+ Parent *Conn
 }
 func (ctrl *ldapLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
- return noopLogout(ctrl.Cluster, opts)
+ return logout(ctx, ctrl.Cluster, opts)
 }
 func (ctrl *ldapLoginController) Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) {
@@ -47,7 +47,25 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
 }
 log = log.WithField("URL", conf.URL.String())
- l, err := ldap.DialURL(conf.URL.String())
+ var l *ldap.Conn
+ var err error
+ if conf.URL.Scheme == "ldaps" {
+ // ldap.DialURL does not currently allow us to control
+ // tls.Config, so we need to figure out the port
+ // ourselves and call DialTLS.
+ host, port, err := net.SplitHostPort(conf.URL.Host)
+ if err != nil {
+ // Assume error means no port given
+ host = conf.URL.Host
+ port = ldap.DefaultLdapsPort
+ }
+ l, err = ldap.DialTLS("tcp", net.JoinHostPort(host, port), &tls.Config{
+ ServerName: host,
+ MinVersion: uint16(conf.MinTLSVersion),
+ })
+ } else {
+ l, err = ldap.DialURL(conf.URL.String())
+ }
 if err != nil {
 log.WithError(err).Error("ldap connection failed")
 return arvados.APIClientAuthorization{}, err
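Review bot: In the new `ldaps` branch, `host, port, err := net.SplitHostPort(conf.URL.Host)` declares a second `err` scoped to the `if` block, so the later `l, err = ldap.DialTLS(...)` assigns to that inner variable and the outer `err` tested by `if err != nil` after the block is still nil. A TLS dial failure (unreachable server, rejected certificate, server below MinTLSVersion) is therefore never logged or returned, and `l` is a nil `*ldap.Conn` when the rest of UserAuthenticate — which starts and ends outside this hunk — goes on to use it. Give the split result its own name, `host, port, splitErr := net.SplitHostPort(conf.URL.Host)` and `if splitErr != nil {`, so `l, err = ldap.DialTLS(...)` writes the outer `err`; the `shadow` vet analyzer flags this pattern. Separately, the ldaps `tls.Config` sets only `ServerName` and `MinVersion`, while the StartTLS path in the next hunk also honours `conf.InsecureTLS`; whether that difference is intended is not visible here and is worth a comment either way.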
@@ -56,6 +74,7 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
 if conf.StartTLS {
 var tlsconfig tls.Config
+ tlsconfig.MinVersion = uint16(conf.MinTLSVersion)
 if conf.InsecureTLS {
 tlsconfig.InsecureSkipVerify = true
 } else {
@@ -143,7 +162,7 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
 return arvados.APIClientAuthorization{}, errors.New("authentication succeeded but ldap returned no email address")
 }
- return createAPIClientAuthorization(ctx, ctrl.RailsProxy, ctrl.Cluster.SystemRootToken, rpc.UserSessionAuthInfo{
+ return ctrl.Parent.CreateAPIClientAuthorization(ctx, ctrl.Cluster.SystemRootToken, rpc.UserSessionAuthInfo{
 Email: email,
 FirstName: attrs["givenname"],
 LastName: attrs["sn"],