X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/77c8223f5ddd64cff2b08d0857749644c474946f..064df2d66faf61f475813863e5c29ca07ad9555a:/lib/controller/localdb/login_ldap.go
diff --git a/lib/controller/localdb/login_ldap.go b/lib/controller/localdb/login_ldap.go
index 49f557ae5b..df3982c85f 100644
--- a/lib/controller/localdb/login_ldap.go
+++ b/lib/controller/localdb/login_ldap.go
@@ -26,7 +26,7 @@ type ldapLoginController struct {
 }
 
 func (ctrl *ldapLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
-	return noopLogout(ctrl.Cluster, opts)
+	return logout(ctx, ctrl.Cluster, opts)
 }
 
 func (ctrl *ldapLoginController) Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) {
@@ -47,7 +47,25 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
 	}
 	log = log.WithField("URL", conf.URL.String())
 
-	l, err := ldap.DialURL(conf.URL.String())
+	var l *ldap.Conn
+	var err error
+	if conf.URL.Scheme == "ldaps" {
+		// ldap.DialURL does not currently allow us to control
+		// tls.Config, so we need to figure out the port
+		// ourselves and call DialTLS.
+		host, port, err := net.SplitHostPort(conf.URL.Host)
+		if err != nil {
+			// Assume error means no port given
+			host = conf.URL.Host
+			port = ldap.DefaultLdapsPort
+		}
+		l, err = ldap.DialTLS("tcp", net.JoinHostPort(host, port), &tls.Config{
+			ServerName: host,
+			MinVersion: uint16(conf.MinTLSVersion),
+		})
+	} else {
+		l, err = ldap.DialURL(conf.URL.String())
+	}
 	if err != nil {
 		log.WithError(err).Error("ldap connection failed")
 		return arvados.APIClientAuthorization{}, err
@@ -56,6 +74,7 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
 
 	if conf.StartTLS {
 		var tlsconfig tls.Config
+		tlsconfig.MinVersion = uint16(conf.MinTLSVersion)
 		if conf.InsecureTLS {
 			tlsconfig.InsecureSkipVerify = true
 		} else {
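Review bot: In the second hunk the ldaps branch drops the dial error: `host, port, err := net.SplitHostPort(conf.URL.Host)` declares a new `err` scoped to the `if` block, so the following `l, err = ldap.DialTLS(...)` assigns to that inner variable and the outer `err` checked by `if err != nil` after the block is still nil. A failed TLS dial (including a certificate verification failure) therefore leaves `l` nil and execution continues into the bind with a nil `*ldap.Conn` instead of returning "ldap connection failed". Renaming the inner variable avoids the shadow: `host, port, splitErr := net.SplitHostPort(conf.URL.Host)` and `if splitErr != nil {`; go vet's shadow analyzer would have flagged this. It is also worth a comment on the `ldaps` branch that, unlike the StartTLS path below, it always verifies the server certificate and does not consult `conf.InsecureTLS`, so operators combining an ldaps URL with InsecureTLS get a verification error rather than a skipped check. UserAuthenticate begins and ends outside this hunk.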