X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/864c3b0afd16c77e046f0072d8517d34c5a44792..ec17f6971109186961283443f2df6d5802bea401:/lib/controller/localdb/login_ldap.go
diff --git a/lib/controller/localdb/login_ldap.go b/lib/controller/localdb/login_ldap.go
index 3f13c7b27a..df3982c85f 100644
--- a/lib/controller/localdb/login_ldap.go
+++ b/lib/controller/localdb/login_ldap.go
@@ -47,7 +47,25 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
 }
 log = log.WithField("URL", conf.URL.String())
- l, err := ldap.DialURL(conf.URL.String())
+ var l *ldap.Conn
+ var err error
+ if conf.URL.Scheme == "ldaps" {
+ // ldap.DialURL does not currently allow us to control
+ // tls.Config, so we need to figure out the port
+ // ourselves and call DialTLS.
+ host, port, err := net.SplitHostPort(conf.URL.Host)
+ if err != nil {
+ // Assume error means no port given
+ host = conf.URL.Host
+ port = ldap.DefaultLdapsPort
+ }
+ l, err = ldap.DialTLS("tcp", net.JoinHostPort(host, port), &tls.Config{
+ ServerName: host,
+ MinVersion: uint16(conf.MinTLSVersion),
+ })
+ } else {
+ l, err = ldap.DialURL(conf.URL.String())
+ }
 if err != nil {
 log.WithError(err).Error("ldap connection failed")
 return arvados.APIClientAuthorization{}, err
@@ -56,6 +74,7 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
 if conf.StartTLS {
 var tlsconfig tls.Config
+ tlsconfig.MinVersion = uint16(conf.MinTLSVersion)
 if conf.InsecureTLS {
 tlsconfig.InsecureSkipVerify = true
 } else {
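Review bot: The `:=` in `host, port, err := net.SplitHostPort(conf.URL.Host)` declares a new `err` inside the ldaps branch that shadows the `var err error` declared just above it, so the result of `l, err = ldap.DialTLS(...)` is stored in the inner variable and the outer `err` tested by `if err != nil` after the branch is always nil on the ldaps path. A dial or certificate-verification failure over ldaps therefore never reaches the `ldap connection failed` log and return, and execution continues with a nil `*ldap.Conn`. Predeclare and assign instead: `var host, port string` followed by `host, port, err = net.SplitHostPort(conf.URL.Host)`, which keeps every assignment in the function on the single outer `err`. Separately, this branch never consults `conf.InsecureTLS` while the StartTLS path below does; if always verifying the server certificate for ldaps is intended, a one-line comment saying so would spare the next reader the same question. UserAuthenticate begins and ends outside this hunk.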