Commit 0c4a3406 authored by Martin Lizner's avatar Martin Lizner

Use system default truststore to validate ldap connection certificate

parent bdf5111d
......@@ -76,7 +76,14 @@ public abstract class AbstractLdapConfiguration extends AbstractConfiguration {
* E.g. SSL, SSLv2, SSLv3, TLS, TLSv1, TLSv1.1, TLSv1.2
*/
private String sslProtocol = null;
/**
* Whether connector skips certificate validity check against its default truststore (e.g. Java cacerts)
* When set to false, connector checks server certificate validity in SSL/TLS mode (recommended).
* When set to true, connector does not check server certificate validity. Do not use this option in the production.
*/
private boolean allowUntrustedSsl = false;
/**
* Set of security protocols that are acceptable for protocol negotiation.
* This name is used to set up SSLEngine.
......@@ -752,6 +759,15 @@ public abstract class AbstractLdapConfiguration extends AbstractConfiguration {
this.additionalSearchFilter = additionalSearchFilter;
}
@ConfigurationProperty(order = 43)
public boolean isAllowUntrustedSsl() {
return allowUntrustedSsl;
}
public void setAllowUntrustedSsl(boolean allowUntrustedSsl) {
this.allowUntrustedSsl = allowUntrustedSsl;
}
@Override
public void validate() {
validateNotBlank(host, "host.blank");
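Review bot: The new `allowUntrustedSsl` flag is documented but never surfaced at runtime: `validate()` (its body continues outside the hunk) accepts `allowUntrustedSsl=true` silently, so a deployment that has disabled certificate checking leaves no trace in the connector's logs or validation output. A warning emitted from `validate()` when the flag is true would make the insecure configuration visible; the class's logging facility is not shown in this hunk, so the exact call is left to the author. The field Javadoc could also be tightened, e.g. `Do not use this option in production.`, and could state that when true the server certificate chain is not validated at all (the `NoVerificationTrustManager` path in `ConnectionManager.createTrustManager`).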
......@@ -17,6 +17,9 @@ package com.evolveum.polygon.connector.ldap;
import java.io.Closeable;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
......@@ -40,6 +43,7 @@ import org.apache.directory.api.ldap.model.url.LdapUrl;
import org.apache.directory.api.ldap.schema.manager.impl.DefaultSchemaManager;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.directory.ldap.client.api.NoVerificationTrustManager;
import org.identityconnectors.common.logging.Log;
import org.identityconnectors.common.security.GuardedString;
import org.identityconnectors.framework.common.exceptions.ConfigurationException;
......@@ -51,6 +55,9 @@ import com.evolveum.polygon.common.GuardedStringAccessor;
import com.evolveum.polygon.connector.ldap.ServerDefinition.Origin;
import com.evolveum.polygon.connector.ldap.schema.AbstractSchemaTranslator;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
/**
* @author Radovan Semancik
*
......@@ -365,8 +372,10 @@ public class ConnectionManager<C extends AbstractLdapConfiguration> implements C
// Nothing to do
} else if (LdapConfiguration.CONNECTION_SECURITY_SSL.equals(connectionSecurity)) {
connectionConfig.setUseSsl(true);
connectionConfig.setTrustManagers(createTrustManager());
} else if (LdapConfiguration.CONNECTION_SECURITY_STARTTLS.equals(connectionSecurity)) {
connectionConfig.setUseTls(true);
connectionConfig.setTrustManagers(createTrustManager());
} else {
throw new ConfigurationException("Unknown value for connectionSecurity: "+connectionSecurity);
}
......@@ -419,7 +428,23 @@ public class ConnectionManager<C extends AbstractLdapConfiguration> implements C
}
server.setConnection(connection);
}
private TrustManager[] createTrustManager() {
if (configuration.isAllowUntrustedSsl()) {
return new TrustManager[]{new NoVerificationTrustManager()}; // this is apache ldap default
}
String defaultAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
try {
TrustManagerFactory tmf = TrustManagerFactory.getInstance(defaultAlgorithm);
tmf.init((KeyStore) null); // load system default keystore (e.g. JDK cacerts)
return tmf.getTrustManagers();
} catch (NoSuchAlgorithmException | KeyStoreException e) {
LOG.error("Error creating trust manager: {0}", e);
}
throw new ConnectionFailedException("Unable to create trust manager.");
}
private LdapNetworkConnection connectConnection(LdapConnectionConfig connectionConfig, String userDn) {
LOG.ok("Creating connection object");
LdapNetworkConnection connection = new LdapNetworkConnection(connectionConfig);
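Review bot: The trust managers returned by the default `TrustManagerFactory` in `createTrustManager` validate the certificate chain against the system truststore but do not by themselves check that the certificate was issued for the configured LDAP host; unless `LdapConnectionConfig` or the Apache LDAP client enables an endpoint identification algorithm elsewhere (not visible in this hunk), any certificate from a trusted CA would be accepted regardless of hostname, which is worth verifying in the client and stating in a method Javadoc. Separately, the `catch` block logs the exception and then falls through to throw `ConnectionFailedException` without the cause, so the original stack trace is lost; preferable is `throw new ConnectionFailedException("Unable to create trust manager.", e);` inside the catch, dropping the unconditional throw after it (assuming the exception type offers a cause constructor, as ConnId's does). The comment `// this is apache ldap default` on the `NoVerificationTrustManager` line is a claim about library behaviour that should be hedged or given a reference.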
......@@ -34,6 +34,9 @@ enabledSecurityProtocols.help=Set of security protocols that are acceptable for
enabledCipherSuites.display=Enabled cipher suites
enabledCipherSuites.help=
allowUntrustedSsl.display=Allow untrusted SSL/TLS
allowUntrustedSsl.help=If set to false (which is default and recommended), connector checks server certificate validity in SSL/TLS mode against system default truststore (e.g. Java cacerts). If set to true, connector does not check server certificate validity - do not use this option in the production environment.
authenticationType.display=Authentication type
authenticationType.help=The authentication mechanism to use. Values: "simple", "SASL-GSSAPI"