Use SSL/TLS when configured to do so.

diff --git a/Util.pm b/Util.pm
index 1688dc4..2b5b266 100644 (file)
--- a/Util.pm
+++ b/Util.pm
@@ -3,6 +3,7 @@ package Util;
 
 use strict;
 use Date::Manip qw(ParseDate);
+use Net::LDAP qw(:all);
 
 my $blocksize = 8; # A blowfish block is 8 bytes
 my $configfile = "/etc/userdir-ldap/userdir-ldap.conf";
@@ -339,4 +340,17 @@ sub ReadConfigFile {
   return %config;
 }
 
+sub UpgradeConnection($) {
+  my ($ldap) = @_;
+  my $mesg = $ldap->start_tls(
+                          verify => 'require',
+                          capath => '/etc/ssl/certs/'
+                          );
+  $mesg->sync;
+  if ($mesg->code != LDAP_SUCCESS) {
+    print "Content-type: text/html; charset=utf-8\n\n";
+    print "<html><body><h1>STARTTLS failed: "..$mesg->error."</h1></body></html>\n";
+    exit(1);
+  };
+};
 1;

diff --git a/debian/changelog b/debian/changelog
index 6026a60..e3a1006 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,8 +3,10 @@ userdir-ldap-cgi (0.3.10) unstable; urgency=low
   * Make machines.cgi display the purpose attribute from LDAP [HE].
   * Add VoIP field to CGI [zobel].
   * make summaryattrs sortable [zobel].
+  * Use SSL/TLS when configured to do so, and Depend on libio-socket-ssl-perl
+    for that.
 
- -- Peter Palfrader <weasel@debian.org>  Sun, 25 May 2008 18:05:06 +0200
+ -- Peter Palfrader <weasel@debian.org>  Sun, 25 May 2008 18:21:45 +0200
 
 userdir-ldap-cgi (0.3.9) unstable; urgency=low
 

diff --git a/debian/control b/debian/control
index 89c07b7..146eb1c 100644 (file)
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Uploaders: Ryan Murray <rmurray@debian.org>, Joey Schulze <joey@debian.org>
 
 Package: userdir-ldap-cgi
 Architecture: all
-Depends: userdir-ldap, perl5, libnet-ldap-perl, libcrypt-blowfish-perl, gnupg (>= 1.0.3), libdate-manip-perl, liburi-perl
+Depends: userdir-ldap, perl5, libnet-ldap-perl, libcrypt-blowfish-perl, gnupg (>= 1.0.3), libdate-manip-perl, liburi-perl, libio-socket-ssl-perl
 Replaces: userdir-ldap
 Description: CGI programs for the db.debian.org
  These programs are run on http://db.debian.org/ to simplify the

diff --git a/login.cgi b/login.cgi
index 6a32547..cfe7380 100755 (executable)
--- a/login.cgi
+++ b/login.cgi
@@ -28,6 +28,7 @@ my $hrkey = unpack("H".($config{blowfishkeylen}*2), $key);
 my $cipher = new Crypt::Blowfish $key;
 
 my $ldap = Net::LDAP->new($config{ldaphost}) || &Util::HTMLError($!);
+&Util::UpgradeConnection($ldap) unless $config{usessl} eq 'False';
 
 my $username = $query->param('username');
 my $password = $query->param('password');

diff --git a/machines.cgi b/machines.cgi
index 166c2ca..de5191e 100755 (executable)
--- a/machines.cgi
+++ b/machines.cgi
@@ -92,6 +92,7 @@ my $sortorder = lc($query->param('sortorder')) || "asc";
 
 &Util::HTMLSendHeader;
 $ldap = Net::LDAP->new($config{ldaphost}) || &Util::HTMLError($!);
+&Util::UpgradeConnection($ldap) unless $config{usessl} eq 'False';
 $mesg;
 $ldap->bind;
 

diff --git a/search.cgi b/search.cgi
index 96d8135..9cb62b3 100755 (executable)
--- a/search.cgi
+++ b/search.cgi
@@ -84,6 +84,7 @@ if (!$dosearch) {
 
   # Now, we are ready to connect to the LDAP server.
   $ldap = Net::LDAP->new($config{ldaphost}) || &Util::HTMLError($!);
+  &Util::UpgradeConnection($ldap) unless $config{usessl} eq 'False';
   my $auth = 0;
   my $mesg;
 

diff --git a/update.cgi b/update.cgi
index e1f7c96..676d2d7 100755 (executable)
--- a/update.cgi
+++ b/update.cgi
@@ -36,6 +36,7 @@ sub DieHandler {
 $SIG{__DIE__} = \&DieHandler;
 
 $ldap = Net::LDAP->new($config{ldaphost});
+&Util::UpgradeConnection($ldap) unless $config{usessl} eq 'False';
 my $auth = 0;
 my $mesg;
 $mesg = $ldap->bind($editdn, password => $password);