authorMichael Kozono <mkozono@gmail.com>2017-06-08 16:57:13 -0700
committerMichael Kozono <mkozono@gmail.com>2017-07-26 02:43:34 -0700
commitdcc12505aa121f809f6cf64fa7a68cc5457aca31 (patch)
tree6c56ebf243fb57e62788f97df7ea542bd43267d3 /lib
parentb67c007842ba42d2ed1cf1d8879a220a1b9906f9 (diff)
Set `Net::LDAP` `ca_file` option
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab/ldap/config.rb20
1 files changed, 15 insertions, 5 deletions
diff --git a/lib/gitlab/ldap/config.rb b/lib/gitlab/ldap/config.rb
index 383e0a09e42..983c79a6364 100644
--- a/lib/gitlab/ldap/config.rb
+++ b/lib/gitlab/ldap/config.rb
@@ -179,11 +179,21 @@ module Gitlab
end
def tls_options(method)
- if method && options['verify_certificates']
- OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
- else
- { verify_mode: OpenSSL::SSL::VERIFY_NONE }
- end
+ return { verify_mode: OpenSSL::SSL::VERIFY_NONE } unless method
+
+ opts = if options['verify_certificates']
+ OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+ else
+ # It is important to explicitly set verify_mode for two reasons:
+ # 1. The behavior of OpenSSL is undefined when verify_mode is not set.
+ # 2. The net-ldap gem implementation verifies the certificate hostname
+ # unless verify_mode is set to VERIFY_NONE.
+ { verify_mode: OpenSSL::SSL::VERIFY_NONE }
+ end
+
+ opts[:ca_file] = options['ca_file'] if options['ca_file'].present?
+
+ opts
end
def auth_options
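Review bot: In the `verify_certificates` branch of `tls_options`, `opts` is the `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS` hash itself, so the later `opts[:ca_file] = options['ca_file']` writes into a constant shared by the whole process. Any other TLS client in the process that builds its context from those defaults would then inherit the LDAP CA file as a trust setting, and on an openssl version where the constant is frozen the assignment would presumably raise instead. Copy before modifying, `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.dup`, with a short comment such as `# dup so the shared constant is never modified`. A spec asserting that `DEFAULT_PARAMS` has no `:ca_file` key after `tls_options` is called would keep this from regressing.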