

don't resolve IPs for LDAP source using SSL and requiring verification (
talltechdude authored Nov 22, 2024
1 parent 14fc52a commit 41ac29f
Showing 1 changed file with 8 additions and 2 deletions.
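--- a/lib/pf/Authentication/Source/LDAPSource.pm
+++ b/lib/pf/Authentication/Source/LDAPSource.pm
@@ -244,8 +244,14 @@ sub _connect {
 my $connection;
 my $logger = Log::Log4perl::get_logger(__PACKAGE__);
 my $LDAPServer;
-# Lookup the server hostnames to IPs so they can be shuffled better and to improve the failure detection
-my @LDAPServers = map { valid_ip($_) ? $_ : @{resolve($_) // []} } @{$self->{'host'} // []};
+my @LDAPServers;
+if ($self->{'encryption'} eq SSL && $self->{'verify'} eq 'require') {
+# Not expanding hostnames in order to allow LDAPS to send SNI header and verify hostname header against certifcate (at the cost of IP based round robin)
+@LDAPServers = @{$self->{'host'} // []};
+} else {
+# Lookup the server hostnames to IPs so they can be shuffled better and to improve the failure detection
+@LDAPServers = map { valid_ip($_) ? $_ : @{resolve($_) // []} } @{$self->{'host'} // []};
+}
 if ($self->shuffle) {
 @LDAPServers = List::Util::shuffle @LDAPServers;
 }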
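Review bot: The new condition compares `$self->{'verify'}` with `eq` and no default, so if a source can exist without a verify setting this line will raise an uninitialized-value warning on every connect; `($self->{'verify'} // '') eq 'require'` keeps the same result without the noise. The hostname-preserving branch is keyed only on the SSL constant, yet the same reasoning applies to any STARTTLS-style mode this module may support with verification required, since resolving to IPs there also defeats SNI and hostname checking against the certificate — worth confirming against the module's other encryption constants. The added comment also misspells `certifcate`; it should read `certificate`. `_connect` starts and ends outside the hunk.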

