Set `Net::LDAP` `ssl_version` option

2 files changed, 31 insertions, 0 deletions

diff --git a/lib/gitlab/ldap/config.rb b/lib/gitlab/ldap/config.rb
index 983c79a6364..a48a485dffd 100644
--- a/lib/gitlab/ldap/config.rb
+++ b/lib/gitlab/ldap/config.rb
@@ -192,6 +192,7 @@ module Gitlab
                end
 
         opts[:ca_file] = options['ca_file'] if options['ca_file'].present?
+        opts[:ssl_version] = options['ssl_version'] if options['ssl_version'].present?
 
         opts
       end
diff --git a/spec/lib/gitlab/ldap/config_spec.rb b/spec/lib/gitlab/ldap/config_spec.rb
index 4544a38876c..e24c7d6b9a2 100644
--- a/spec/lib/gitlab/ldap/config_spec.rb
+++ b/spec/lib/gitlab/ldap/config_spec.rb
@@ -168,6 +168,36 @@ describe Gitlab::LDAP::Config, lib: true do
         expect(config.adapter_options[:encryption][:tls_options]).not_to have_key(:ca_file)
       end
     end
+
+    context 'when ssl_version is specified' do
+      it 'passes it through in tls_options' do
+        stub_ldap_config(
+          options: {
+            'host'                => 'ldap.example.com',
+            'port'                => 686,
+            'encryption'          => 'simple_tls',
+            'ssl_version'         => 'TLSv1_2'
+          }
+        )
+
+        expect(config.adapter_options[:encryption][:tls_options]).to include({ ssl_version: 'TLSv1_2' })
+      end
+    end
+
+    context 'when ssl_version is a blank string' do
+      it 'does not add the ssl_version key to tls_options' do
+        stub_ldap_config(
+          options: {
+            'host'                => 'ldap.example.com',
+            'port'                => 686,
+            'encryption'          => 'simple_tls',
+            'ssl_version'         => ' '
+          }
+        )
+
+        expect(config.adapter_options[:encryption][:tls_options]).not_to have_key(:ssl_version)
+      end
+    end
   end
 
   describe '#omniauth_options' do