Commit 8477e9e7 authored by Julien Tayon

[ldapfeed] add option to enable starttls on ldap servers

Modern ldap server connections often use, or even require, starttls.

branch : 3.26
parent 4ebfdf607b49
......@@ -118,6 +118,13 @@ to respond to rql queries). Leave empty for anonymous bind',
'help': 'additional filters to be set in the ldap query to find valid users',
'group': 'ldap-source', 'level': 2,
{'type': 'choice',
'choices': ('true', 'false'),
'default': 'false',
'help': 'Start tls on connection (before bind)',
'group': 'ldap-source', 'level': 1,
{'type' : 'string',
'default': 'uid',
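Review bot: the new option is typed as a two-value string `'choice'` with `'choices': ('true', 'false')`, which then has to be turned back into a boolean by string comparison later in this patch; if the configuration framework provides a yes/no option type, prefer it so the parsed value is a real bool and the two places cannot drift apart. The help text 'Start tls on connection (before bind)' should also say what the default `'false'` implies for an administrator: the bind DN and password are sent unencrypted unless the server address already uses TLS, which is the reason to enable this.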
......@@ -197,6 +204,7 @@ You can set multiple groups by separating them by a comma.',
self._authenticate = getattr(self, '_auth_%s' % self.authmode)
self.cnx_dn = typedconfig['data-cnx-dn']
self.cnx_pwd = typedconfig['data-cnx-password']
self.start_tls = typedconfig['start-tls'] == "true"
self.user_base_dn = str(typedconfig['user-base-dn'])
self.user_base_scope = LDAP_SCOPES[typedconfig['user-scope']]
self.user_login_attr = typedconfig['user-login-attr']
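Review bot: `typedconfig['start-tls'] == "true"` is a case-sensitive compare on a string and is only safe because the option definition restricts the value to the two listed choices, so any change to those choices must be mirrored here (or use a boolean option type and drop the comparison altogether). Style nit: the surrounding code uses single-quoted strings, so `"true"` should be `'true'`.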
......@@ -285,6 +293,8 @@ You can set multiple groups by separating them by a comma.',
server, client_strategy=ldap3.RESTARTABLE, auto_referrals=False,
if self.start_tls:
# Now bind with the credentials given. Let exceptions propagate out.
if user is None:
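Review bot: the body of the new `if self.start_tls:` block is not visible in this hunk, but whatever it calls must verify that TLS was actually negotiated before execution falls through to the bind below. The existing comment 'Let exceptions propagate out' does not cover this case: ldap3's `Connection.start_tls()` returns False rather than raising when the server refuses the StartTLS extended operation, unless the Connection was created with `raise_exceptions=True`, and the visible `Connection(...)` arguments (`client_strategy=ldap3.RESTARTABLE, auto_referrals=False`) do not include it. Suggest raising when the call returns False so a failed upgrade can never end in a plaintext bind with the configured credentials.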
......@@ -326,6 +336,9 @@ You can set multiple groups by separating them by a comma.',
if self._conn is None:
self._conn = self._connect()
ldapcnx = self._conn
if self.start_tls:
ldapcnx.start_tls()"ldap start_tls started for %s", self.uri)
if not, searchstr, search_scope=scope, attributes=set(attrs) - {'dn'}):
return []
result = []
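Review bot: `ldapcnx.start_tls()` is called here on every search over the cached `self._conn`, its return value is ignored, and the log line reports 'ldap start_tls started' unconditionally. If `_connect()` (previous hunk) already upgraded the connection this second call is redundant; if it did not, a False return leaves the search running over plaintext next to a log entry that says otherwise. Suggest starting TLS once in `_connect()`, checking the result there, and dropping this block, or at minimum guarding it with the connection's `tls_started` attribute and logging only after a successful upgrade.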
......@@ -83,6 +83,8 @@ LDAP server connection options:
* `data-cnx-password`, password to use to open data connection to the
ldap (eg used to respond to rql queries)
* `start-tls`, starting TLS before bind (valid values: "true", "false")
If the LDAP server accepts anonymous binds, then it is possible to
leave data-cnx-dn and data-cnx-password empty. This is, however, quite
unlikely in practice. Beware that the LDAP server might hide attributes
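Review bot: the `start-tls` entry should state the default ('false', per the option definition in this patch) and the consequence of leaving it off, since this is the paragraph an administrator reads when choosing a value: with "false" the data-cnx-dn/data-cnx-password bind described just above travels unencrypted unless the server address already uses TLS. A note that the server must support the StartTLS extended operation for the upgrade to succeed would also help.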