Commit f8b936b4 authored by Julien Tayon's avatar Julien Tayon
Browse files

[ldapfeed] add option to enable starttls on ldap servers

Modern ldap servers connection often use, or even require starttls.

--HG--
branch : 3.27
parent d18bd998852c
......@@ -112,6 +112,13 @@ to respond to rql queries). Leave empty for anonymous bind',
'help': 'additional filters to be set in the ldap query to find valid users',
'group': 'ldap-source', 'level': 2,
}),
('start-tls',
{'type': 'choice',
'choices': ('true', 'false'),
'default': 'false',
'help': 'Start tls on connection (before bind)',
'group': 'ldap-source', 'level': 1,
}),
('user-login-attr',
{'type': 'string',
'default': 'uid',
......@@ -191,6 +198,7 @@ You can set multiple groups by separating them by a comma.',
self._authenticate = getattr(self, '_auth_%s' % self.authmode)
self.cnx_dn = typedconfig['data-cnx-dn']
self.cnx_pwd = typedconfig['data-cnx-password']
self.start_tls = typedconfig['start-tls'] == "true"
self.user_base_dn = str(typedconfig['user-base-dn'])
self.user_base_scope = LDAP_SCOPES[typedconfig['user-scope']]
self.user_login_attr = typedconfig['user-login-attr']
......@@ -279,6 +287,8 @@ You can set multiple groups by separating them by a comma.',
server, client_strategy=ldap3.RESTARTABLE, auto_referrals=False,
raise_exceptions=True,
**kwargs)
if self.start_tls:
conn.start_tls()
# Now bind with the credentials given. Let exceptions propagate out.
if user is None:
......@@ -320,6 +330,9 @@ You can set multiple groups by separating them by a comma.',
if self._conn is None:
self._conn = self._connect()
ldapcnx = self._conn
if self.start_tls:
ldapcnx.start_tls()
self.info("ldap start_tls started for %s", self.uri)
if not ldapcnx.search(base, searchstr, search_scope=scope, attributes=set(attrs) - {'dn'}):
return []
result = []
......
......@@ -83,6 +83,8 @@ LDAP server connection options:
* `data-cnx-password`, password to use to open data connection to the
ldap (eg used to respond to rql queries)
* `start-tls`, starting TLS before bind (valid values: "true", "false")
If the LDAP server accepts anonymous binds, then it is possible to
leave data-cnx-dn and data-cnx-password empty. This is, however, quite
unlikely in practice. Beware that the LDAP server might hide attributes
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment