[PATCH 5 of 5 3.27] [ldapfeed] add option to enable starttls on ldap servers

Philippe Pepiot philippe.pepiot at logilab.fr
Wed Feb 26 16:14:28 CET 2020


# HG changeset patch
# User Julien Tayon <julien.tayon at logilab.fr>
# Date 1582669890 -3600
#      Tue Feb 25 23:31:30 2020 +0100
# Branch 3.27
# Node ID e6af21fdf8c4532507e6b9c807661770adbd3689
# Parent  d6efa58b3bf9e0e0a5b47a3a1e82837fab8a5371
# Available At https://hg.logilab.org/review/cubicweb
#              hg pull https://hg.logilab.org/review/cubicweb -r e6af21fdf8c4
[ldapfeed] add option to enable starttls on ldap servers

Modern LDAP server connections often use, or even require, STARTTLS.

diff --git a/cubicweb/server/sources/ldapfeed.py b/cubicweb/server/sources/ldapfeed.py
--- a/cubicweb/server/sources/ldapfeed.py
+++ b/cubicweb/server/sources/ldapfeed.py
@@ -112,6 +112,13 @@ to respond to rql queries). Leave empty 
           'help': 'additional filters to be set in the ldap query to find valid users',
           'group': 'ldap-source', 'level': 2,
           }),
+        ('start-tls',
+         {'type': 'choice',
+          'choices': ('true', 'false'),
+          'default': 'false',
+          'help': 'Start tls on connection (before bind)',
+          'group': 'ldap-source', 'level': 1,
+          }),
         ('user-login-attr',
          {'type': 'string',
           'default': 'uid',
@@ -191,6 +198,7 @@ You can set multiple groups by separatin
         self._authenticate = getattr(self, '_auth_%s' % self.authmode)
         self.cnx_dn = typedconfig['data-cnx-dn']
         self.cnx_pwd = typedconfig['data-cnx-password']
+        self.start_tls = typedconfig['start-tls'] == "true"
         self.user_base_dn = str(typedconfig['user-base-dn'])
         self.user_base_scope = LDAP_SCOPES[typedconfig['user-scope']]
         self.user_login_attr = typedconfig['user-login-attr']
@@ -279,6 +287,8 @@ You can set multiple groups by separatin
             server, client_strategy=ldap3.RESTARTABLE, auto_referrals=False,
             raise_exceptions=True,
             **kwargs)
+        if self.start_tls:
+            conn.start_tls()
 
         # Now bind with the credentials given. Let exceptions propagate out.
         if user is None:
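Review bot: The boolean returned by `conn.start_tls()` is discarded, so a StartTLS that does not complete still falls through to the bind below with the credentials sent in clear text; ldap3 returns False on some failure paths (e.g. when it declines to issue the operation) instead of raising, even with `raise_exceptions=True`. Consider `if not conn.start_tls(): raise ldap3.core.exceptions.LDAPStartTLSError("StartTLS failed for %s" % self.uri)` so the connection is never used unprotected when the option is on. Separately, nothing in this hunk shows how `server` is built; ldap3's default `Tls()` uses `validate=ssl.CERT_NONE`, so unless the Server is constructed elsewhere with `tls=ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=...)`, this STARTTLS encrypts the session without authenticating the peer — worth a comment here, `# NOTE: certificate validation depends on the Tls policy given to Server`, or a follow-up. The enclosing `_connect` method starts and ends outside the hunk.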
@@ -320,6 +330,9 @@ You can set multiple groups by separatin
         if self._conn is None:
             self._conn = self._connect()
         ldapcnx = self._conn
+        if self.start_tls:
+            ldapcnx.start_tls()
+            self.info("ldap start_tls started for %s", self.uri)
         if not ldapcnx.search(base, searchstr, search_scope=scope, attributes=set(attrs) - {'dn'}):
             return []
         result = []
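Review bot: The `ldapcnx.start_tls()` call in this hunk repeats the one that `_connect()` (presumably the method patched at line ~287) already issues before binding, because `ldapcnx` is the cached `self._conn` returned by `self._connect()` two lines above. A second StartTLS on a session that already carries TLS is rejected by the server (RFC 4511 operationsError) and ldap3 short-circuits to False when `tls_started` is set, so the call is at best a silent no-op and the info line is logged on every search. Either drop these three lines and rely on `_connect`, or, if a defensive check is wanted, gate it on the connection state: `if self.start_tls and not ldapcnx.tls_started:`. The enclosing method starts before the hunk.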
diff --git a/doc/book/admin/ldap.rst b/doc/book/admin/ldap.rst
--- a/doc/book/admin/ldap.rst
+++ b/doc/book/admin/ldap.rst
@@ -83,6 +83,8 @@ LDAP server connection options:
 * `data-cnx-password`, password to use to open data connection to the
   ldap (eg used to respond to rql queries)
 
+* `start-tls`, starting TLS before bind (valid values: "true", "false")
+
 If the LDAP server accepts anonymous binds, then it is possible to
 leave data-cnx-dn and data-cnx-password empty. This is, however, quite
 unlikely in practice. Beware that the LDAP server might hide attributes



