[PATCH 5 of 5 3.27] [ldapfeed] add option to enable starttls on ldap servers

Nicola Spanti nicola.spanti at logilab.fr
Thu Feb 27 11:03:45 CET 2020


The stack looks good to me, but nchauvat proposed a change on patch 3
and I did not test it either.

Le 26/02/2020 à 16:14, Philippe Pepiot a écrit :
> # HG changeset patch
> # User Julien Tayon <julien.tayon at logilab.fr>
> # Date 1582669890 -3600
> #      Tue Feb 25 23:31:30 2020 +0100
> # Branch 3.27
> # Node ID e6af21fdf8c4532507e6b9c807661770adbd3689
> # Parent  d6efa58b3bf9e0e0a5b47a3a1e82837fab8a5371
> # Available At https://hg.logilab.org/review/cubicweb
> #              hg pull https://hg.logilab.org/review/cubicweb -r e6af21fdf8c4
> [ldapfeed] add option to enable starttls on ldap servers
> 
> Modern ldap servers connection often use, or even require starttls.
> 
> diff --git a/cubicweb/server/sources/ldapfeed.py b/cubicweb/server/sources/ldapfeed.py
> --- a/cubicweb/server/sources/ldapfeed.py
> +++ b/cubicweb/server/sources/ldapfeed.py
> @@ -112,6 +112,13 @@ to respond to rql queries). Leave empty
>             'help': 'additional filters to be set in the ldap query to find valid users',
>             'group': 'ldap-source', 'level': 2,
>             }),
> +        ('start-tls',
> +         {'type': 'choice',
> +          'choices': ('true', 'false'),
> +          'default': 'false',
> +          'help': 'Start tls on connection (before bind)',
> +          'group': 'ldap-source', 'level': 1,
> +          }),
>           ('user-login-attr',
>            {'type': 'string',
>             'default': 'uid',
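Review bot: the new `start-tls` option is declared as a `'choice'` between the strings `'true'` and `'false'`, which is why the later hunk has to compare `typedconfig['start-tls'] == "true"` by hand. If the configuration layer offers a boolean/yes-no option type, declaring it that way would make `typedconfig['start-tls']` a real bool and remove the string comparison; otherwise at least document in the help text that only the lowercase literals `true`/`false` are accepted. The help string `'Start tls on connection (before bind)'` is also the only place the default is not visible; mentioning that it defaults to off (cleartext bind) helps an administrator reading `--help` output.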
> @@ -191,6 +198,7 @@ You can set multiple groups by separatin
>           self._authenticate = getattr(self, '_auth_%s' % self.authmode)
>           self.cnx_dn = typedconfig['data-cnx-dn']
>           self.cnx_pwd = typedconfig['data-cnx-password']
> +        self.start_tls = typedconfig['start-tls'] == "true"
>           self.user_base_dn = str(typedconfig['user-base-dn'])
>           self.user_base_scope = LDAP_SCOPES[typedconfig['user-scope']]
>           self.user_login_attr = typedconfig['user-login-attr']
> @@ -279,6 +287,8 @@ You can set multiple groups by separatin
>               server, client_strategy=ldap3.RESTARTABLE, auto_referrals=False,
>               raise_exceptions=True,
>               **kwargs)
> +        if self.start_tls:
> +            conn.start_tls()
>   
>           # Now bind with the credentials given. Let exceptions propagate out.
>           if user is None:
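Review bot: the return value of `conn.start_tls()` is not checked before the bind that follows it. In ldap3, `Connection.start_tls()` returns a boolean and does not necessarily raise when the StartTLS exchange or the handshake fails, even with `raise_exceptions=True`; if it returns False the code continues and binds with `self.cnx_pwd` over the still-cleartext connection, silently defeating the option. Suggest something like `if self.start_tls and not conn.start_tls(): raise <suitable error>` (or log and abort the connect) so that `start-tls = true` is never downgraded to a plaintext bind.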
> @@ -320,6 +330,9 @@ You can set multiple groups by separatin
>           if self._conn is None:
>               self._conn = self._connect()
>           ldapcnx = self._conn
> +        if self.start_tls:
> +            ldapcnx.start_tls()
> +            self.info("ldap start_tls started for %s", self.uri)
>           if not ldapcnx.search(base, searchstr, search_scope=scope, attributes=set(attrs) - {'dn'}):
>               return []
>           result = []
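Review bot: this block calls `ldapcnx.start_tls()` on the cached `self._conn` on every search, but that connection comes from `self._connect()`, which in the previous hunk has already run `conn.start_tls()` right after creating it. A second StartTLS on a connection where TLS is already established is rejected by the server (RFC 4511 has the server answer `operationsError` in that case), so with `raise_exceptions=True` every search would fail, and at best it costs an extra round trip and an `info` log line per query. Drop this block (keeping the one in `_connect`, which runs before the bind) so TLS is started exactly once per connection.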
> diff --git a/doc/book/admin/ldap.rst b/doc/book/admin/ldap.rst
> --- a/doc/book/admin/ldap.rst
> +++ b/doc/book/admin/ldap.rst
> @@ -83,6 +83,8 @@ LDAP server connection options:
>   * `data-cnx-password`, password to use to open data connection to the
>     ldap (eg used to respond to rql queries)
>   
> +* `start-tls`, starting TLS before bind (valid values: "true", "false")
> +
>   If the LDAP server accepts anonymous binds, then it is possible to
>   leave data-cnx-dn and data-cnx-password empty. This is, however, quite
>   unlikely in practice. Beware that the LDAP server might hide attributes
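Review bot: the new `start-tls` entry should state the default (`"false"`) and make explicit that with the default the bind, including `data-cnx-password`, travels over the unencrypted connection, so administrators know the option must be enabled explicitly. It would also be worth saying that the option takes effect before the bind only when it actually succeeds, matching whatever failure handling the code ends up with.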
> 
