authorAndre Klausnitzer <klausnitzer@b1-systems.de>2015-08-10 17:51:12 +0300
committerStefan Hacker <dd0t@users.sourceforge.net>2016-03-06 18:36:58 +0300
commit5a227f4be04c3f0422e33a1b0b078bff854435e3 (patch)
treeac24b2301f148d4c3fd2085af70aebd834dcec91
parent8a578cb2ea8ed70ed9e5c7b7685795bc2311fd2f (diff)
StartTLS support without cert for LDAP authenticator
Fixes #11
-rw-r--r--Authenticators/LDAP/LDAPauth.ini7
-rw-r--r--Authenticators/LDAP/LDAPauth.py26
2 files changed, 29 insertions, 4 deletions
diff --git a/Authenticators/LDAP/LDAPauth.ini b/Authenticators/LDAP/LDAPauth.ini
index fee5b7d..a0b22f5 100644
--- a/Authenticators/LDAP/LDAPauth.ini
+++ b/Authenticators/LDAP/LDAPauth.ini
@@ -30,10 +30,13 @@ display_attr = displayName
group_cn = cn=mumble,ou=Groups,dc=example,dc=com
group_attr = uniqueMember
; Uncomment and set below to provide more info from LDAP
-; provide_info = true
+; provide_info = True
; mail_attr = mail
; Uncomment to provide list of registered users from LDAP
-; provide_users = true
+; provide_users = True
+
+; Uncomment to use StartTLS without cert check
+; use_start_tls = True
;Murmur configuration
[murmur]
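Review bot: The comment added as `; Uncomment to use StartTLS without cert check` understates what the option does: when it is set, LDAPauth.py configures `TLS_REQCERT = never`, so the connection is encrypted but the directory server's certificate is not verified at all. Say that plainly for the operator, e.g. `; Uncomment to use StartTLS. NOTE: the server certificate is NOT verified (TLS_REQCERT=never),` followed by `; so the session is encrypted but the server is not authenticated.` The `true` -> `True` edits on the two other commented lines are fine and need no change.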
diff --git a/Authenticators/LDAP/LDAPauth.py b/Authenticators/LDAP/LDAPauth.py
index 93f1277..d5e2146 100644
--- a/Authenticators/LDAP/LDAPauth.py
+++ b/Authenticators/LDAP/LDAPauth.py
@@ -144,7 +144,8 @@ default = { 'ldap':(('ldap_uri', str, 'ldap://127.0.0.1'),
('group_attr', str, 'member'),
('provide_info', x2bool, False),
('mail_attr', str, 'mail'),
- ('provide_users', x2bool, False)),
+ ('provide_users', x2bool, False),
+ ('use_start_tls', x2bool, False)),
'user':(('id_offset', int, 1000000000),
('reject_on_error', x2bool, True),
@@ -444,12 +445,33 @@ def do_main_program():
# Otherwise, let's check the LDAP server.
uid = None
- ldap_conn = ldap.initialize(cfg.ldap.ldap_uri, 0)
+
+ if cfg.ldap.use_start_tls:
+ # try StartTLS: global options
+ debug('use_start_tls is set, setting global option TLS_REQCERT = never')
+ ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
+
+ ldap_trace = 0 # Change to 1 for more verbose trace
+ ldap_conn = ldap.initialize(cfg.ldap.ldap_uri, ldap_trace)
+
+ if cfg.ldap.use_start_tls:
+ # try StartTLS: connection specific options
+ debug('use_start_tls is set, setting connection options X_TLS_*')
+ ldap_conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
+ ldap_conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
+ ldap_conn.set_option(ldap.OPT_X_TLS_DEMAND, True)
+ try:
+ ldap_conn.start_tls_s()
+ except Exception, e:
+ warning('could not initiate StartTLS, e = ' + str(e))
+ return (AUTH_REFUSED, None, None)
+
if cfg.ldap.bind_dn:
# Bind the functional account to search the directory.
bind_dn = cfg.ldap.bind_dn
bind_pass = cfg.ldap.bind_pass
try:
+ debug('try to connect to ldap (bind_dn will be used)')
ldap_conn.bind_s(bind_dn, bind_pass)
except ldap.INVALID_CREDENTIALS:
ldap_conn.unbind()
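Review bot: `ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)` disables server-certificate verification process-wide, so with `use_start_tls = True` the session is encrypted but the directory server is never authenticated, and the setting is re-applied on every authentication call because it sits in the per-request path. Keep encryption and verification as separate switches: only lower the requirement when an explicit opt-out is configured, e.g. `ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER if cfg.ldap.tls_skip_verify else ldap.OPT_X_TLS_DEMAND)` (`tls_skip_verify` is a constructed name that would need a default entry beside `use_start_tls`), and let operators supply a CA bundle via `ldap.OPT_X_TLS_CACERTFILE` for the strict default. `ldap_conn.set_option(ldap.OPT_X_TLS_DEMAND, True)` uses a value constant as an option key, so it presumably sets an unrelated option or raises, and as far as I recall python-ldap only honours per-connection `OPT_X_TLS_*` settings after `ldap_conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)`, so these lines should be checked against the library docs. The StartTLS failure path returns `(AUTH_REFUSED, None, None)` without `ldap_conn.unbind()`, unlike the bind-failure branch below. The enclosing function begins and ends outside this hunk.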