-rw-r--r-- | Authenticators/LDAP/LDAPauth.ini | 7 | ||||
-rw-r--r-- | Authenticators/LDAP/LDAPauth.py | 26 |
2 files changed, 29 insertions, 4 deletions
diff --git a/Authenticators/LDAP/LDAPauth.ini b/Authenticators/LDAP/LDAPauth.ini
index fee5b7d..a0b22f5 100644
--- a/Authenticators/LDAP/LDAPauth.ini
+++ b/Authenticators/LDAP/LDAPauth.ini
@@ -30,10 +30,13 @@
 display_attr = displayName
 group_cn = cn=mumble,ou=Groups,dc=example,dc=com
 group_attr = uniqueMember
 ; Uncomment and set below to provide more info from LDAP
-; provide_info = true
+; provide_info = True
 ; mail_attr = mail
 ; Uncomment to provide list of registered users from LDAP
-; provide_users = true
+; provide_users = True
+
+; Uncomment to use StartTLS without cert check
+; use_start_tls = True
 ;Murmur configuration
 [murmur]
diff --git a/Authenticators/LDAP/LDAPauth.py b/Authenticators/LDAP/LDAPauth.py
index 93f1277..d5e2146 100644
--- a/Authenticators/LDAP/LDAPauth.py
+++ b/Authenticators/LDAP/LDAPauth.py
@@ -144,7 +144,8 @@ default = {
           'ldap':(('ldap_uri', str, 'ldap://127.0.0.1'),
                   ('group_attr', str, 'member'),
                   ('provide_info', x2bool, False),
                   ('mail_attr', str, 'mail'),
-                  ('provide_users', x2bool, False)),
+                  ('provide_users', x2bool, False),
+                  ('use_start_tls', x2bool, False)),
           'user':(('id_offset', int, 1000000000),
                   ('reject_on_error', x2bool, True),
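Review bot: The new comment `; Uncomment to use StartTLS without cert check` understates the consequence of the setting: on the Python side use_start_tls sets TLS_REQCERT to never, so the LDAP server's certificate is not validated at all and the encrypted session gives no assurance about who is on the other end. Suggest making that explicit in the sample config, e.g. `; Uncomment to use StartTLS. Note: this disables server certificate verification (TLS_REQCERT = never); the LDAP server is encrypted to but not authenticated`. The ";Murmur configuration" line that follows is unchanged context, so nothing else in the hunk needs touching.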
@@ -444,12 +445,33 @@ def do_main_program():
             # Otherwise, let's check the LDAP server.
             uid = None
-            ldap_conn = ldap.initialize(cfg.ldap.ldap_uri, 0)
+
+            if cfg.ldap.use_start_tls:
+                # try StartTLS: global options
+                debug('use_start_tls is set, setting global option TLS_REQCERT = never')
+                ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
+
+            ldap_trace = 0 # Change to 1 for more verbose trace
+            ldap_conn = ldap.initialize(cfg.ldap.ldap_uri, ldap_trace)
+
+            if cfg.ldap.use_start_tls:
+                # try StartTLS: connection specific options
+                debug('use_start_tls is set, setting connection options X_TLS_*')
+                ldap_conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
+                ldap_conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
+                ldap_conn.set_option(ldap.OPT_X_TLS_DEMAND, True)
+                try:
+                    ldap_conn.start_tls_s()
+                except Exception, e:
+                    warning('could not initiate StartTLS, e = ' + str(e))
+                    return (AUTH_REFUSED, None, None)
+
             if cfg.ldap.bind_dn:
                 # Bind the functional account to search the directory.
                 bind_dn = cfg.ldap.bind_dn
                 bind_pass = cfg.ldap.bind_pass
                 try:
+                    debug('try to connect to ldap (bind_dn will be used)')
                     ldap_conn.bind_s(bind_dn, bind_pass)
                 except ldap.INVALID_CREDENTIALS:
                     ldap_conn.unbind()
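Review bot: `ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)` switches off server certificate verification process-wide, so with use_start_tls enabled the bind_pass and every user password that is later bound with are sent to whatever host answers at ldap_uri; certificate verification should be a separate, default-off knob (or a CA file via OPT_X_TLS_CACERTFILE) rather than an unavoidable side effect of enabling StartTLS, and the per-connection line should then be `ldap_conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)`. The existing `ldap_conn.set_option(ldap.OPT_X_TLS_DEMAND, True)` looks like a value constant passed where an option name belongs — presumably OPT_X_TLS_REQUIRE_CERT was intended; verify against python-ldap before relying on it. On the StartTLS failure path the handle is abandoned with `return (AUTH_REFUSED, None, None)` without `ldap_conn.unbind()`, unlike the INVALID_CREDENTIALS branch just below, and catching `Exception` rather than `ldap.LDAPError` will also mask programming errors as refused logins. do_main_program continues outside this hunk.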