
Diffstat (limited to 'Authenticators/LDAP/LDAPauth.py')
-rw-r--r--Authenticators/LDAP/LDAPauth.py26
1 files changed, 24 insertions, 2 deletions
diff --git a/Authenticators/LDAP/LDAPauth.py b/Authenticators/LDAP/LDAPauth.py
index 93f1277..d5e2146 100644
--- a/Authenticators/LDAP/LDAPauth.py
+++ b/Authenticators/LDAP/LDAPauth.py
@@ -144,7 +144,8 @@ default = { 'ldap':(('ldap_uri', str, 'ldap://127.0.0.1'),
('group_attr', str, 'member'),
('provide_info', x2bool, False),
('mail_attr', str, 'mail'),
- ('provide_users', x2bool, False)),
+ ('provide_users', x2bool, False),
+ ('use_start_tls', x2bool, False)),
'user':(('id_offset', int, 1000000000),
('reject_on_error', x2bool, True),
@@ -444,12 +445,33 @@ def do_main_program():
# Otherwise, let's check the LDAP server.
uid = None
- ldap_conn = ldap.initialize(cfg.ldap.ldap_uri, 0)
+
+ if cfg.ldap.use_start_tls:
+ # try StartTLS: global options
+ debug('use_start_tls is set, setting global option TLS_REQCERT = never')
+ ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
+
+ ldap_trace = 0 # Change to 1 for more verbose trace
+ ldap_conn = ldap.initialize(cfg.ldap.ldap_uri, ldap_trace)
+
+ if cfg.ldap.use_start_tls:
+ # try StartTLS: connection specific options
+ debug('use_start_tls is set, setting connection options X_TLS_*')
+ ldap_conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
+ ldap_conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
+ ldap_conn.set_option(ldap.OPT_X_TLS_DEMAND, True)
+ try:
+ ldap_conn.start_tls_s()
+ except Exception, e:
+ warning('could not initiate StartTLS, e = ' + str(e))
+ return (AUTH_REFUSED, None, None)
+
if cfg.ldap.bind_dn:
# Bind the functional account to search the directory.
bind_dn = cfg.ldap.bind_dn
bind_pass = cfg.ldap.bind_pass
try:
+ debug('try to connect to ldap (bind_dn will be used)')
ldap_conn.bind_s(bind_dn, bind_pass)
except ldap.INVALID_CREDENTIALS:
ldap_conn.unbind()
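Review bot: The `ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)` call at the top of the first `use_start_tls` branch disables server certificate verification process-wide, so the StartTLS session that follows is encrypted but unauthenticated: an on-path attacker who answers the StartTLS negotiation with any certificate receives `bind_pass` and every user password this authenticator later hands to `bind_s`. Verification should stay on by default — `ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)` plus a configurable CA file, e.g. `ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cfg.ldap.tls_cacertfile)` backed by a new `('tls_cacertfile', str, '')` entry in the `ldap` defaults — with `never` available only as an explicit opt-out value the operator has to set, and the debug line reworded to match. Separately, `ldap_conn.set_option(ldap.OPT_X_TLS_DEMAND, True)` passes a value constant where an option constant is expected and can be dropped, and since the neighbouring `OPT_X_TLS` connection option is the older per-connection TLS-level knob I would confirm against the python-ldap version in use that it does not itself override the require-cert setting. The `except Exception` path that returns `AUTH_REFUSED` after `start_tls_s()` fails also leaves the connection open, unlike the `INVALID_CREDENTIALS` path below which calls `ldap_conn.unbind()` first; `do_main_program` continues beyond this hunk.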