author | Maxim Devaev <[email protected]> | 2023-04-20 17:27:02 +0300 |
committer | Maxim Devaev <[email protected]> | 2023-04-20 17:27:02 +0300 |
commit | 5bb3488281b6503f3c27842aa2bf4e2c6676859b (patch) | |
tree | b7850931a61d37f07cd06b999b52b34995394183 | |
parent | 1209ddeb8dc342aa5591a8eb5c3d3468e2e976b2 (diff) |
ldap auth: tls support
-rw-r--r-- | kvmd/plugins/auth/ldap.py | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/kvmd/plugins/auth/ldap.py b/kvmd/plugins/auth/ldap.py
index 50eca9b6..255b7cba 100644
--- a/kvmd/plugins/auth/ldap.py
+++ b/kvmd/plugins/auth/ldap.py
@@ -25,6 +25,7 @@ import ldap
 from ...yamlconf import Option
 from ...validators.basic import valid_stripped_string_not_empty
+from ...validators.basic import valid_bool
 from ...validators.basic import valid_int_f1
 from ...logging import get_logger
@@ -40,6 +41,7 @@ class Plugin(BaseAuthService):
 def __init__( # pylint: disable=super-init-not-called
 self,
 url: str,
+ verify: bool,
 base: str,
 group: str,
 user_domain: str,
@@ -47,6 +49,7 @@ class Plugin(BaseAuthService):
 ) -> None:
 self.__url = url
+ self.__verify = verify
 self.__base = base
 self.__group = group
 self.__user_domain = user_domain
@@ -55,9 +58,10 @@ class Plugin(BaseAuthService):
 @classmethod
 def get_plugin_options(cls) -> dict:
 return {
- "url": Option("", type=valid_stripped_string_not_empty),
- "base": Option("", type=valid_stripped_string_not_empty),
- "group": Option("", type=valid_stripped_string_not_empty),
+ "url": Option("", type=valid_stripped_string_not_empty),
+ "verify": Option(True, type=valid_bool),
+ "base": Option("", type=valid_stripped_string_not_empty),
+ "group": Option("", type=valid_stripped_string_not_empty),
 "user_domain": Option(""),
 "timeout": Option(5, type=valid_int_f1),
 }
@@ -73,6 +77,12 @@ class Plugin(BaseAuthService):
 conn = ldap.initialize(self.__url)
 conn.set_option(ldap.OPT_REFERRALS, 0)
 conn.set_option(ldap.OPT_TIMEOUT, self.__timeout)
+ if self.__url.lower().startswith("ldaps://"):
+ conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
+ conn.set_option(ldap.OPT_X_TLS_DEMAND, True)
+ if not self.__verify:
+ conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
+ conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
 conn.simple_bind_s(user, passwd)
 for (dn, attrs) in (conn.search_st(
 base=self.__base,
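Review bot: When `verify` is true the last hunk never sets `OPT_X_TLS_REQUIRE_CERT`, so certificate checking on an `ldaps://` URL is left to the library default (the `TLS_REQCERT` setting picked up from ldap.conf) rather than being enforced by the plugin option; as written, the flag can only weaken verification, never guarantee it. `OPT_X_TLS_DEMAND` is also one of the values accepted by `OPT_X_TLS_REQUIRE_CERT` rather than an option key, so `conn.set_option(ldap.OPT_X_TLS_DEMAND, True)` most likely sets an unrelated option and should be dropped. Replacing the `OPT_X_TLS`/`OPT_X_TLS_DEMAND` pair and the inner `if` with `conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND if self.__verify else ldap.OPT_X_TLS_NEVER)` makes the option explicit in both directions, and keeping `conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)` as the final TLS line stays correct, since the preceding TLS options appear to apply only once a fresh context is created. Since `verify` has no effect for a plain `ldap://` URL, that is worth stating in the option's description in `get_plugin_options`. The enclosing method begins before this hunk and continues past it.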
@@ -85,8 +95,8 @@ class Plugin(BaseAuthService):
 return True
 except ldap.INVALID_CREDENTIALS:
 pass
- except ldap.SERVER_DOWN:
- get_logger().error("LDAP server is down")
+ except ldap.SERVER_DOWN as err:
+ get_logger().error("LDAP server is down: %s", tools.efmt(err))
 except Exception as err:
 get_logger().error("Unexpected LDAP error: %s", tools.efmt(err))
 finally:
|