ldaps WIP

bihealth · Mar 7, 2024 · c28b8ac · c28b8ac
1 parent 83f94d0
commit c28b8ac
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 4 deletions.
diff --git a/config/settings/base.py b/config/settings/base.py
@@ -326,16 +326,28 @@
     import ldap
     from django_auth_ldap.config import LDAPSearch
 
+    ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
+
     # Default values
     LDAP_DEFAULT_CONN_OPTIONS = {ldap.OPT_REFERRALS: 0}
     LDAP_DEFAULT_FILTERSTR = "(sAMAccountName=%(user)s)"
     LDAP_DEFAULT_ATTR_MAP = {"first_name": "givenName", "last_name": "sn", "email": "mail"}
 
     # Primary LDAP server
-    AUTH_LDAP_SERVER_URI = env.str("AUTH_LDAP_SERVER_URI", None)
-    AUTH_LDAP_BIND_DN = env.str("AUTH_LDAP_BIND_DN", None)
-    AUTH_LDAP_BIND_PASSWORD = env.str("AUTH_LDAP_BIND_PASSWORD", None)
-    AUTH_LDAP_CONNECTION_OPTIONS = LDAP_DEFAULT_CONN_OPTIONS
+    AUTH_LDAP_SERVER_URI = env.str('AUTH_LDAP_SERVER_URI', None)
+    AUTH_LDAP_BIND_DN = env.str('AUTH_LDAP_BIND_DN', None)
+    AUTH_LDAP_BIND_PASSWORD = env.str('AUTH_LDAP_BIND_PASSWORD', None)
+    AUTH_LDAP_START_TLS = env.str('AUTH_LDAP_START_TLS', False)
+    AUTH_LDAP_CA_CERT_FILE = env.str('AUTH_LDAP_CA_CERT_FILE', None)
+    AUTH_LDAP_CONNECTION_OPTIONS = {**LDAP_DEFAULT_CONN_OPTIONS}
+    if AUTH_LDAP_CA_CERT_FILE is not None:
+        AUTH_LDAP_CONNECTION_OPTIONS[
+            ldap.OPT_X_TLS_CACERTFILE
+        ] = AUTH_LDAP_CA_CERT_FILE
+        AUTH_LDAP_CONNECTION_OPTIONS[ldap.OPT_X_TLS_NEWCTX] = 0
+    AUTH_LDAP_USER_FILTER = env.str(
+        'AUTH_LDAP_USER_FILTER', '(sAMAccountName=%(user)s)'
+    )
 
     AUTH_LDAP_USER_SEARCH_BASE = env.str("AUTH_LDAP_USER_SEARCH_BASE", None)
     AUTH_LDAP_USER_SEARCH = LDAPSearch(

diff --git a/fileboxes/views.py b/fileboxes/views.py
@@ -269,6 +269,9 @@ def _form_valid_ldap(self, accounts):
             ldap_conn = ldap.initialize(settings.AUTH_LDAP_SERVER_URI)
             ldap_conn.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
             ldap_conn.set_option(ldap.OPT_TIMEOUT, 5)
+            ldap_conn.set_option(ldap.OPT_X_TLS_CACERTFILE, AUTH_LDAP_CA_CERT_FILE)
+            ldap_conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
+            ldap_conn.start_tls_s()
             ldap_conn.simple_bind_s(settings.AUTH_LDAP_BIND_DN, settings.AUTH_LDAP_BIND_PASSWORD)
             ldap_conns.append(
                 (settings.AUTH_LDAP_USERNAME_DOMAIN, settings.AUTH_LDAP_USER_SEARCH_BASE, ldap_conn)