oss/Radicale
oss/Radicale
1
0
Fork 0
mirror of https://github.com/Kozea/Radicale.git synced 2025-10-03 21:20:45 +00:00
Code Wiki Activity

LDAP auth: _login2: re-bind as user within same connection

Browse source 
Python's ldap module, which is modelled along OpenLDAP's API, allows us to
keep the connection and doing a new bind as a different user, superseding
the previous bind.
Use this to simplify the code and avoid duplication.
This commit is contained in:
Peter Marschall 2025-09-27 20:31:57 +02:00
parent 2d7a9b001c
commit 44c64d70f5
1 changed files with 0 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

23
radicale/auth/ldap.py
View file

@ -244,34 +244,11 @@ class Auth(auth.BaseAuth):
for dn, entry in res: for dn, entry in res:
groupDNs.append(dn) groupDNs.append(dn)
"""Close LDAP connection"""
conn.unbind()
except Exception as e: except Exception as e:
raise RuntimeError(f"Invalid LDAP configuration:{e}") raise RuntimeError(f"Invalid LDAP configuration:{e}")
try: try:
"""Bind as user to authenticate""" """Bind as user to authenticate"""
conn = self.ldap.initialize(self._ldap_uri)
conn.protocol_version = self.ldap.VERSION3
conn.set_option(self.ldap.OPT_REFERRALS, 0)
if self._ldap_security in ("tls", "starttls"):
"""certificate validation mode"""
if self._ldap_ssl_verify_mode == ssl.CERT_REQUIRED:
conn.set_option(self.ldap.OPT_X_TLS_REQUIRE_CERT, self.ldap.OPT_X_TLS_DEMAND)
elif self._ldap_ssl_verify_mode == ssl.CERT_OPTIONAL:
conn.set_option(self.ldap.OPT_X_TLS_REQUIRE_CERT, self.ldap.OPT_X_TLS_ALLOW)
else:
conn.set_option(self.ldap.OPT_X_TLS_REQUIRE_CERT, self.ldap.OPT_X_TLS_NONE)
"""CA file to validate certificate against"""
if self._ldap_ssl_ca_file:
conn.set_option(self.ldap.OPT_X_TLS_CACERTFILE, self._ldap_ssl_ca_file)
"""create TLS context- this must be the last TLS setting"""
conn.set_option(self.ldap.OPT_X_TLS_NEWCTX, self.ldap.OPT_ON)
if self._ldap_security == "starttls":
conn.start_tls_s()
conn.simple_bind_s(user_dn, password) conn.simple_bind_s(user_dn, password)
if self._ldap_user_attr: if self._ldap_user_attr:
if user_entry[1][self._ldap_user_attr]: if user_entry[1][self._ldap_user_attr]: