From b805393bd9230b74fe1a8862e59ce263eb8f5df3 Mon Sep 17 00:00:00 2001 From: gajus Date: Mon, 21 Apr 2025 21:26:58 +0200 Subject: [PATCH] Standardize LDAP security configuration naming --- DOCUMENTATION.md | 8 ++++---- config | 8 ++++---- radicale/auth/ldap.py | 28 ++++++++++++++-------------- radicale/config.py | 8 ++++---- 4 files changed, 26 insertions(+), 26 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index bd31773b..19304fd9 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1045,13 +1045,13 @@ Default: (unset) _(>= 3.3.0)_ -Use ssl on the ldap connection (soon to be deprecated, use ldap_encryption instead) +Use ssl on the ldap connection (soon to be deprecated, use ldap_security instead) -##### ldap_encryption +##### ldap_security _(>= 3.5.2)_ -Use encryption on the ldap connection. none, ssl, start_tls +Use encryption on the ldap connection. none, tls, starttls Default: none @@ -1059,7 +1059,7 @@ Default: none _(>= 3.3.0)_ -The certificate verification mode. Works for ssl and start_tls. NONE, OPTIONAL or REQUIRED +The certificate verification mode. Works for tls and starttls. NONE, OPTIONAL or REQUIRED Default: REQUIRED diff --git a/config b/config index dbab07bd..0c926c7b 100644 --- a/config +++ b/config @@ -102,13 +102,13 @@ #ldap_user_attribute = cn # Use ssl on the ldap connection -# Soon to be deprecated, use ldap_encryption instead +# Soon to be deprecated, use ldap_security instead #ldap_use_ssl = False -# the encryption mode to be used: ssl, start_tls, default is none -#ldap_encryption = none +# the encryption mode to be used: tls, starttls, default is none +#ldap_security = none -# The certificate verification mode. Works for ssl and start_tls. NONE, OPTIONAL, default is REQUIRED +# The certificate verification mode. Works for ssl and starttls. NONE, OPTIONAL, default is REQUIRED #ldap_ssl_verify_mode = REQUIRED # The path to the CA file in pem format which is used to certificate the server certificate diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 7d90e4ff..3ca4ddb3 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -27,8 +27,8 @@ Following parameters are needed in the configuration: ldap_groups_attribute The attribute containing group memberships in the LDAP user entry Following parameters controls SSL connections: ldap_use_ssl If ssl encryption should be used (to be deprecated) - ldap_encryption The encryption mode to be used: *none*|ssl|start_tls - ldap_ssl_verify_mode The certificate verification mode. Works for ssl and start_tls. NONE, OPTIONAL, default is REQUIRED + ldap_security The encryption mode to be used: *none*|tls|starttls + ldap_ssl_verify_mode The certificate verification mode. Works for tls and starttls. NONE, OPTIONAL, default is REQUIRED ldap_ssl_ca_file """ @@ -49,7 +49,7 @@ class Auth(auth.BaseAuth): _ldap_groups_attr: str _ldap_module_version: int = 3 _ldap_use_ssl: bool = False - _ldap_encryption: str = "none" + _ldap_security: str = "none" _ldap_ssl_verify_mode: int = ssl.CERT_REQUIRED _ldap_ssl_ca_file: str = "" @@ -84,12 +84,12 @@ class Auth(auth.BaseAuth): self._ldap_secret = file.read().rstrip('\n') if self._ldap_module_version == 3: self._ldap_use_ssl = configuration.get("auth", "ldap_use_ssl") - self._ldap_encryption = configuration.get("auth", "ldap_encryption") - self._use_encryption = self._ldap_use_ssl or self._ldap_encryption in ("ssl", "start_tls") - if self._ldap_use_ssl and self._ldap_encryption == "start_tls": - raise RuntimeError("Cannot set both 'ldap_use_ssl = True' and 'ldap_encryption' = 'start_tls'") + self._ldap_security = configuration.get("auth", "ldap_security") + self._use_encryption = self._ldap_use_ssl or self._ldap_security in ("tls", "starttls") + if self._ldap_use_ssl and self._ldap_security == "starttls": + raise RuntimeError("Cannot set both 'ldap_use_ssl = True' and 'ldap_security' = 'starttls'") if self._ldap_use_ssl: - logger.warning("Configuration uses soon to be deprecated 'ldap_use_ssl', use 'ldap_encryption' ('none', 'ssl', 'start_tls') instead.") + logger.warning("Configuration uses soon to be deprecated 'ldap_use_ssl', use 'ldap_security' ('none', 'tls', 'starttls') instead.") if self._use_encryption: self._ldap_ssl_ca_file = configuration.get("auth", "ldap_ssl_ca_file") tmp = configuration.get("auth", "ldap_ssl_verify_mode") @@ -122,7 +122,7 @@ class Auth(auth.BaseAuth): logger.error("auth.ldap_secret : (not provided)") raise RuntimeError("LDAP authentication requires ldap_secret for ldap_reader_dn") logger.info("auth.ldap_use_ssl : %s" % self._ldap_use_ssl) - logger.info("auth.ldap_encryption : %s" % self._ldap_encryption) + logger.info("auth.ldap_security : %s" % self._ldap_security) if self._use_encryption: logger.info("auth.ldap_ssl_verify_mode : %s" % self._ldap_ssl_verify_mode) if self._ldap_ssl_ca_file: @@ -206,7 +206,7 @@ class Auth(auth.BaseAuth): validate=self._ldap_ssl_verify_mode, ca_certs_file=self._ldap_ssl_ca_file ) - if self._ldap_use_ssl or self._ldap_encryption == "ssl": + if self._ldap_use_ssl or self._ldap_security == "tls": logger.debug("_login3 using ssl (reader)") server = self.ldap3.Server(self._ldap_uri, use_ssl=True, tls=tls) else: @@ -216,8 +216,8 @@ class Auth(auth.BaseAuth): server = self.ldap3.Server(self._ldap_uri) try: conn = self.ldap3.Connection(server, self._ldap_reader_dn, password=self._ldap_secret, auto_bind=False, raise_exceptions=True) - if self._ldap_encryption == "start_tls": - logger.debug("_login3 using start_tls (reader)") + if self._ldap_security == "starttls": + logger.debug("_login3 using starttls (reader)") conn.start_tls() except self.ldap3.core.exceptions.LDAPStartTLSError as e: raise RuntimeError(f"_login3 StartTLS Error: {e}") @@ -252,8 +252,8 @@ class Auth(auth.BaseAuth): """Try to bind as the user itself""" try: conn = self.ldap3.Connection(server, user_dn, password=password, auto_bind=False) - if self._ldap_encryption == "start_tls": - logger.debug("_login3 using start_tls (user)") + if self._ldap_security == "starttls": + logger.debug("_login3 using starttls (user)") conn.start_tls() except self.ldap3.core.exceptions.LDAPStartTLSError as e: raise RuntimeError(f"_login3 StartTLS Error: {e}") diff --git a/radicale/config.py b/radicale/config.py index 51ed729a..cb2285c3 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -297,15 +297,15 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "type": str}), ("ldap_use_ssl", { "value": "False", - "help": "Use ssl on the ldap connection. Soon to be deprecated, use ldap_encryption instead", + "help": "Use ssl on the ldap connection. Soon to be deprecated, use ldap_security instead", "type": bool}), - ("ldap_encryption", { + ("ldap_security", { "value": "none", - "help": "the encryption mode to be used: *none*|ssl|start_tls", + "help": "the encryption mode to be used: *none*|tls|starttls", "type": str}), ("ldap_ssl_verify_mode", { "value": "REQUIRED", - "help": "The certificate verification mode. Works for ssl and start_tls. NONE, OPTIONAL, default is REQUIRED", + "help": "The certificate verification mode. Works for tls and starttls. NONE, OPTIONAL, default is REQUIRED", "type": str}), ("ldap_ssl_ca_file", { "value": "",