oss/Radicale
oss/Radicale
1
0
Fork 0
mirror of https://github.com/Kozea/Radicale.git synced 2025-06-26 16:45:52 +00:00
Code Wiki Activity

Standardize LDAP security configuration naming

Browse source
This commit is contained in:
gajus 2025-04-21 21:26:58 +02:00
parent e6f0d7f48b
commit b805393bd9
4 changed files with 26 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

28
radicale/auth/ldap.py
View file

@ -27,8 +27,8 @@ Following parameters are needed in the configuration:
ldap_groups_attribute The attribute containing group memberships in the LDAP user entry
Following parameters controls SSL connections:
ldap_use_ssl If ssl encryption should be used (to be deprecated)
ldap_encryption The encryption mode to be used: *none*|ssl|start_tls
ldap_ssl_verify_mode The certificate verification mode. Works for ssl and start_tls. NONE, OPTIONAL, default is REQUIRED
ldap_security The encryption mode to be used: *none*|tls|starttls
ldap_ssl_verify_mode The certificate verification mode. Works for tls and starttls. NONE, OPTIONAL, default is REQUIRED
ldap_ssl_ca_file
"""
@ -49,7 +49,7 @@ class Auth(auth.BaseAuth):
_ldap_groups_attr: str
_ldap_module_version: int = 3
_ldap_use_ssl: bool = False
_ldap_encryption: str = "none"
_ldap_security: str = "none"
_ldap_ssl_verify_mode: int = ssl.CERT_REQUIRED
_ldap_ssl_ca_file: str = ""
@ -84,12 +84,12 @@ class Auth(auth.BaseAuth):
self._ldap_secret = file.read().rstrip('\n')
if self._ldap_module_version == 3:
self._ldap_use_ssl = configuration.get("auth", "ldap_use_ssl")
self._ldap_encryption = configuration.get("auth", "ldap_encryption")
self._use_encryption = self._ldap_use_ssl or self._ldap_encryption in ("ssl", "start_tls")
if self._ldap_use_ssl and self._ldap_encryption == "start_tls":
raise RuntimeError("Cannot set both 'ldap_use_ssl = True' and 'ldap_encryption' = 'start_tls'")
self._ldap_security = configuration.get("auth", "ldap_security")
self._use_encryption = self._ldap_use_ssl or self._ldap_security in ("tls", "starttls")
if self._ldap_use_ssl and self._ldap_security == "starttls":
raise RuntimeError("Cannot set both 'ldap_use_ssl = True' and 'ldap_security' = 'starttls'")
if self._ldap_use_ssl:
logger.warning("Configuration uses soon to be deprecated 'ldap_use_ssl', use 'ldap_encryption' ('none', 'ssl', 'start_tls') instead.")
logger.warning("Configuration uses soon to be deprecated 'ldap_use_ssl', use 'ldap_security' ('none', 'tls', 'starttls') instead.")
if self._use_encryption:
self._ldap_ssl_ca_file = configuration.get("auth", "ldap_ssl_ca_file")
tmp = configuration.get("auth", "ldap_ssl_verify_mode")
@ -122,7 +122,7 @@ class Auth(auth.BaseAuth):
logger.error("auth.ldap_secret : (not provided)")
raise RuntimeError("LDAP authentication requires ldap_secret for ldap_reader_dn")
logger.info("auth.ldap_use_ssl : %s" % self._ldap_use_ssl)
logger.info("auth.ldap_encryption : %s" % self._ldap_encryption)
logger.info("auth.ldap_security : %s" % self._ldap_security)
if self._use_encryption:
logger.info("auth.ldap_ssl_verify_mode : %s" % self._ldap_ssl_verify_mode)
if self._ldap_ssl_ca_file:
@ -206,7 +206,7 @@ class Auth(auth.BaseAuth):
validate=self._ldap_ssl_verify_mode,
ca_certs_file=self._ldap_ssl_ca_file
)
if self._ldap_use_ssl or self._ldap_encryption == "ssl":
if self._ldap_use_ssl or self._ldap_security == "tls":
logger.debug("_login3 using ssl (reader)")
server = self.ldap3.Server(self._ldap_uri, use_ssl=True, tls=tls)
else:
@ -216,8 +216,8 @@ class Auth(auth.BaseAuth):
server = self.ldap3.Server(self._ldap_uri)
try:
conn = self.ldap3.Connection(server, self._ldap_reader_dn, password=self._ldap_secret, auto_bind=False, raise_exceptions=True)
if self._ldap_encryption == "start_tls":
logger.debug("_login3 using start_tls (reader)")
if self._ldap_security == "starttls":
logger.debug("_login3 using starttls (reader)")
conn.start_tls()
except self.ldap3.core.exceptions.LDAPStartTLSError as e:
raise RuntimeError(f"_login3 StartTLS Error: {e}")
@ -252,8 +252,8 @@ class Auth(auth.BaseAuth):
"""Try to bind as the user itself"""
try:
conn = self.ldap3.Connection(server, user_dn, password=password, auto_bind=False)
if self._ldap_encryption == "start_tls":
logger.debug("_login3 using start_tls (user)")
if self._ldap_security == "starttls":
logger.debug("_login3 using starttls (user)")
conn.start_tls()
except self.ldap3.core.exceptions.LDAPStartTLSError as e:
raise RuntimeError(f"_login3 StartTLS Error: {e}")

8
radicale/config.py
View file

@ -297,15 +297,15 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([
"type": str}),
("ldap_use_ssl", {
"value": "False",
"help": "Use ssl on the ldap connection. Soon to be deprecated, use ldap_encryption instead",
"help": "Use ssl on the ldap connection. Soon to be deprecated, use ldap_security instead",
"type": bool}),
("ldap_encryption", {
("ldap_security", {
"value": "none",
"help": "the encryption mode to be used: *none*|ssl|start_tls",
"help": "the encryption mode to be used: *none*|tls|starttls",
"type": str}),
("ldap_ssl_verify_mode", {
"value": "REQUIRED",
"help": "The certificate verification mode. Works for ssl and start_tls. NONE, OPTIONAL, default is REQUIRED",
"help": "The certificate verification mode. Works for tls and starttls. NONE, OPTIONAL, default is REQUIRED",
"type": str}),
("ldap_ssl_ca_file", {
"value": "",