
LDAP auth: re-factor handling of 'ldap_ssl_verify_mode'

* treat 'ldap_ssl_verify_mode' as string
* perform check for accepted values; fail on illegal ones
* translate to the values needed by the respective LDAP module
  when doing the login, based on a module-specific dictionary
This commit is contained in:
Peter Marschall 2025-09-28 12:31:10 +02:00
parent 7df4c070e1
commit bcba53ed8d


@ -68,7 +68,7 @@ class Auth(auth.BaseAuth):
_ldap_group_members_attr: str
_ldap_module_version: int = 3
_ldap_security: str = "none"
_ldap_ssl_verify_mode: int = ssl.CERT_REQUIRED
_ldap_ssl_verify_mode: str = "REQUIRED"
_ldap_ssl_ca_file: str = ""
def __init__(self, configuration: config.Configuration) -> None:
@ -112,19 +112,15 @@ class Auth(auth.BaseAuth):
logger.warning("Update configuration: set 'ldap_security = tls' instead of deprecated 'ldap_use_ssl = True'")
self._ldap_security = "tls"
self._ldap_ssl_ca_file = configuration.get("auth", "ldap_ssl_ca_file")
tmp = configuration.get("auth", "ldap_ssl_verify_mode")
if tmp == "NONE":
self._ldap_ssl_verify_mode = ssl.CERT_NONE
elif tmp == "OPTIONAL":
self._ldap_ssl_verify_mode = ssl.CERT_OPTIONAL
elif tmp != "REQUIRED":
self._ldap_ssl_verify_mode = configuration.get("auth", "ldap_ssl_verify_mode")
if self._ldap_ssl_verify_mode not in ("NONE", "OPTIONAL", "REQUIRED"):
raise RuntimeError("Illegal value for config setting ´ldap_ssl_verify_mode'")
if self._ldap_uri.lower().startswith("ldaps://") and self._ldap_security not in ("tls", "starttls"):
logger.info("Inferring 'ldap_security' = tls from 'ldap_uri' starting with 'ldaps://'")
self._ldap_security = "tls"
if self._ldap_ssl_ca_file == "" and self._ldap_ssl_verify_mode != ssl.CERT_NONE and self._ldap_security in ("tls", "starttls"):
if self._ldap_ssl_ca_file == "" and self._ldap_ssl_verify_mode != "NONE" and self._ldap_security in ("tls", "starttls"):
logger.warning("Certificate verification not possible: 'ldap_ssl_ca_file' not set")
if self._ldap_ssl_ca_file and self._ldap_security not in ("tls", "starttls"):
logger.warning("Config setting 'ldap_ssl_ca_file' useless without encrypted LDAP connection")
@ -191,12 +187,10 @@ class Auth(auth.BaseAuth):
if self._ldap_security in ("tls", "starttls"):
"""certificate validation mode"""
if self._ldap_ssl_verify_mode == ssl.CERT_REQUIRED:
conn.set_option(self.ldap.OPT_X_TLS_REQUIRE_CERT, self.ldap.OPT_X_TLS_DEMAND)
elif self._ldap_ssl_verify_mode == ssl.CERT_OPTIONAL:
conn.set_option(self.ldap.OPT_X_TLS_REQUIRE_CERT, self.ldap.OPT_X_TLS_ALLOW)
else:
conn.set_option(self.ldap.OPT_X_TLS_REQUIRE_CERT, self.ldap.OPT_X_TLS_NONE)
verifyMode = {"NONE": self.ldap.OPT_X_TLS_NEVER,
"OPTIONAL": self.ldap.OPT_X_TLS_ALLOW,
"REQUIRED": self.ldap.OPT_X_TLS_DEMAND}
conn.set_option(self.ldap.OPT_X_TLS_REQUIRE_CERT, verifyMode[self._ldap_ssl_verify_mode])
"""CA file to validate certificate against"""
if self._ldap_ssl_ca_file:
conn.set_option(self.ldap.OPT_X_TLS_CACERTFILE, self._ldap_ssl_ca_file)
@ -288,12 +282,12 @@ class Auth(auth.BaseAuth):
logger.debug(f"_login3 {self._ldap_uri}, {self._ldap_reader_dn}")
if self._ldap_security in ("tls", "starttls"):
logger.debug("_login3 using encryption (reader)")
tls = self.ldap3.Tls(validate=self._ldap_ssl_verify_mode)
verifyMode = {"NONE": ssl.CERT_NONE,
"OPTIONAL": ssl.CERT_OPTIONAL,
"REQUIRED": ssl.CERT_REQUIRED}
tls = self.ldap3.Tls(validate=verifyMode[self._ldap_ssl_verify_mode])
if self._ldap_ssl_ca_file != "":
tls = self.ldap3.Tls(
validate=self._ldap_ssl_verify_mode,
ca_certs_file=self._ldap_ssl_ca_file
)
tls = self.ldap3.Tls(validate=verifyMode[self._ldap_ssl_verify_mode], ca_certs_file=self._ldap_ssl_ca_file)
if self._ldap_security == "tls":
logger.debug("_login3 using ssl (reader)")
server = self.ldap3.Server(self._ldap_uri, use_ssl=True, tls=tls)
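Review bot: The error message added in the second hunk opens the setting name with an acute accent and closes it with an apostrophe (`´ldap_ssl_verify_mode'`); it should read `raise RuntimeError("Illegal value for config setting 'ldap_ssl_verify_mode'")` to match the quoting used by the other log messages in that hunk. The `verifyMode` lookup tables in the third and fourth hunks are rebuilt on every login and use a camelCase local where the rest of this file is snake_case; naming them `verify_mode`, or making them class attributes so the accepted-value check in the second hunk can be derived from the same table, keeps the three places that enumerate NONE/OPTIONAL/REQUIRED from drifting apart. For the python-ldap path in the third hunk, per-connection `OPT_X_TLS_*` settings only take effect once `OPT_X_TLS_NEWCTX` is set afterwards; if the code following the hunk does not do that, the `OPT_X_TLS_REQUIRE_CERT` value chosen here is silently ignored, which deserves a comment such as `# OPT_X_TLS_NEWCTX must be set after these options for them to apply`. The enclosing `_login2`/`_login3` bodies continue outside the hunks.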