oss/Radicale
oss/Radicale
1
0
Fork 0
mirror of https://github.com/Kozea/Radicale.git synced 2025-06-26 16:45:52 +00:00
Code Wiki Activity

Merge pull request #1762 from imgajus/add-starttls-support

Browse source 
Add LDAP start_tls support
This commit is contained in:
Peter Bieringer 2025-04-21 22:36:00 +02:00 committed by GitHub
commit e15b9ae02a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 57 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

12
DOCUMENTATION.md
View file

@ -1045,15 +1045,21 @@ Default: (unset)
_(>= 3.3.0)_
Use ssl on the ldap connection
Use ssl on the ldap connection (soon to be deprecated, use ldap_security instead)
Default: False
##### ldap_security
_(>= 3.5.2)_
Use encryption on the ldap connection. none, tls, starttls
Default: none
##### ldap_ssl_verify_mode
_(>= 3.3.0)_
The certificate verification mode. NONE, OPTIONAL or REQUIRED
The certificate verification mode. Works for tls and starttls. NONE, OPTIONAL or REQUIRED
Default: REQUIRED

6
config
View file

@ -102,9 +102,13 @@
#ldap_user_attribute = cn
# Use ssl on the ldap connection
# Soon to be deprecated, use ldap_security instead
#ldap_use_ssl = False
# The certificate verification mode. NONE, OPTIONAL, default is REQUIRED
# the encryption mode to be used: tls, starttls, default is none
#ldap_security = none
# The certificate verification mode. Works for ssl and starttls. NONE, OPTIONAL, default is REQUIRED
#ldap_ssl_verify_mode = REQUIRED
# The path to the CA file in pem format which is used to certificate the server certificate

48
radicale/auth/ldap.py
View file

@ -26,8 +26,9 @@ Following parameters are needed in the configuration:
ldap_user_attribute The attribute to be used as username after authentication
ldap_groups_attribute The attribute containing group memberships in the LDAP user entry
Following parameters controls SSL connections:
ldap_use_ssl If the connection
ldap_ssl_verify_mode The certificate verification mode. NONE, OPTIONAL, default is REQUIRED
ldap_use_ssl If ssl encryption should be used (to be deprecated)
ldap_security The encryption mode to be used: *none*|tls|starttls
ldap_ssl_verify_mode The certificate verification mode. Works for tls and starttls. NONE, OPTIONAL, default is REQUIRED
ldap_ssl_ca_file
"""
@ -48,6 +49,7 @@ class Auth(auth.BaseAuth):
_ldap_groups_attr: str
_ldap_module_version: int = 3
_ldap_use_ssl: bool = False
_ldap_security: str = "none"
_ldap_ssl_verify_mode: int = ssl.CERT_REQUIRED
_ldap_ssl_ca_file: str = ""
@ -82,13 +84,20 @@ class Auth(auth.BaseAuth):
self._ldap_secret = file.read().rstrip('\n')
if self._ldap_module_version == 3:
self._ldap_use_ssl = configuration.get("auth", "ldap_use_ssl")
self._ldap_security = configuration.get("auth", "ldap_security")
self._use_encryption = self._ldap_use_ssl or self._ldap_security in ("tls", "starttls")
if self._ldap_use_ssl and self._ldap_security == "starttls":
raise RuntimeError("Cannot set both 'ldap_use_ssl = True' and 'ldap_security' = 'starttls'")
if self._ldap_use_ssl:
logger.warning("Configuration uses soon to be deprecated 'ldap_use_ssl', use 'ldap_security' ('none', 'tls', 'starttls') instead.")
if self._use_encryption:
self._ldap_ssl_ca_file = configuration.get("auth", "ldap_ssl_ca_file")
tmp = configuration.get("auth", "ldap_ssl_verify_mode")
if tmp == "NONE":
self._ldap_ssl_verify_mode = ssl.CERT_NONE
elif tmp == "OPTIONAL":
self._ldap_ssl_verify_mode = ssl.CERT_OPTIONAL
logger.info("auth.ldap_uri : %r" % self._ldap_uri)
logger.info("auth.ldap_base : %r" % self._ldap_base)
logger.info("auth.ldap_reader_dn : %r" % self._ldap_reader_dn)
@ -113,7 +122,8 @@ class Auth(auth.BaseAuth):
logger.error("auth.ldap_secret : (not provided)")
raise RuntimeError("LDAP authentication requires ldap_secret for ldap_reader_dn")
logger.info("auth.ldap_use_ssl : %s" % self._ldap_use_ssl)
if self._ldap_use_ssl is True:
logger.info("auth.ldap_security : %s" % self._ldap_security)
if self._use_encryption:
logger.info("auth.ldap_ssl_verify_mode : %s" % self._ldap_ssl_verify_mode)
if self._ldap_ssl_ca_file:
logger.info("auth.ldap_ssl_ca_file : %r" % self._ldap_ssl_ca_file)
@ -188,27 +198,37 @@ class Auth(auth.BaseAuth):
"""Connect the server"""
try:
logger.debug(f"_login3 {self._ldap_uri}, {self._ldap_reader_dn}")
if self._ldap_use_ssl:
if self._use_encryption:
logger.debug("_login3 using encryption (reader)")
tls = self.ldap3.Tls(validate=self._ldap_ssl_verify_mode)
if self._ldap_ssl_ca_file != "":
tls = self.ldap3.Tls(
validate=self._ldap_ssl_verify_mode,
ca_certs_file=self._ldap_ssl_ca_file
)
server = self.ldap3.Server(self._ldap_uri, use_ssl=True, tls=tls)
if self._ldap_use_ssl or self._ldap_security == "tls":
logger.debug("_login3 using ssl (reader)")
server = self.ldap3.Server(self._ldap_uri, use_ssl=True, tls=tls)
else:
server = self.ldap3.Server(self._ldap_uri, use_ssl=False, tls=tls)
else:
logger.debug("_login3 not using encryption (reader)")
server = self.ldap3.Server(self._ldap_uri)
conn = self.ldap3.Connection(server, self._ldap_reader_dn, password=self._ldap_secret)
try:
conn = self.ldap3.Connection(server, self._ldap_reader_dn, password=self._ldap_secret, auto_bind=False, raise_exceptions=True)
if self._ldap_security == "starttls":
logger.debug("_login3 using starttls (reader)")
conn.start_tls()
except self.ldap3.core.exceptions.LDAPStartTLSError as e:
raise RuntimeError(f"_login3 StartTLS Error: {e}")
except self.ldap3.core.exceptions.LDAPSocketOpenError:
raise RuntimeError("Unable to reach LDAP server")
except Exception as e:
logger.debug(f"_login3 error 1 {e}")
logger.debug(f"_login3 error 1 {e} (reader)")
pass
if not conn.bind():
logger.debug("_login3 cannot bind")
logger.debug("_login3 cannot bind (reader)")
raise RuntimeError("Unable to read from LDAP server")
logger.debug(f"_login3 bind as {self._ldap_reader_dn}")
"""Search the user dn"""
escaped_login = self.ldap3.utils.conv.escape_filter_chars(login)
@ -230,7 +250,13 @@ class Auth(auth.BaseAuth):
logger.debug(f"_login3 found LDAP user DN {user_dn}")
try:
"""Try to bind as the user itself"""
conn = self.ldap3.Connection(server, user_dn, password=password)
try:
conn = self.ldap3.Connection(server, user_dn, password=password, auto_bind=False)
if self._ldap_security == "starttls":
logger.debug("_login3 using starttls (user)")
conn.start_tls()
except self.ldap3.core.exceptions.LDAPStartTLSError as e:
raise RuntimeError(f"_login3 StartTLS Error: {e}")
if not conn.bind():
logger.debug(f"_login3 user '{login}' cannot be found")
return ""

8
radicale/config.py
View file

@ -297,11 +297,15 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([
"type": str}),
("ldap_use_ssl", {
"value": "False",
"help": "Use ssl on the ldap connection",
"help": "Use ssl on the ldap connection. Soon to be deprecated, use ldap_security instead",
"type": bool}),
("ldap_security", {
"value": "none",
"help": "the encryption mode to be used: *none*|tls|starttls",
"type": str}),
("ldap_ssl_verify_mode", {
"value": "REQUIRED",
"help": "The certificate verification mode. NONE, OPTIONAL, default is REQUIRED",
"help": "The certificate verification mode. Works for tls and starttls. NONE, OPTIONAL, default is REQUIRED",
"type": str}),
("ldap_ssl_ca_file", {
"value": "",