
LDAP auth: change 'ldap_ssl_verify_mode' to NONE for ldapi://

For ldapi:// connections, which connect - by definition - to a local UNIX
socket, lower the value of config setting 'ldap_ssl_verify_mode' to "NONE"
to avoid certificate validation failures.
The UNIX socket address can NEVER match any DNS name from a certificate,
making the whole certificate validation moot.

This is a workaround for a limitation of Python's LDAP modules, which do not
consider this edge case.
Peter Marschall 2025-09-28 13:17:29 +02:00
parent bcba53ed8d
commit f0626a8dde


@ -119,6 +119,9 @@ class Auth(auth.BaseAuth):
if self._ldap_uri.lower().startswith("ldaps://") and self._ldap_security not in ("tls", "starttls"): if self._ldap_uri.lower().startswith("ldaps://") and self._ldap_security not in ("tls", "starttls"):
logger.info("Inferring 'ldap_security' = tls from 'ldap_uri' starting with 'ldaps://'") logger.info("Inferring 'ldap_security' = tls from 'ldap_uri' starting with 'ldaps://'")
self._ldap_security = "tls" self._ldap_security = "tls"
if self._ldap_uri.lower().startswith("ldapi://") and self._ldap_ssl_verify_mode != "NONE":
logger.info("Lowering 'ldap_'ldap_ssl_verify_mode' to NONE for 'ldap_uri' starting with 'ldapi://'")
self._ldap_ssl_verify_mode = "NONE"
if self._ldap_ssl_ca_file == "" and self._ldap_ssl_verify_mode != "NONE" and self._ldap_security in ("tls", "starttls"): if self._ldap_ssl_ca_file == "" and self._ldap_ssl_verify_mode != "NONE" and self._ldap_security in ("tls", "starttls"):
logger.warning("Certificate verification not possible: 'ldap_ssl_ca_file' not set") logger.warning("Certificate verification not possible: 'ldap_ssl_ca_file' not set")