1
0
Fork 0
mirror of https://github.com/Kozea/Radicale.git synced 2025-10-15 21:51:57 +00:00
Commit graph

199 commits

Author SHA1 Message Date
Peter Marschall
2d9830fb6a LDAP auth: add my Copyright to radicale/auth/ldap.py 2025-09-29 20:17:16 +02:00
Peter Marschall
f0626a8dde LDAP auth: change 'ldap_ssl_verify_mode' to NONE for ldapi://
For ldapi:// connections, which connect - by definition - to a local UNIX
socket, lower the value of config setting 'ldap_ssl_verify_mode' to "NONE"
to avoid certificate validation failures.
The UNIX socket address can NEVER match any DNS name from a certificate,
making the whole certificate validation moot.

This is a workaround for a limitation of Python's LDAP modules, that do not
consider this edge case.
2025-09-29 20:15:33 +02:00
Peter Marschall
bcba53ed8d LDAP auth: re-factor handling of 'ldap_ssl_verify_mode'
* treat 'ldap_ssl_verify_mode' as string
* perform check for accepted values; fail on illegal ones
* translate to the values nbeeded by the respective LDAP module
  when doing the login, based on a module specific dictionary
2025-09-29 20:15:33 +02:00
Peter Marschall
7df4c070e1 LDAP auth: fail on illegal values for config settings
Thr config settings 'ldap_security' and 'ldap_ssl_verify_mode' only
accept a specific set of values: fail if other values are provided.
2025-09-29 20:15:33 +02:00
Peter Marschall
b6ee3b6991 LDAP auth: align values when logging config options
In addition, log 'ldap_ssl_verify_mode' and 'ldap_ssl_ca_file' unconditionally.
2025-09-29 20:15:33 +02:00
Peter Marschall
44c64d70f5 LDAP auth: _login2: re-bind as user within same connection
Python's ldap module, which is modelled along OpenLDAP's API, allows us to
keep the connection and doing a new bind as a different user, superseding
the previous bind.
Use this to simplify the code and avoid duplication.
2025-09-29 20:15:33 +02:00
Peter Marschall
2d7a9b001c LDAP auth: support TLS & start_tls also with python-ldap
Until now, every connection to the LDAP server was silently unencryptedr
when using Python's ldap module instead of the ldap3 module.
I.e. using Python's ldap module was inherently insecure, as there was not
even a hint that the config settings for encryption were ignored.

This commit changes this and brings LDAP authentication based on the ldap
module feature-wise on par with the one based on the ldap3 module.
2025-09-29 20:15:33 +02:00
Peter Marschall
f8b15eb122 LDAP auth: get rid of helper property '_use_encryption'
Inferring 'ldap_security' in earlier commits, allows us to get rid of
the helper property '_use_encryption', streamlining the code.
2025-09-29 20:15:33 +02:00
Peter Marschall
b21549b998 LDAP auth: warn if 'ldap_ssl_ca_file' is set without LDAP encryption 2025-09-29 20:15:33 +02:00
Peter Marschall
73b77defe4 LDAP auth: warn on unset ldap_ssl_ca_file when certificate verification is wanted 2025-09-29 20:15:33 +02:00
Peter Marschall
c58eef4bac LDAP auth: infer 'ldap_security = tls' from the URL prefix: ldaps:// => LDAPS
LDAP URIs starting with the scheme 'ldaps' are - by definition - meant to use
LDAPS instead of plain LDAP: infer 'ldap_security' = "tls" if it is not set.
2025-09-29 20:15:33 +02:00
Peter Marschall
7eb0c66512 LDAP auth: refactor dealing with 'ldap_use_ssl'
* stop treating it as class property
* refactor to consolidate logic into one big 'if' statement
  (for easier removal when the config option gets removed in the future)
* make deprecation warning for 'ldap_use_ssl' more urgent
* raise error if conflicting settings 'ldap_security' = "starttls" and
  'ldap_use_ssl' = True are set together
* if not set, infer  'ldap_security' = "tls" from 'ldap_use_ssl' = True,
  logging  a warning for the admin to update the config
2025-09-29 20:15:33 +02:00
Peter Marschall
caab7d3712 LDAP auth: load SSL/TLS config unconditionally
Currently it is not used by _login2(), but it does not hurt to have it
available.
It is a preparation for supporting encrypted connections in _login2().
2025-09-29 20:15:33 +02:00
Peter Marschall
5f89d18df6 LDAP auth: move evaluation of quirk for Authentik where it belongs
The evaluation of the quirk for the Authentik LDAP server changes the behaviour
of Python's `ldap3` module, and that module only.
Evaluating the quirk in `__init__` which is used for both, `ldap` and `ldap3`
is thus wrong, and may lead to errors when this setting is used together with
the `ldap` module.

Signed-off-by: Peter Marschall <peter@adpm.de>
2025-09-25 18:09:43 +02:00
Peter Bieringer
63b160c2b0 move evaluation of quirk for Authentik where it belongs, superseeds https://github.com/Kozea/Radicale/pull/1877 2025-09-25 15:29:04 +02:00
Peter Bieringer
b46916fca9 fix according to https://github.com/Kozea/Radicale/issues/1878#issue-3438629348 2025-09-24 06:35:27 +02:00
Johannes Berg
256ca59aaf auth: clean up remote IP parameter/documentation
Make the remote IP parameter more generic and make it an enum
determining the source instead of a boolean. Also fix the
changelog entry.

Both as requested, I managed to miss those comments previously.
2025-09-09 20:25:49 +02:00
Johannes Berg
b5a1ea911d auth: dovecot: pass remote IP (rip=) to auth server
If known, let the auth server know where the client came
from, using REMOTE_ADDR or, optionally/configurably, the
X-Remote-Addr header value (which is needed when running
behind a trusted proxy.)

Addresses #1859.
2025-09-09 12:10:00 +02:00
Peter Marschall
9eb9556536 LDAP auth: decode UTF-8 byte sequences to strings only if necessary 2025-09-07 15:05:47 +02:00
Peter Marschall
cde4c5f2e8 LDAP auth: stop giving type hints for local list variables 2025-09-07 14:44:03 +02:00
Peter Marschall
9b216a9f24 LDAP auth: define fallback value for _use_encryption 2025-09-07 11:38:08 +02:00
Peter Marschall
5c4a0578b0 LDAP auth: fix _login2() by importing ldap.filter 2025-09-07 11:38:08 +02:00
Peter Marschall
5a183e3c2b LDAP auth: make flake8 happy
"fix" small lint to keep flake8 happy.
2025-09-07 11:38:08 +02:00
Peter Marschall
5f677fc77e LDAP auth: document all paramters at the top of the file 2025-09-07 11:38:08 +02:00
Peter Marschall
8821612fa8 LDAP auth: allow finding groups based on separate search
Instead of searching for the membership attribute on the user side
(usually AD: memberOf, Novell eDirectory: groupMembership) to determine
the groups the user loging on is a member of, allow performing a separate
search for the groups having the user as member and use the found groups' DNs.

The group search is performed in the context of 'ldap_reader_dn', after
the user DN has been found in the directory, but before the authentication
has been performed by doing an LDAP bind in the user's context.

Although this may - in the case of unsuccessful login attempts -
double the number of queries to the LDAP server, it has been done
this way to keep the number of LDAP contexts minimal.

Doing the group search in the context of the user logging on is no viable
option, because there are known implementations where regular users do not
have the necessary permissions to query the groups they are a member in.
2025-09-07 11:38:08 +02:00
Peter Marschall
be3d58c55d LDAP auth: protect LDAP search with a try: .. except clause
Make sure to catch exceptions when searching for the user in LDAP,
log as error and fail gracefully by declining login.
2025-07-20 17:59:31 +02:00
Dipl. Ing. Péter Varkoly
95b3944ade Do not read server info by bind to avoid needless network trafic. 2025-05-31 13:36:59 +02:00
Peter Bieringer
1e44a086bc Python < 3.10 regression fix 2025-05-16 07:37:35 +02:00
Peter Bieringer
d1098c3e22 flake8 regression E261 2025-05-16 07:28:50 +02:00
Juan F Arjona
7eb4e037cc Fixing extra space lint doesn't like :-|. 2025-05-07 13:33:18 -04:00
Juan F Arjona
1fe0211ba6
Update __init__.py
Making lint happy (?)
2025-05-07 11:59:27 -05:00
Juan F Arjona
d22d74320a Added urldecode_username option to decode the username when sent by the client. This solved problems when authenticating against an imap server from the iOS calendar. 2025-05-02 18:02:43 -04:00
Peter Bieringer
0bcd5d283a argon2: fix typo 2025-04-29 19:44:24 +02:00
Peter Bieringer
7b49bab471 argon2: make isort happy 2025-04-29 19:41:48 +02:00
Peter Bieringer
631f1596ae argon2: make flake8 happy 2025-04-29 19:39:15 +02:00
Peter Bieringer
76b9e89deb argon2: fix not supported auth method detection 2025-04-29 19:26:01 +02:00
Peter Bieringer
d3f1d203d4 argon2: fixes for mypy 2025-04-29 19:22:55 +02:00
Peter Bieringer
3c1593d244 fix typo 2025-04-29 19:18:41 +02:00
Peter Bieringer
2c569492f8 argon2: add support 2025-04-29 19:18:27 +02:00
Peter Bieringer
d5133fccd1 argon2: preparation 2025-04-29 19:15:19 +02:00
Peter Bieringer
323af3368c add info about argon2 support 2025-04-29 19:14:21 +02:00
gajus
b805393bd9 Standardize LDAP security configuration naming 2025-04-21 21:26:58 +02:00
gajus
1162a3a011 Add support for start_tls 2025-04-19 17:02:45 +02:00
Miles Liu
24138389ed
fix(auth/ldap): Extract user attribute from list in _login3
This commit modifies `_login3` to check if the attribute value is a
list and, if so, extracts the first element (`[0]`) as the login
identifier. If the value is not a list, it's used directly (fallback).
2025-04-17 14:02:40 +08:00
Peter Bieringer
6b83c409d4
Merge pull request #1742 from BastelBaus/patch-2
Update ldap.py
2025-03-26 05:50:28 +01:00
BastelBaus@gmail.com
5d5b12c124 fixed flake8 errors 2025-03-24 22:14:29 +01:00
BastelBaus
2439266d0e
Update ldap.py
Bugfix, user_entry['attributes'][self._ldap_user_attr] is already the string so user_entry['attributes'][self._ldap_user_attr][0] would give only the first character and not the full user attribute
2025-03-24 20:25:51 +01:00
BastelBaus
3af690fcb6
Update ldap.py 2025-03-24 20:13:38 +01:00
BastelBaus
98152062df
Update ldap.py 2025-03-24 20:11:40 +01:00
BastelBaus
bcbf0918a9
Update ldap.py 2025-03-24 20:10:53 +01:00