For ldapi:// connections, which connect - by definition - to a local UNIX
socket, lower the value of config setting 'ldap_ssl_verify_mode' to "NONE"
to avoid certificate validation failures.
The UNIX socket address can NEVER match any DNS name from a certificate,
making the whole certificate validation moot.
This is a workaround for a limitation of Python's LDAP modules, that do not
consider this edge case.
* treat 'ldap_ssl_verify_mode' as string
* perform check for accepted values; fail on illegal ones
* translate to the values needed by the respective LDAP module
when doing the login, based on a module specific dictionary
Python's ldap module, which is modelled along OpenLDAP's API, allows us to
keep the connection and do a new bind as a different user, superseding
the previous bind.
Use this to simplify the code and avoid duplication.
Until now, every connection to the LDAP server was silently unencrypted
when using Python's ldap module instead of the ldap3 module.
I.e. using Python's ldap module was inherently insecure, as there was not
even a hint that the config settings for encryption were ignored.
This commit changes this and brings LDAP authentication based on the ldap
module feature-wise on par with the one based on the ldap3 module.
LDAP URIs starting with the scheme 'ldaps' are - by definition - meant to use
LDAPS instead of plain LDAP: infer 'ldap_security' = "tls" if it is not set.
* stop treating it as class property
* refactor to consolidate logic into one big 'if' statement
(for easier removal when the config option gets removed in the future)
* make deprecation warning for 'ldap_use_ssl' more urgent
* raise error if conflicting settings 'ldap_security' = "starttls" and
'ldap_use_ssl' = True are set together
* if not set, infer 'ldap_security' = "tls" from 'ldap_use_ssl' = True,
logging a warning for the admin to update the config
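As an added illustration (not the project's own code) of the settings logic described in the ldapi://, ldap_ssl_verify_mode, ldaps and ldap_use_ssl messages above, the following normalises the three options before they are handed to either LDAP module. The option names 'ldap_ssl_verify_mode', 'ldap_security' ("tls", "starttls") and 'ldap_use_ssl', the "NONE" verify mode and the ldapi/ldaps rules come from the commit messages; the other accepted verify-mode names ("OPTIONAL", "REQUIRED"), the defaults, the function names and the message wording are assumptions. The python-ldap constants are defined locally so the example runs without that module installed.

```python
"""Illustrative normalisation of LDAP TLS settings (added example, not project code)."""
import logging
import ssl
from urllib.parse import urlsplit

log = logging.getLogger(__name__)

# Numeric values of OpenLDAP's LDAP_OPT_X_TLS_* require-cert levels, which
# python-ldap exposes as ldap.OPT_X_TLS_NEVER etc.; defined here so the
# example does not need python-ldap to run.
OPT_X_TLS_NEVER, OPT_X_TLS_HARD, OPT_X_TLS_DEMAND, OPT_X_TLS_ALLOW, OPT_X_TLS_TRY = 0, 1, 2, 3, 4

# 'ldap_ssl_verify_mode' is a string; each module needs a different constant.
# "NONE" is on the page, "OPTIONAL"/"REQUIRED" are assumed names.
VERIFY_MODE_BY_MODULE = {
    "ldap":  {"NONE": OPT_X_TLS_NEVER, "OPTIONAL": OPT_X_TLS_ALLOW,  "REQUIRED": OPT_X_TLS_DEMAND},
    "ldap3": {"NONE": ssl.CERT_NONE,   "OPTIONAL": ssl.CERT_OPTIONAL, "REQUIRED": ssl.CERT_REQUIRED},
}
SECURITY_VALUES = {"none", "tls", "starttls"}   # assumed set of 'ldap_security' values


class LdapConfigError(ValueError):
    """Illegal or conflicting settings: fail closed instead of guessing."""


def normalize_ldap_config(cfg: dict) -> dict:
    """Return a validated copy of cfg with 'ldap_security' and 'ldap_ssl_verify_mode' settled."""
    cfg = dict(cfg)                      # never mutate the caller's mapping
    scheme = urlsplit(cfg["ldap_uri"]).scheme.lower()

    # Deprecated boolean 'ldap_use_ssl': warn loudly; starttls + True is a
    # contradiction and an error; otherwise infer 'ldap_security' = "tls" if unset.
    if cfg.get("ldap_use_ssl") is not None:
        log.warning("'ldap_use_ssl' is deprecated and will be removed; set 'ldap_security' instead")
        if cfg["ldap_use_ssl"]:
            if cfg.get("ldap_security") == "starttls":
                raise LdapConfigError("'ldap_use_ssl' = True conflicts with 'ldap_security' = \"starttls\"")
            cfg.setdefault("ldap_security", "tls")

    # An 'ldaps' scheme means LDAPS by definition: infer "tls" if not set.
    if scheme == "ldaps":
        cfg.setdefault("ldap_security", "tls")
    if cfg.get("ldap_security") is not None and cfg["ldap_security"] not in SECURITY_VALUES:
        raise LdapConfigError(f"illegal 'ldap_security' value {cfg['ldap_security']!r}")

    # Treat 'ldap_ssl_verify_mode' as a string (accepted case-insensitively, an
    # assumption) and reject anything outside the accepted set.
    mode = str(cfg.get("ldap_ssl_verify_mode", "REQUIRED")).upper()   # default is an assumption
    if mode not in VERIFY_MODE_BY_MODULE["ldap"]:
        raise LdapConfigError(f"illegal 'ldap_ssl_verify_mode' value {mode!r}")

    # ldapi:// is a local UNIX socket: no DNS name can ever match a certificate,
    # so certificate validation is moot and is lowered to NONE instead of failing.
    if scheme == "ldapi" and mode != "NONE":
        log.warning("ldapi:// connection: lowering 'ldap_ssl_verify_mode' from %s to NONE", mode)
        mode = "NONE"
    cfg["ldap_ssl_verify_mode"] = mode
    return cfg


def verify_mode_for_module(cfg: dict, module: str):
    """Translate the validated string into the constant the given module expects."""
    return VERIFY_MODE_BY_MODULE[module][cfg["ldap_ssl_verify_mode"]]


def is_rejected(cfg: dict) -> bool:
    """True when normalisation refuses the configuration."""
    try:
        normalize_ldap_config(cfg)
    except LdapConfigError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample configurations, one per rule above.
    for sample in (
        {"ldap_uri": "ldapi:///var/run/slapd/ldapi", "ldap_ssl_verify_mode": "REQUIRED"},
        {"ldap_uri": "ldaps://ldap.example.com"},
        {"ldap_uri": "ldap://ldap.example.com", "ldap_use_ssl": True},
    ):
        out = normalize_ldap_config(sample)
        print(out["ldap_security"], out["ldap_ssl_verify_mode"],
              verify_mode_for_module(out, "ldap"), verify_mode_for_module(out, "ldap3"))
```

The per-module dictionary is the point of the "translate to the values needed by the respective LDAP module" bullet: the same validated string maps to an OpenLDAP require-cert level for python-ldap and to an `ssl.CERT_*` constant for ldap3, so the check happens once at configuration time and the login code only performs a lookup.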
Currently it is not used by _login2(), but it does not hurt to have it
available.
It is a preparation for supporting encrypted connections in _login2().
The evaluation of the quirk for the Authentik LDAP server changes the behaviour
of Python's `ldap3` module, and that module only.
Evaluating the quirk in `__init__`, which is used for both `ldap` and `ldap3`,
is thus wrong, and may lead to errors when this setting is used together with
the `ldap` module.
Signed-off-by: Peter Marschall <peter@adpm.de>
* config sections in [brackets]
* config values as `code`
* config value alternatives as lists
* standardized format for config options
* consolidate multiple markup variants into one
* fix hierarchy for some options
* grammar fixes
* fix some "Germanisms"
Make the remote IP parameter more generic and make it an enum
determining the source instead of a boolean. Also fix the
changelog entry.
Both as requested, I managed to miss those comments previously.
If known, let the auth server know where the client came
from, using REMOTE_ADDR or, optionally/configurably, the
X-Remote-Addr header value (which is needed when running
behind a trusted proxy).
Addresses #1859.
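As an added example (not the project's code) of the "source" enum described in the last two messages, the following picks the client address that is reported to the auth server: either the TCP peer address in REMOTE_ADDR, or the X-Remote-Addr header, which is only safe to honour when a trusted proxy sets it. REMOTE_ADDR and X-Remote-Addr come from the page; the enum, its member names, the function name and the WSGI-style dictionary are assumptions.

```python
"""Illustrative client-address selection by configured source (added example)."""
import ipaddress
from enum import Enum


class RemoteIpSource(Enum):
    """Where the client address is taken from; replaces a boolean switch (names assumed)."""
    NONE = "none"                    # do not report any client address
    REMOTE_ADDR = "remote_addr"      # TCP peer address: correct for direct clients
    X_REMOTE_ADDR = "x_remote_addr"  # header set by a trusted reverse proxy


def client_ip(environ: dict, source: RemoteIpSource):
    """Return the client IP as a normalised string, or None if unknown or unusable."""
    if source is RemoteIpSource.NONE:
        return None
    if source is RemoteIpSource.REMOTE_ADDR:
        raw = environ.get("REMOTE_ADDR")
    else:
        # WSGI exposes the X-Remote-Addr header as HTTP_X_REMOTE_ADDR. It is
        # only consulted when the admin selected this source, i.e. when a
        # trusted proxy in front of the app sets it; without a proxy any client
        # could supply an arbitrary value here.
        raw = environ.get("HTTP_X_REMOTE_ADDR")
    if not raw:
        return None
    try:
        # Parse and re-serialise: rejects garbage and normalises IPv6 spelling
        # before the value is forwarded to the auth server.
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed WSGI-style environ for a request arriving via a proxy.
    env = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_REMOTE_ADDR": "203.0.113.9"}
    for src in RemoteIpSource:
        print(src.name, client_ip(env, src))
```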