Allow LDAP with STARTTLS before bind

Monogramm · Feb 20, 2018 · 5b713c9 · 5b713c9
1 parent 33a5b70
commit 5b713c9
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -29,6 +29,15 @@ INSTALLED_APPS += ["taiga_contrib_ldap_auth_ext"]
 LDAP_SERVER = 'ldap://ldap.example.com'
 LDAP_PORT = 389
 
+# Flag to enable LDAP with STARTTLS before bind
+LDAP_START_TLS = False
+
+# Support of alternative LDAP ciphersuites
+#from ldap3 import Tls
+#import ssl
+
+#LDAP_TLS_CERTS = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1, ciphers='RSA+3DES')
+
 # Full DN of the service account use to connect to LDAP server and search for login user's account entry
 # If LDAP_BIND_DN is not specified, or is blank, then an anonymous bind is attempated
 LDAP_BIND_DN = 'CN=SVC Account,OU=Service Accounts,OU=Servers,DC=example,DC=com'
@@ -46,12 +55,6 @@ LDAP_USERNAME_ATTRIBUTE = 'uid'
 LDAP_EMAIL_ATTRIBUTE = 'mail'
 LDAP_FULL_NAME_ATTRIBUTE = 'displayName'
 
-# Support of alternative LDAP ciphersuites
-#from ldap3 import Tls
-#import ssl
-
-#LDAP_TLS_CERTS = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1, ciphers='RSA+3DES')
-
 # Function to map LDAP username to local DB user unique identifier.
 # Upon successful LDAP bind, will override returned username attribute
 # value. May result in unexpected failures if changed after the database

diff --git a/taiga_contrib_ldap_auth_ext/connector.py b/taiga_contrib_ldap_auth_ext/connector.py
@@ -11,7 +11,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-from ldap3 import Server, Connection, Tls, ANONYMOUS, SIMPLE, SYNC, SUBTREE, NONE
+from ldap3 import Server, Connection, Tls, AUTO_BIND_NO_TLS, AUTO_BIND_TLS_BEFORE_BIND, ANONYMOUS, SIMPLE, SYNC, SUBTREE, NONE
 
 from django.conf import settings
 from taiga.base.connectors.exceptions import ConnectorBaseException
@@ -43,6 +43,7 @@ class LDAPUserLoginError(LDAPError):
 FULL_NAME_ATTRIBUTE = getattr(settings, "LDAP_FULL_NAME_ATTRIBUTE", "")
 
 TLS_CERTS = getattr(settings, "LDAP_TLS_CERTS", "")
+START_TLS = getattr(settings, "LDAP_START_TLS", False)
 
 
 def login(login: str, password: str) -> tuple:
@@ -83,8 +84,13 @@ def login(login: str, password: str) -> tuple:
         service_user = None
         service_pass = None
         service_auth = ANONYMOUS
+
+    auto_bind = AUTO_BIND_NO_TLS
+    if START_TLS:
+        auto_bind = AUTO_BIND_TLS_BEFORE_BIND
+
     try:
-        c = Connection(server, auto_bind = True, client_strategy = SYNC, check_names = True,
+        c = Connection(server, auto_bind = auto_bind, client_strategy = SYNC, check_names = True,
                        user = service_user, password = service_pass, authentication = service_auth)
     except Exception as e:
         error = "Error connecting to LDAP server: %s" % e
@@ -118,7 +124,7 @@ def login(login: str, password: str) -> tuple:
     full_name = c.response[0].get('raw_attributes').get(FULL_NAME_ATTRIBUTE)[0].decode('utf-8')
     try:
         dn = str(bytes(c.response[0].get('dn'), 'iso-8859-1'), encoding='utf-8')
-        user_conn = Connection(server, auto_bind = True, client_strategy = SYNC,
+        user_conn = Connection(server, auto_bind = auto_bind, client_strategy = SYNC,
                                check_names = True, authentication = SIMPLE,
                                user = dn, password = password)
     except Exception as e: