diff --git a/README.md b/README.md
index 3982f52..587a9d0 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,15 @@ INSTALLED_APPS += ["taiga_contrib_ldap_auth_ext"]
 LDAP_SERVER = 'ldap://ldap.example.com'
 LDAP_PORT = 389
+# Flag to enable LDAP with STARTTLS before bind
+LDAP_START_TLS = False
+
+# Support of alternative LDAP ciphersuites
+#from ldap3 import Tls
+#import ssl
+
+#LDAP_TLS_CERTS = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1, ciphers='RSA+3DES')
+
 # Full DN of the service account use to connect to LDAP server and search for login user's account entry
 # If LDAP_BIND_DN is not specified, or is blank, then an anonymous bind is attempated
 LDAP_BIND_DN = 'CN=SVC Account,OU=Service Accounts,OU=Servers,DC=example,DC=com'
@@ -46,12 +55,6 @@ LDAP_USERNAME_ATTRIBUTE = 'uid'
 LDAP_EMAIL_ATTRIBUTE = 'mail'
 LDAP_FULL_NAME_ATTRIBUTE = 'displayName'
-# Support of alternative LDAP ciphersuites
-#from ldap3 import Tls
-#import ssl
-
-#LDAP_TLS_CERTS = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1, ciphers='RSA+3DES')
-
 # Function to map LDAP username to local DB user unique identifier.
 # Upon successful LDAP bind, will override returned username attribute
 # value. May result in unexpected failures if changed after the database
diff --git a/taiga_contrib_ldap_auth_ext/connector.py b/taiga_contrib_ldap_auth_ext/connector.py
index 2ec2364..593b0ac 100644
--- a/taiga_contrib_ldap_auth_ext/connector.py
+++ b/taiga_contrib_ldap_auth_ext/connector.py
@@ -11,7 +11,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program. If not, see .
-from ldap3 import Server, Connection, Tls, ANONYMOUS, SIMPLE, SYNC, SUBTREE, NONE
+from ldap3 import Server, Connection, Tls, AUTO_BIND_NO_TLS, AUTO_BIND_TLS_BEFORE_BIND, ANONYMOUS, SIMPLE, SYNC, SUBTREE, NONE
 from django.conf import settings
 from taiga.base.connectors.exceptions import ConnectorBaseException
@@ -43,6 +43,7 @@ class LDAPUserLoginError(LDAPError):
 FULL_NAME_ATTRIBUTE = getattr(settings, "LDAP_FULL_NAME_ATTRIBUTE", "")
 TLS_CERTS = getattr(settings, "LDAP_TLS_CERTS", "")
+START_TLS = getattr(settings, "LDAP_START_TLS", False)
 def login(login: str, password: str) -> tuple:
@@ -83,8 +84,13 @@ def login(login: str, password: str) -> tuple:
 service_user = None
 service_pass = None
 service_auth = ANONYMOUS
+
+ auto_bind = AUTO_BIND_NO_TLS
+ if START_TLS:
+ auto_bind = AUTO_BIND_TLS_BEFORE_BIND
+
 try:
- c = Connection(server, auto_bind = True, client_strategy = SYNC, check_names = True,
+ c = Connection(server, auto_bind = auto_bind, client_strategy = SYNC, check_names = True,
 user = service_user, password = service_pass, authentication = service_auth)
 except Exception as e:
 error = "Error connecting to LDAP server: %s" % e
@@ -118,7 +124,7 @@ def login(login: str, password: str) -> tuple:
 full_name = c.response[0].get('raw_attributes').get(FULL_NAME_ATTRIBUTE)[0].decode('utf-8')
 try:
 dn = str(bytes(c.response[0].get('dn'), 'iso-8859-1'), encoding='utf-8')
- user_conn = Connection(server, auto_bind = True, client_strategy = SYNC,
+ user_conn = Connection(server, auto_bind = auto_bind, client_strategy = SYNC,
 check_names = True, authentication = SIMPLE, user = dn, password = password)
 except Exception as e:
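Review bot: With `START_TLS` set, the new `auto_bind = AUTO_BIND_TLS_BEFORE_BIND` relies on ldap3 to abort when the StartTLS extended operation is refused, but the `Connection(...)` call keeps ldap3's default `raise_exceptions=False`, under which `start_tls()` reports failure by returning False and, depending on the installed ldap3 version, the automatic bind may still proceed over the unencrypted socket; confirm the version's behaviour or pass `raise_exceptions = True` so a failed upgrade lands in the existing `except Exception` branch rather than silently downgrading. The same applies to the user bind in the `@@ -118` hunk, which reuses `auto_bind` for the SIMPLE bind that carries the user's password. STARTTLS also only resists an active intermediary if the `Tls` object attached to `server` (presumably built from `TLS_CERTS` outside this hunk) validates the peer certificate; both ldap3's `Tls()` default and the README example use `ssl.CERT_NONE`, which accepts any certificate, so the documented example deserves `validate=ssl.CERT_REQUIRED` with a CA file. As a point of style the three-line assignment reads more directly as `auto_bind = AUTO_BIND_TLS_BEFORE_BIND if START_TLS else AUTO_BIND_NO_TLS`. `login` starts and ends outside the hunk.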