From 173da7c91e3cfe57720e7f93781377abff4c8be7 Mon Sep 17 00:00:00 2001
From: Robin Sonnabend <robin@fsmpi.rwth-aachen.de>
Date: Mon, 17 Apr 2017 23:15:58 +0200
Subject: [PATCH] Allow configuration of the LDAP server certificate

---
 auth.py           | 11 +++++++++--
 config.py.example |  3 ++-
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/auth.py b/auth.py
index 0490caa..be1d4b2 100644
--- a/auth.py
+++ b/auth.py
@@ -1,5 +1,6 @@
 import ldap
 import hmac, hashlib
+import ssl
 import ldap3
 from ldap3.utils.dn import parse_dn
 from datetime import datetime
@@ -99,8 +100,14 @@ class LdapManager:
             yield group.cn.value
 
 class ADManager:
-    def __init__(self, host, domain, user_dn, group_dn, port=636, use_ssl=True):
-        self.server = ldap3.Server(host, port=port, use_ssl=use_ssl)
+    def __init__(self, host, domain, user_dn, group_dn,
+        port=636, use_ssl=True, ca_cert=None):
+        tls_config = ldap3.Tls(validate=ssl.CERT_REQUIRED)
+        if ca_cert is not None:
+            tls_config = ldap3.Tls(validate=ssl.CERT_REQUIRED,
+                ca_certs_file=ca_cert)
+        self.server = ldap3.Server(host, port=port, use_ssl=use_ssl,
+            tls=tls_config)
         self.domain = domain
         self.user_dn = user_dn
         self.group_dn = group_dn
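Review bot: The `tls=tls_config` argument on the `ldap3.Server(...)` line only takes effect for an SSL-wrapped connection, so with `use_ssl=False` the `ssl.CERT_REQUIRED` setting and a configured `ca_cert` silently do nothing and the bind goes over plain LDAP; either reject that combination (`if ca_cert is not None and not use_ssl: raise ValueError("ca_cert requires use_ssl=True")`) or state it in a docstring for the new parameter. The two `ldap3.Tls(...)` constructions can collapse into one, since `ca_certs_file` already defaults to None in ldap3: `tls_config = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_cert)`. As far as I recall, ldap3 checks the presented certificate against the `host` value when validation is required, so a host given as an IP address or an alias absent from the certificate's SAN will fail the handshake unless `valid_names` is also passed to `ldap3.Tls`; that is worth a sentence in the same docstring. `__init__` may continue past the end of the hunk.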
diff --git a/config.py.example b/config.py.example
index e0f8206..fbb6803 100644
--- a/config.py.example
+++ b/config.py.example
@@ -78,7 +78,8 @@ AUTH_BACKENDS = [
         host="ad.example.com",
         domain="EXAMPLE",
         user_dn="cn=users,dc=example,dc=com",
-        group_dn="dc=example,dc=com")
+        group_dn="dc=example,dc=com",
+        ca_cert="/etc/ssl/certs/example-ca.pem")
 ]
 
 # lines of error description
-- 
GitLab