Allow configuration of the LDAP server certificate

173da7c9 · Robin Sonnabend · 8c04d06d · 173da7c9 · 173da7c9
Commit 173da7c9 authored Apr 17, 2017 by Robin Sonnabend
--- a/auth.py
+++ b/auth.py
 import ldap
 import hmac, hashlib
+import ssl
 import ldap3
 from ldap3.utils.dn import parse_dn
 from datetime import datetime
@@ -99,8 +100,14 @@ class LdapManager:
            yield group.cn.value
 class ADManager:
-    def __init__(self, host, domain, user_dn, group_dn, port=636, use_ssl=True):
+    def __init__(self, host, domain, user_dn, group_dn,
-        self.server = ldap3.Server(host, port=port, use_ssl=use_ssl)
+        port=636, use_ssl=True, ca_cert=None):
+        tls_config = ldap3.Tls(validate=ssl.CERT_REQUIRED)
+        if ca_cert is not None:
+            tls_config = ldap3.Tls(validate=ssl.CERT_REQUIRED,
+                ca_certs_file=ca_cert)
+        self.server = ldap3.Server(host, port=port, use_ssl=use_ssl,
+            tls=tls_config)
        self.domain = domain
        self.user_dn = user_dn
        self.group_dn = group_dn

--- a/config.py.example
+++ b/config.py.example
@@ -78,7 +78,8 @@ AUTH_BACKENDS = [
        host="ad.example.com",
        domain="EXAMPLE",
        user_dn="cn=users,dc=example,dc=com",
-        group_dn="dc=example,dc=com")
+        group_dn="dc=example,dc=com",
+        ca_cert="/etc/ssl/certs/example-ca.pem")
 ]
 # lines of error description