Description
The module ldap_python does not set ldap options if they are '0'
Steps to reproduce
Set up the following config:
    from MoinMoin.auth.ldap_login import LDAPAuth
    ldap_authenticator1 = LDAPAuth(
        server_uri='ldaps://ldap.xxxxx.com:636',
        bind_dn='',                  # DN we use for first bind (AD)
        bind_pw='',                  # password we use for first bind
        base_dn='o=xxxxx.com',       # base DN we use for searching
        scope=2,                     # scope of the search we do (2 == ldap.SCOPE_SUBTREE)
        search_filter='(uid=%(username)s)',  # ldap filter used for searching
        givenname_attribute=None,    # often 'givenName' - ldap attribute we get the first name from
        surname_attribute=None,      # often 'sn' - ldap attribute we get the family name from
        aliasname_attribute=None,    # often 'displayName' - ldap attribute we get the aliasname from
        email_attribute=None,        # often 'mail' - ldap attribute we get the email address from
        email_callback=None,         # callback function called to make up email address
        coding='utf-8',              # coding used for ldap queries and result values
        timeout=10,                  # how long we wait for the ldap server [s]
        start_tls=0,                 # usage of Transport Layer Security 0 = No, 1 = Try, 2 = Required
        tls_require_cert=0,          # 0 == ldap.OPT_X_TLS_NEVER (needed for self-signed certs)
        bind_once=False,             # set to True to only do one bind - useful if configured to bind as the use
    )
The option 'tls_require_cert = 0' is never set, i.e. this call is never made:

    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
Example
None
Component selection
- authorisation
Details
The following error is logged:

    2008-08-05 07:10:55,899 MoinMoin.auth.ldap_login DEBUG Connected to LDAP server 'ldaps://ldap.hp.com:636'.
    2008-08-05 07:10:55,938 MoinMoin.auth.ldap_login ERROR LDAP server ldaps://ldap.hp.com:636 failed ({'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}). Trying to authenticate with next auth list entry.
    2008-08-05 07:10:55,938 MoinMoin.session DEBUG after auth: no valid user, no anon session
Looking at the code, it seems the issue lies with the statement `if value:`. If the value of the option to be set is 0, this test is never true, so the set_option() call is never executed:

    if hasattr(ldap, 'TLS_AVAIL') and ldap.TLS_AVAIL:
        for option, value in (
            (ldap.OPT_X_TLS_CACERTDIR, self.tls_cacertdir),
            (ldap.OPT_X_TLS_CACERTFILE, self.tls_cacertfile),
            (ldap.OPT_X_TLS_CERTFILE, self.tls_certfile),
            (ldap.OPT_X_TLS_KEYFILE, self.tls_keyfile),
            (ldap.OPT_X_TLS_REQUIRE_CERT, self.tls_require_cert),
            (ldap.OPT_X_TLS, self.start_tls),
            #(ldap.OPT_X_TLS_ALLOW, 1),
        ):
            if value:
                ldap.set_option(option, value)
                logging.debug("Set option %r." % option)
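The following is an added example, not MoinMoin's code, that isolates the truthiness bug above: the reported `if value:` filter is placed beside an `is not None` filter, and both are run against the report's settings (start_tls=0, tls_require_cert=0). A `FakeLdap` class stands in for the python-ldap module and records what would be passed to `ldap.set_option()`, so nothing here needs an LDAP server or python-ldap; the option names are python-ldap's, `OPT_X_TLS_NEVER == 0` is the value the report itself cites, options left unset are assumed to be `None`, and the CA file path is a placeholder. The `is not None` test is one way to fix the loop, not necessarily what the upstream changeset did.

```python
# Added example (not MoinMoin's code): why `if value:` silently drops an
# option whose value is 0, and an `is not None` test that keeps it.
# FakeLdap is a stand-in for the python-ldap module so this runs offline.


class FakeLdap(object):
    """Records set_option() calls instead of touching a real LDAP library.
    Option names mirror python-ldap; OPT_X_TLS_NEVER == 0 as in the report."""
    TLS_AVAIL = 1
    OPT_X_TLS_CACERTDIR = "OPT_X_TLS_CACERTDIR"
    OPT_X_TLS_CACERTFILE = "OPT_X_TLS_CACERTFILE"
    OPT_X_TLS_CERTFILE = "OPT_X_TLS_CERTFILE"
    OPT_X_TLS_KEYFILE = "OPT_X_TLS_KEYFILE"
    OPT_X_TLS_REQUIRE_CERT = "OPT_X_TLS_REQUIRE_CERT"
    OPT_X_TLS = "OPT_X_TLS"
    OPT_X_TLS_NEVER = 0

    def __init__(self):
        self.options = {}

    def set_option(self, option, value):
        self.options[option] = value


def tls_option_pairs(ldap, cfg):
    """(option, value) tuples in the order the reported loop walks them.
    `cfg` is a dict keyed by the LDAPAuth keyword names from the report;
    a key that is absent means the option was left unset (None, assumed)."""
    return (
        (ldap.OPT_X_TLS_CACERTDIR, cfg.get("tls_cacertdir")),
        (ldap.OPT_X_TLS_CACERTFILE, cfg.get("tls_cacertfile")),
        (ldap.OPT_X_TLS_CERTFILE, cfg.get("tls_certfile")),
        (ldap.OPT_X_TLS_KEYFILE, cfg.get("tls_keyfile")),
        (ldap.OPT_X_TLS_REQUIRE_CERT, cfg.get("tls_require_cert")),
        (ldap.OPT_X_TLS, cfg.get("start_tls")),
    )


def apply_tls_options_buggy(ldap, cfg):
    """The behaviour reported above: any falsy value (0, '', None) is skipped,
    so tls_require_cert=0 never reaches the library."""
    if hasattr(ldap, "TLS_AVAIL") and ldap.TLS_AVAIL:
        for option, value in tls_option_pairs(ldap, cfg):
            if value:
                ldap.set_option(option, value)
    return ldap.options


def apply_tls_options_fixed(ldap, cfg):
    """Only an unset value (None) is skipped; 0 is a legitimate setting.
    One possible fix, not necessarily the upstream changeset."""
    if hasattr(ldap, "TLS_AVAIL") and ldap.TLS_AVAIL:
        for option, value in tls_option_pairs(ldap, cfg):
            if value is not None:
                ldap.set_option(option, value)
    return ldap.options


# Constructed config: the values from the report, everything else unset.
REPORTED_CFG = {"start_tls": 0, "tls_require_cert": 0}

# Constructed config for the safer way to accept a self-signed server
# certificate: pin its CA file and leave certificate checking on.
# The path is a placeholder.
CACERT_CFG = {"start_tls": 0, "tls_cacertfile": "/etc/ssl/certs/ldap-ca.pem"}


if __name__ == "__main__":
    print("buggy loop, reported config:", apply_tls_options_buggy(FakeLdap(), REPORTED_CFG))
    print("fixed loop, reported config:", apply_tls_options_fixed(FakeLdap(), REPORTED_CFG))
    print("fixed loop, CA-file config:", apply_tls_options_fixed(FakeLdap(), CACERT_CFG))
```

With the buggy loop the reported config sets nothing, so the library's default certificate policy stays in force and the handshake fails exactly as in the log above. With the fixed loop `OPT_X_TLS_REQUIRE_CERT` is set to 0 and the connection to a self-signed server succeeds, but note what that buys: `OPT_X_TLS_NEVER` disables certificate verification entirely, so an attacker who can intercept traffic to port 636 can impersonate the directory and capture the bind password. Pointing `tls_cacertfile` at the server's own CA certificate (the `CACERT_CFG` case) accepts the self-signed chain while keeping verification on, and is the configuration to prefer once this fix is in place.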
MoinMoin Version | 1.7.1
OS and Version | Linux
Python Version | 2.5.2
Server Setup |
Server Details |
Language you are using the wiki in (set in the browser/UserPreferences) |
Workaround
Discussion
Plan
- Priority:
- Assigned to:
Status: fixed by http://hg.moinmo.in/moin/1.7/rev/0ab296a0c099 please test!