# HG changeset patch
# User Marcin Kuzminski
# Date 2018-11-20 21:05:34
# Node ID 75c71c3165df356a47c4d24f2906d3b53d4e65aa
# Parent feb956fcb87f9f9379cb2619b9c4314c566d8151
ldap: ensure the proper cert files and dirs are set. - addresses some issues with SSL certificates after bump of the LDAP drivers.
diff --git a/rhodecode/authentication/plugins/auth_ldap.py b/rhodecode/authentication/plugins/auth_ldap.py
--- a/rhodecode/authentication/plugins/auth_ldap.py
+++ b/rhodecode/authentication/plugins/auth_ldap.py
@@ -22,6 +22,7 @@
 RhodeCode authentication plugin for LDAP
 """
+import os
 import logging
 import traceback
@@ -240,8 +241,14 @@ class AuthLdap(AuthLdapBase):
 if self.debug:
 ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
- if hasattr(ldap, 'OPT_X_TLS_CACERTDIR'):
- ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '/etc/openldap/cacerts')
+ default_cert_path = os.environ.get('SSL_CERT_FILE')
+ default_cert_dir = os.environ.get('SSL_CERT_DIR', '/etc/openldap/cacerts')
+ if default_cert_path and hasattr(ldap, 'OPT_X_TLS_CACERTFILE'):
+ ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, default_cert_path)
+
+ elif hasattr(ldap, 'OPT_X_TLS_CACERTDIR'):
+ ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, default_cert_dir)
+
 if self.TLS_KIND != 'PLAIN':
 ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)
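Review bot: In the second hunk the CA trust source for LDAP TLS is now chosen from the process environment, and the `elif` makes the two sources exclusive: once `SSL_CERT_FILE` is set, `OPT_X_TLS_CACERTDIR` is never configured, so a deployment whose LDAP CA exists only under `/etc/openldap/cacerts` would lose that anchor. The fallback also applies only when `SSL_CERT_DIR` is unset; an empty value is passed straight to `set_option`, which `default_cert_dir = os.environ.get('SSL_CERT_DIR') or '/etc/openldap/cacerts'` would avoid. If both stores are meant to be honoured, the second branch can be a plain `if hasattr(ldap, 'OPT_X_TLS_CACERTDIR'):`. Neither path is checked for existence or logged, so I would add a debug log line naming the file or directory selected, which makes a verification failure or an unexpected trust store diagnosable. The enclosing method starts and ends outside the hunk, so whether a later call overrides these global options cannot be seen here.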