Enable start_tls connection encryption.
"Lorenzo M. Catucci" -
r1290:74685a31 beta
@@ -59,6 +59,13 b' class LdapSettingsController(BaseControl'
59 ]
59 ]
60 tls_reqcert_default = 'DEMAND'
60 tls_reqcert_default = 'DEMAND'
61
61
62 tls_kind_choices = [('PLAIN', _('No encryption'),),
63 ('LDAPS', _('LDAPS connection'),),
64 ('START_TLS', _('START_TLS on LDAP connection'),)
65 ]
66
67 tls_kind_default = 'PLAIN'
68
62 @LoginRequired()
69 @LoginRequired()
63 @HasPermissionAllDecorator('hg.admin')
70 @HasPermissionAllDecorator('hg.admin')
64 def __before__(self):
71 def __before__(self):
@@ -66,12 +73,14 b' class LdapSettingsController(BaseControl'
66 c.admin_username = session.get('admin_username')
73 c.admin_username = session.get('admin_username')
67 c.search_scope_choices = self.search_scope_choices
74 c.search_scope_choices = self.search_scope_choices
68 c.tls_reqcert_choices = self.tls_reqcert_choices
75 c.tls_reqcert_choices = self.tls_reqcert_choices
76 c.tls_kind_choices = self.tls_kind_choices
69 super(LdapSettingsController, self).__before__()
77 super(LdapSettingsController, self).__before__()
70
78
71 def index(self):
79 def index(self):
72 defaults = SettingsModel().get_ldap_settings()
80 defaults = SettingsModel().get_ldap_settings()
73 c.search_scope_cur = defaults.get('ldap_search_scope')
81 c.search_scope_cur = defaults.get('ldap_search_scope')
74 c.tls_reqcert_cur = defaults.get('ldap_tls_reqcert')
82 c.tls_reqcert_cur = defaults.get('ldap_tls_reqcert')
83 c.tls_kind_cur = defaults.get('ldap_tls_kind')
75
84
76 return htmlfill.render(
85 return htmlfill.render(
77 render('admin/ldap/ldap.html'),
86 render('admin/ldap/ldap.html'),
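Review bot: `c.tls_kind_cur = defaults.get('ldap_tls_kind')` hands None to the template when no `ldap_tls_kind` setting has been stored yet, while the `tls_kind_default = 'PLAIN'` introduced in the previous hunk is not consulted anywhere visible in this diff. Reading it as `c.tls_kind_cur = defaults.get('ldap_tls_kind', self.tls_kind_default)` keeps the form's initial selection and the class default in one place; if the default is consumed somewhere outside the diff, disregard this. index() continues past the end of the hunk.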
@@ -84,7 +93,8 b' class LdapSettingsController(BaseControl'
84
93
85 settings_model = SettingsModel()
94 settings_model = SettingsModel()
86 _form = LdapSettingsForm([x[0] for x in self.tls_reqcert_choices],
95 _form = LdapSettingsForm([x[0] for x in self.tls_reqcert_choices],
87 [x[0] for x in self.search_scope_choices])()
96 [x[0] for x in self.search_scope_choices],
97 [x[0] for x in self.tls_kind_choices])()
88
98
89 try:
99 try:
90 form_result = _form.to_python(dict(request.POST))
100 form_result = _form.to_python(dict(request.POST))
@@ -190,7 +190,7 b' def authenticate(username, password):'
190 'port': ldap_settings.get('ldap_port'),
190 'port': ldap_settings.get('ldap_port'),
191 'bind_dn': ldap_settings.get('ldap_dn_user'),
191 'bind_dn': ldap_settings.get('ldap_dn_user'),
192 'bind_pass': ldap_settings.get('ldap_dn_pass'),
192 'bind_pass': ldap_settings.get('ldap_dn_pass'),
193 'use_ldaps': str2bool(ldap_settings.get('ldap_ldaps')),
193 'tls_kind': ldap_settings.get('ldap_tls_kind'),
194 'tls_reqcert': ldap_settings.get('ldap_tls_reqcert'),
194 'tls_reqcert': ldap_settings.get('ldap_tls_reqcert'),
195 'ldap_filter': ldap_settings.get('ldap_filter'),
195 'ldap_filter': ldap_settings.get('ldap_filter'),
196 'search_scope': ldap_settings.get('ldap_search_scope'),
196 'search_scope': ldap_settings.get('ldap_search_scope'),
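Review bot: `'tls_kind': ldap_settings.get('ldap_tls_kind')` yields None on an installation that predates this change, and nothing in the diff maps a stored `ldap_ldaps = true` onto `ldap_tls_kind = 'LDAPS'` — the DbManage hunk only seeds the key for fresh databases and the SettingsModel hunk only renames the documented setting. Passing None explicitly overrides AuthLdap's `tls_kind='PLAIN'` default, and AuthLdap treats anything other than `'LDAPS'`/`'START_TLS'` as a plain connection, so an upgraded LDAPS deployment would, as far as the diff shows, silently reconnect without TLS until an admin re-saves the page. A migration step for `ldap_ldaps`, or having AuthLdap reject a missing or unknown tls_kind instead of falling through to plaintext, would make that downgrade visible rather than silent. authenticate() continues outside the hunk.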
@@ -34,14 +34,19 b' except ImportError:'
34 class AuthLdap(object):
34 class AuthLdap(object):
35
35
36 def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',
36 def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',
37 use_ldaps=False, tls_reqcert='DEMAND', ldap_version=3,
37 tls_kind = 'PLAIN', tls_reqcert='DEMAND', ldap_version=3,
38 ldap_filter='(&(objectClass=user)(!(objectClass=computer)))',
38 ldap_filter='(&(objectClass=user)(!(objectClass=computer)))',
39 search_scope='SUBTREE',
39 search_scope='SUBTREE',
40 attr_login='uid'):
40 attr_login='uid'):
41 self.ldap_version = ldap_version
41 self.ldap_version = ldap_version
42 if use_ldaps:
42 ldap_server_type = 'ldap'
43
44 self.TLS_KIND = tls_kind
45
46 if self.TLS_KIND == 'LDAPS':
43 port = port or 689
47 port = port or 689
44 self.LDAP_USE_LDAPS = use_ldaps
48 ldap_server_type = ldap_server_type + 's'
49
45 self.TLS_REQCERT = ldap.__dict__['OPT_X_TLS_' + tls_reqcert]
50 self.TLS_REQCERT = ldap.__dict__['OPT_X_TLS_' + tls_reqcert]
46 self.LDAP_SERVER_ADDRESS = server
51 self.LDAP_SERVER_ADDRESS = server
47 self.LDAP_SERVER_PORT = port
52 self.LDAP_SERVER_PORT = port
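Review bot: `self.TLS_KIND = tls_kind` stores any value and only `'LDAPS'` is tested in this hunk (with `'START_TLS'` tested later), so a typo, a None from the caller or a stale setting is quietly treated as a plaintext connection while the `if self.TLS_KIND != 'PLAIN'` hunk further down still applies TLS certificate options to it. Validating up front, the way `tls_reqcert` is effectively validated by the `ldap.__dict__['OPT_X_TLS_' + tls_reqcert]` lookup — `if tls_kind not in ('PLAIN', 'LDAPS', 'START_TLS'): raise ValueError('unsupported tls_kind: %r' % (tls_kind,))` — fails loudly instead. Two smaller points: `tls_kind = 'PLAIN'` in the signature should be written `tls_kind='PLAIN'` per PEP 8, and the unchanged `port = port or 689`, now inside the `'LDAPS'` branch, uses 689 where the registered LDAPS port is 636. __init__ continues into the next hunk.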
@@ -50,8 +55,6 b' class AuthLdap(object):'
50 self.LDAP_BIND_DN = bind_dn
55 self.LDAP_BIND_DN = bind_dn
51 self.LDAP_BIND_PASS = bind_pass
56 self.LDAP_BIND_PASS = bind_pass
52
57
53 ldap_server_type = 'ldap'
54 if self.LDAP_USE_LDAPS:ldap_server_type = ldap_server_type + 's'
55 self.LDAP_SERVER = "%s://%s:%s" % (ldap_server_type,
58 self.LDAP_SERVER = "%s://%s:%s" % (ldap_server_type,
56 self.LDAP_SERVER_ADDRESS,
59 self.LDAP_SERVER_ADDRESS,
57 self.LDAP_SERVER_PORT)
60 self.LDAP_SERVER_PORT)
@@ -85,7 +88,7 b' class AuthLdap(object):'
85 ldap.set_option(ldap.OPT_TIMEOUT, 20)
88 ldap.set_option(ldap.OPT_TIMEOUT, 20)
86 ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
89 ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
87 ldap.set_option(ldap.OPT_TIMELIMIT, 15)
90 ldap.set_option(ldap.OPT_TIMELIMIT, 15)
88 if self.LDAP_USE_LDAPS:
91 if self.TLS_KIND != 'PLAIN':
89 ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)
92 ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)
90 server = ldap.initialize(self.LDAP_SERVER)
93 server = ldap.initialize(self.LDAP_SERVER)
91 if self.ldap_version == 2:
94 if self.ldap_version == 2:
@@ -93,6 +96,9 b' class AuthLdap(object):'
93 else:
96 else:
94 server.protocol = ldap.VERSION3
97 server.protocol = ldap.VERSION3
95
98
99 if self.TLS_KIND == 'START_TLS':
100 server.start_tls_s()
101
96 if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:
102 if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:
97 server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)
103 server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)
98
104
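Review bot: `server.start_tls_s()` is issued regardless of `self.ldap_version`, yet StartTLS is an LDAPv3 extended operation (RFC 2830), so the combination of `ldap_version == 2` — which the protocol selection just above this hunk still allows — with `'START_TLS'` can only fail at the server; rejecting it in `__init__`, or guarding here with `if self.TLS_KIND == 'START_TLS' and self.ldap_version == 2: raise ValueError('START_TLS requires LDAPv3')`, gives an actionable error. The ordering itself is correct — a failed negotiation raises `ldap.LDAPError` before `simple_bind_s` sends `LDAP_BIND_PASS` — and deserves a one-line comment such as `# negotiate TLS before the bind so credentials never travel in clear` so the bind is not moved ahead of it later. The enclosing method starts before this hunk and its exception handling is not visible here.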
@@ -312,7 +312,7 b' class DbManage(object):'
312
312
313 try:
313 try:
314 for k, v in [('ldap_active', 'false'), ('ldap_host', ''),
314 for k, v in [('ldap_active', 'false'), ('ldap_host', ''),
315 ('ldap_port', '389'), ('ldap_ldaps', 'false'),
315 ('ldap_port', '389'), ('ldap_tls_kind', 'PLAIN'),
316 ('ldap_tls_reqcert', ''), ('ldap_dn_user', ''),
316 ('ldap_tls_reqcert', ''), ('ldap_dn_user', ''),
317 ('ldap_dn_pass', ''), ('ldap_base_dn', ''),
317 ('ldap_dn_pass', ''), ('ldap_base_dn', ''),
318 ('ldap_filter', ''), ('ldap_search_scope', ''),
318 ('ldap_filter', ''), ('ldap_search_scope', ''),
@@ -556,7 +556,7 b' def DefaultPermissionsForm(perms_choices'
556 return _DefaultPermissionsForm
556 return _DefaultPermissionsForm
557
557
558
558
559 def LdapSettingsForm(tls_reqcert_choices, search_scope_choices):
559 def LdapSettingsForm(tls_reqcert_choices, search_scope_choices, tls_kind_choices):
560 class _LdapSettingsForm(formencode.Schema):
560 class _LdapSettingsForm(formencode.Schema):
561 allow_extra_fields = True
561 allow_extra_fields = True
562 filter_extra_fields = True
562 filter_extra_fields = True
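Review bot: `tls_kind_choices` is added as a third required positional parameter of `LdapSettingsForm`, so any caller not updated in this commit raises TypeError at form construction; the controller hunk above is the only call site visible in the diff, and the parameter order (reqcert, scope, kind) is easy to mix up with three look-alike lists. Consider documenting the three parameters in the factory, e.g. `"""Build the LDAP settings schema; each argument is the list of values accepted for the matching OneOf field."""`, or passing them by keyword at the call site. The inner `_LdapSettingsForm` continues in the next hunk.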
@@ -564,7 +564,7 b' def LdapSettingsForm(tls_reqcert_choices'
564 ldap_active = StringBoolean(if_missing=False)
564 ldap_active = StringBoolean(if_missing=False)
565 ldap_host = UnicodeString(strip=True,)
565 ldap_host = UnicodeString(strip=True,)
566 ldap_port = Number(strip=True,)
566 ldap_port = Number(strip=True,)
567 ldap_ldaps = StringBoolean(if_missing=False)
567 ldap_tls_kind = OneOf(tls_kind_choices)
568 ldap_tls_reqcert = OneOf(tls_reqcert_choices)
568 ldap_tls_reqcert = OneOf(tls_reqcert_choices)
569 ldap_dn_user = UnicodeString(strip=True,)
569 ldap_dn_user = UnicodeString(strip=True,)
570 ldap_dn_pass = UnicodeString(strip=True,)
570 ldap_dn_pass = UnicodeString(strip=True,)
@@ -70,7 +70,7 b' class SettingsModel(BaseModel):'
70 ldap_active
70 ldap_active
71 ldap_host
71 ldap_host
72 ldap_port
72 ldap_port
73 ldap_ldaps
73 ldap_tls_kind
74 ldap_tls_reqcert
74 ldap_tls_reqcert
75 ldap_dn_user
75 ldap_dn_user
76 ldap_dn_pass
76 ldap_dn_pass
@@ -47,8 +47,8 b''
47 <div class="input">${h.password('ldap_dn_pass',class_='small')}</div>
47 <div class="input">${h.password('ldap_dn_pass',class_='small')}</div>
48 </div>
48 </div>
49 <div class="field">
49 <div class="field">
50 <div class="label label-checkbox"><label for="ldap_ldaps">${_('Enable LDAPS')}</label></div>
50 <div class="label"><label for="ldap_tls_kind">${_('Connection security')}</label></div>
51 <div class="checkboxes"><div class="checkbox">${h.checkbox('ldap_ldaps',True,class_='small')}</div></div>
51 <div class="select">${h.select('ldap_tls_kind',c.tls_kind_cur,c.tls_kind_choices,class_='small')}</div>
52 </div>
52 </div>
53 <div class="field">
53 <div class="field">
54 <div class="label"><label for="ldap_tls_reqcert">${_('Certificate Checks')}</label></div>
54 <div class="label"><label for="ldap_tls_reqcert">${_('Certificate Checks')}</label></div>