ldap: add parameter to disable SSL certificate check

2022-06-01 18:46:08 +02:00 · 2022-06-01 18:46:08 +02:00 · 025fd12dc4
commit 025fd12dc4
parent e8de509346
1 changed files with 11 additions and 3 deletions
--- a/mylib/ldap.py
+++ b/mylib/ldap.py
@ -30,11 +30,13 @@ class LdapServer:

    con = 0

-    def __init__(self, uri, dn=None, pwd=None, v2=None, raiseOnError=False, logger=False):
+    def __init__(self, uri, dn=None, pwd=None, v2=None,
+                 raiseOnError=False, logger=False, checkCert=True):
        self.uri = uri
        self.dn = dn
        self.pwd = pwd
        self.raiseOnError = raiseOnError
+        self.checkCert = checkCert
        if v2:
            self.v2 = True
        if logger:
@ -51,6 +53,8 @@ class LdapServer:
        """ Start connection to LDAP server """
        if self.con == 0:
            try:
+                if not self.checkCert:
+                    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
                con = ldap.initialize(self.uri)
                if self.v2:
                    con.protocol_version = ldap.VERSION2  # pylint: disable=no-member
@ -385,7 +389,8 @@ class LdapClient:

        # Load configuration option types only here to avoid global
        # dependency of ldap module with config one.
-        from mylib.config import StringOption, PasswordOption  # pylint: disable=import-outside-toplevel
+        # pylint: disable=import-outside-toplevel
+        from mylib.config import BooleanOption, StringOption, PasswordOption

        section = self._config.add_section(
            self._config_section,
@ -401,6 +406,9 @@ class LdapClient:
            PasswordOption, 'bindpwd',
            comment='LDAP Bind password (set to "keyring" to use XDG keyring)',
            username_option='binddn', keyring_value='keyring')
+        section.add_option(
+            BooleanOption, 'checkcert', default=True,
+            comment='Check LDAP certificate')

        return section

@ -413,7 +421,7 @@ class LdapClient:
        log.info("Connect to LDAP server %s as %s", uri, binddn if binddn else 'annonymous')
        self._conn = LdapServer(
            uri, dn=binddn, pwd=self._get_option('bindpwd'),
-            raiseOnError=True
+            checkCert=self._get_option('checkcert'), raiseOnError=True
        )
        # Reset cache
        self._cached_objects = {}