diff --git a/mylib/ldap.py b/mylib/ldap.py
index 07ac421..fc8fce8 100644
--- a/mylib/ldap.py
+++ b/mylib/ldap.py
@@ -30,11 +30,13 @@ class LdapServer:
     con = 0
-    def __init__(self, uri, dn=None, pwd=None, v2=None, raiseOnError=False, logger=False):
+    def __init__(self, uri, dn=None, pwd=None, v2=None,
+                 raiseOnError=False, logger=False, checkCert=True):
         self.uri = uri
         self.dn = dn
         self.pwd = pwd
         self.raiseOnError = raiseOnError
+        self.checkCert = checkCert
         if v2:
             self.v2 = True
         if logger:
@@ -51,6 +53,8 @@ class LdapServer:
         """ Start connection to LDAP server """
         if self.con == 0:
             try:
+                if not self.checkCert:
+                    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
                 con = ldap.initialize(self.uri)
                 if self.v2:
                     con.protocol_version = ldap.VERSION2  # pylint: disable=no-member
@@ -385,7 +389,8 @@ class LdapClient:
         # Load configuration option types only here to avoid global
         # dependency of ldap module with config one.
-        from mylib.config import StringOption, PasswordOption  # pylint: disable=import-outside-toplevel
+        # pylint: disable=import-outside-toplevel
+        from mylib.config import BooleanOption, StringOption, PasswordOption
 
         section = self._config.add_section(
             self._config_section,
@@ -401,6 +406,9 @@ class LdapClient:
             PasswordOption, 'bindpwd',
             comment='LDAP Bind password (set to "keyring" to use XDG keyring)',
             username_option='binddn', keyring_value='keyring')
+        section.add_option(
+            BooleanOption, 'checkcert', default=True,
+            comment='Check LDAP certificate')
 
         return section
 
@@ -413,7 +421,7 @@ class LdapClient:
         log.info("Connect to LDAP server %s as %s", uri, binddn if binddn else 'annonymous')
         self._conn = LdapServer(
             uri, dn=binddn, pwd=self._get_option('bindpwd'),
-            raiseOnError=True
+            checkCert=self._get_option('checkcert'), raiseOnError=True
         )
         # Reset cache
         self._cached_objects = {}
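Review bot: The new checkCert parameter on LdapServer.__init__ is undocumented, and since __init__ has no docstring a reader cannot tell from the signature what a False value does or how far it reaches. A docstring (or a comment on the `self.checkCert = checkCert` line) should state that it controls verification of the LDAP server's TLS certificate, defaults to True, and that a False value is applied when the connection is established, not at construction time. The body of __init__ continues past the end of this hunk.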
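Review bot: `ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)` in the second hunk sets a module-level (process-wide) option, so one LdapServer created with checkCert=False disables certificate verification for every connection initialized afterwards in the same process, including instances that keep the default checkCert=True, and nothing ever restores it. The per-connection form avoids that: move the check after `con = ldap.initialize(self.uri)` and use `con.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)` followed by `con.set_option(ldap.OPT_X_TLS_NEWCTX, 0)`, so the relaxed setting is applied to a fresh TLS context of that connection only. It is also worth emitting a warning-level log line when verification is disabled, so the weakened state is visible in operational logs rather than silent. The enclosing method's `def` line is outside this hunk.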
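Review bot: The help text `comment='Check LDAP certificate'` for the new 'checkcert' option in the fourth hunk does not say what is being checked or what turning it off means, which matters for an option that weakens transport security. A more explicit wording such as `comment='Verify the LDAP server TLS certificate (disabling this is only suitable for test environments)'` tells an operator reading the generated configuration the consequence of setting it to false.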