Python ldap.OPT_X_TLS_DEMAND Examples
Example #1
Source File: ldap_backend.py From st2-auth-backend-ldap with Apache License 2.0
def _ldap_connect(self):
    """Build an LDAP connection object ready for the bind phase.

    Returns the initialised ``ldap`` connection, or ``False`` when an
    ``ldap.LDAPError`` is raised while setting it up (the error is only
    logged at debug level).
    """
    uri = self._ldap_uri
    try:
        conn = ldap.initialize(uri)
        conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
        conn.set_option(ldap.OPT_REFERRALS, int(self._chase_referrals))
        # Both TLS branches below set *process-wide* defaults through
        # ldap.set_option, not options on this connection. OPT_X_TLS_NEVER
        # switches server-certificate verification off entirely: a
        # self-signed certificate is accepted, but so is any certificate
        # presented by an interposed host.
        if uri.startswith('ldaps://'):
            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
        if self._use_tls:
            # Demand TLS, then upgrade the plain connection with STARTTLS.
            ldap.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
            conn.start_tls_s()
            LOG.debug('Connection now using TLS')
    except ldap.LDAPError as e:
        LOG.debug('(_ldap_connect) LDAP Error: %s : Type %s' % (str(e), type(e)))
        return False
    return conn
Example #2
Source File: test_ldap_backend.py From st2-auth-backend-ldap with Apache License 2.0
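def test_ldap_connect_ldap_start_tls(self, mock_set_option):
    """STARTTLS path: the backend must upgrade the connection and set the
    global TLS options before binding.

    ``mock_set_option`` patches ``ldap.set_option``. The expected calls pin
    the backend's current behaviour of demanding TLS while disabling
    server-certificate verification (``OPT_X_TLS_NEVER``); if the backend is
    changed to verify certificates, this expectation must change with it.
    """
    # Pre-bind so the ``finally`` below cannot raise UnboundLocalError (and
    # mask the real failure) when the mock-directory lookup itself fails.
    ldapobj = None
    try:
        ldapobj = self.mockldap['ldap://testserver.domain.tld']
        result = _do_simple_bind('cn=manager,dc=example,dc=com', 'ldaptest',
                                 uri='ldap://testserver.domain.tld',
                                 use_tls=True)
        # assertEquals is a deprecated alias that Python 3.12 removed.
        self.assertEqual(
            ldapobj.methods_called(),
            self.connect_methods + ['start_tls_s', 'simple_bind_s', 'whoami_s', 'unbind'])
        mock_set_option.assert_has_calls([
            mock.call(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND),
            mock.call(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER),
        ])
        self.assertTrue(result)
    finally:
        del ldapobj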
Example #3
Source File: __init__.py From OctoPrint-LDAP with GNU Affero General Public License v3.0
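def get_ldap_client(self, user=None, password=None):
    """Return an LDAP client, bound as ``user`` when one is available.

    :param user: bind DN / account; when falsy, falls back to the plugin's
        ``auth_user`` setting (and ``auth_password`` for the password).
    :param password: password for ``user``; only used when ``user`` is given.
    :return: the bound client (or an unbound one when no user is configured),
        or ``None`` when the URI is unset or the connection/bind fails.
    """
    settings = self.plugin_settings()
    uri = settings.get(["uri"])
    if not uri:
        self._logger.debug("No LDAP URI")
        return None
    if not user:
        user = settings.get(["auth_user"])
        password = settings.get(["auth_password"])
    try:
        self._logger.debug("Initializing LDAP connection to %s" % uri)
        client = ldap.initialize(uri)
        if settings.get(["request_tls_cert"]):
            self._logger.debug("Requesting TLS certificate")
            # Verify the server certificate against the trust store.
            # NOTE(review): python-ldap documents connection-level TLS
            # options as taking effect only after
            # set_option(ldap.OPT_X_TLS_NEWCTX, 0); confirm the setting is
            # actually honoured on this client.
            client.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        else:
            # Default: OPT_X_TLS_NEVER skips certificate verification, so
            # whatever certificate the peer presents is accepted.
            client.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
        if user is not None:
            self._logger.debug("Binding to LDAP as %s" % user)
            client.bind_s(user, password)
        return client
    except ldap.INVALID_CREDENTIALS:
        self._logger.error("Invalid credentials to bind to LDAP as %s" % user)
    except ldap.LDAPError as e:
        # ``LDAPError.message`` exists only on Python 2; on Python 3 the
        # error details live in ``e.args[0]`` (python-ldap passes a dict).
        detail = getattr(e, "message", None)
        if detail is None:
            detail = e.args[0] if e.args else str(e)
        # default=str keeps the error handler itself from raising when the
        # payload holds a non-JSON value.
        self._logger.error(json.dumps(detail, default=str))
    return None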
Example #4
Source File: config.py From ssh-ldap-pubkey with MIT License
def parse_tls_reqcert_opt(value):
    """Convert `tls_reqcert` option to ldap's `OPT_X_TLS_*` constant.

    :param value: the ``tls_reqcert`` setting as written in the config,
        matched case-insensitively; a falsy value yields ``None``.
    :return: the matching ``ldap.OPT_X_TLS_*`` constant, or ``None``.
    :raises KeyError: if *value* is not one of the recognised names.
    """
    if not value:
        return None
    # ``never`` and ``allow`` relax or disable server-certificate
    # verification; ``demand``/``hard`` are the verifying settings.
    reqcert_levels = {
        'never': ldap.OPT_X_TLS_NEVER,
        'allow': ldap.OPT_X_TLS_ALLOW,
        'try': ldap.OPT_X_TLS_TRY,
        'demand': ldap.OPT_X_TLS_DEMAND,
        'hard': ldap.OPT_X_TLS_HARD,
    }
    return reqcert_levels[value.lower()]
Example #5
Source File: user.py From PowerDNS-Admin with MIT License
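def ldap_init_conn(self):
    """Create and configure an unbound LDAP connection from the stored settings.

    Returns:
        The initialised ``ldap`` connection; no bind is performed here.
    """
    # Process-wide default: OPT_X_TLS_NEVER turns server-certificate
    # verification off for every connection created afterwards (self-signed
    # certificates work, but so does any interposed server).
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
    conn = ldap.initialize(Setting().get('ldap_uri'))
    conn.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
    conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
    # The original also called set_option(ldap.OPT_X_TLS_DEMAND, True).
    # OPT_X_TLS_DEMAND is a *value* for the two TLS options above, not an
    # option key, so that call targeted whichever option shares its numeric
    # value (LDAP_OPT_DEREF in libldap's ldap.h — verify against the
    # installed headers) and never affected TLS; dropped.
    # Debug level 255 dumps the whole protocol exchange, bind credentials
    # included, to stderr — keep it for troubleshooting only.
    conn.set_option(ldap.OPT_DEBUG_LEVEL, 255)
    # Single protocol-version setting (the original set it twice).
    conn.protocol_version = ldap.VERSION3
    return conn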
Example #6
Source File: __init__.py From ssh-ldap-pubkey with MIT License
def connect(self):
    """Connect to the LDAP server.

    This method must be called before any other methods of this object.

    Sets process-wide python-ldap options (certificate policy, CA directory,
    referral chasing) from ``self.conf`` *before* creating the connection,
    then applies per-connection timeouts, optionally upgrades with STARTTLS
    and binds.

    Raises:
        ConfigError: If Base DN or LDAP URI is missing in the config.
        LDAPConnectionError: If can't connect to the LDAP server.
        ldap.LDAPError: Any other python-ldap error (e.g. a failed STARTTLS
            or bind) propagates unchanged.
    """
    conf = self.conf
    if not conf.uris or not conf.base:
        raise ConfigError('Base DN and LDAP URI(s) must be provided.', 1)
    if conf.tls_require_cert:
        # Anything other than DEMAND/HARD relaxes or disables
        # server-certificate verification; warn but honour the setting.
        if conf.tls_require_cert not in [ldap.OPT_X_TLS_DEMAND, ldap.OPT_X_TLS_HARD]:
            print(BAD_REQCERT_WARNING, file=sys.stderr)
        # this is a global option! (applies to every connection created in
        # this process from now on, not just self._conn)
        ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, conf.tls_require_cert)
    if conf.cacert_dir:
        # this is a global option!
        ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, conf.cacert_dir)
    if not conf.referrals:
        # this is a global option!
        ldap.set_option(ldap.OPT_REFERRALS, 0)
    # NOTE: The uri argument is passed directly to the underlying openldap
    # library that allows multiple URIs separated by a space for failover.
    self._conn = conn = ldap.initialize(' '.join(conf.uris))
    try:
        conn.protocol_version = conf.ldap_version
        conn.network_timeout = conf.bind_timeout
        conn.timeout = conf.search_timeout
        if conf.sasl == 'GSSAPI':
            # Early return: the STARTTLS and simple-bind steps below are
            # skipped on the GSSAPI path.
            self._bind_sasl_gssapi()
            return
        # STARTTLS is an LDAPv3 extended operation, hence the version check.
        if conf.ssl == 'start_tls' and conf.ldap_version >= 3:
            conn.start_tls_s()
        if conf.bind_dn and conf.bind_pass:
            self._bind(conf.bind_dn, conf.bind_pass)
    except ldap.SERVER_DOWN:
        raise LDAPConnectionError('Can\'t contact LDAP server.', 3)
Example #7
Source File: backendLdap.py From ldapcherry with MIT License
def _connect(self):
    """Initialize an ldap client

    Builds a client for ``self.uri`` and applies the referral, timeout, TLS
    and certificate-checking settings held on the instance, then optionally
    issues STARTTLS.

    Raises:
        CaFileDontExist: if ``self.ca`` is set, ``checkcert`` is ``'on'``
            and the file is not present.
    """
    ldap_client = ldap.initialize(self.uri)
    # The ``ldap.set_option`` calls in this method change process-wide
    # defaults, not just this client.
    ldap.set_option(ldap.OPT_REFERRALS, 0)
    ldap.set_option(ldap.OPT_TIMEOUT, self.timeout)
    # NOTE(review): OPT_X_TLS_DEMAND is a *value* for OPT_X_TLS /
    # OPT_X_TLS_REQUIRE_CERT, not an option key. Passed as the option it
    # selects whichever option shares its numeric value, so these two calls
    # most likely do not touch TLS at all; the STARTTLS decision is made by
    # the start_tls_s() call at the bottom. Verify against ldap.h.
    if self.starttls == 'on':
        ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)
    else:
        ldap.set_option(ldap.OPT_X_TLS_DEMAND, False)
    # set the CA file if declared and if necessary
    if self.ca and self.checkcert == 'on':
        # check if the CA file actually exists
        if os.path.isfile(self.ca):
            ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca)
        else:
            raise CaFileDontExist(self.ca)
    if self.checkcert == 'off':
        # this is dark magic
        # remove any of these two lines and it doesn't work
        # (OPT_X_TLS_NEVER = no server-certificate verification at all,
        # set both globally and on this client)
        ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
        ldap_client.set_option(
            ldap.OPT_X_TLS_REQUIRE_CERT,
            ldap.OPT_X_TLS_NEVER
        )
    else:
        # this is even darker magic
        # DEMAND on the client handle: verification required for this one.
        ldap_client.set_option(
            ldap.OPT_X_TLS_REQUIRE_CERT,
            ldap.OPT_X_TLS_DEMAND
        )
        # it doesn't make sense to set it to never
        # (== don't check certificate)
        # but it only works with this option...
        # ... and it checks the certificate
        # (I've lost my sanity over this)
        # NOTE(review): the global NEVER below is inherited by any *other*
        # connection created in this process afterwards; confirm nothing
        # else relies on the global default.
        ldap.set_option(
            ldap.OPT_X_TLS_REQUIRE_CERT,
            ldap.OPT_X_TLS_NEVER
        )
    if self.starttls == 'on':
        try:
            ldap_client.start_tls_s()
        except Exception as e:
            # NOTE(review): if _exception_handler returns instead of
            # raising, the client is handed back without TLS after a failed
            # STARTTLS — confirm the handler always raises.
            self._exception_handler(e)
    return ldap_client
Example #8
Source File: __init__.py From flask-simpleldap with MIT License
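def init_app(app):
    """Initialize the `app` for use with this :class:`~LDAP`.

    This is called automatically if `app` is passed to
    :meth:`~LDAP.__init__`.

    :param flask.Flask app: the application to configure for use with
        this :class:`~LDAP`
    :raises LDAPException: if ``LDAP_USERNAME``, ``LDAP_PASSWORD`` or
        ``LDAP_BASE_DN`` is still ``None`` once defaults have been applied.
    """
    app.config.setdefault('LDAP_HOST', 'localhost')
    app.config.setdefault('LDAP_PORT', 389)
    app.config.setdefault('LDAP_SCHEMA', 'ldap')
    app.config.setdefault('LDAP_USERNAME', None)
    app.config.setdefault('LDAP_PASSWORD', None)
    app.config.setdefault('LDAP_TIMEOUT', 10)
    app.config.setdefault('LDAP_USE_SSL', False)
    app.config.setdefault('LDAP_USE_TLS', False)
    app.config.setdefault('LDAP_REQUIRE_CERT', False)
    app.config.setdefault('LDAP_CERT_PATH', '/path/to/cert')
    app.config.setdefault('LDAP_BASE_DN', None)
    app.config.setdefault('LDAP_OBJECTS_DN', 'distinguishedName')
    app.config.setdefault('LDAP_USER_FIELDS', [])
    app.config.setdefault('LDAP_USER_OBJECT_FILTER',
                          '(&(objectclass=Person)(userPrincipalName=%s))')
    app.config.setdefault('LDAP_USER_GROUPS_FIELD', 'memberOf')
    app.config.setdefault('LDAP_GROUP_FIELDS', [])
    app.config.setdefault('LDAP_GROUP_OBJECT_FILTER',
                          '(&(objectclass=Group)(userPrincipalName=%s))')
    app.config.setdefault('LDAP_GROUP_MEMBERS_FIELD', 'member')
    app.config.setdefault('LDAP_LOGIN_VIEW', 'login')
    app.config.setdefault('LDAP_REALM_NAME', 'LDAP authentication')
    app.config.setdefault('LDAP_OPENLDAP', False)
    app.config.setdefault('LDAP_GROUP_MEMBER_FILTER', '*')
    app.config.setdefault('LDAP_GROUP_MEMBER_FILTER_FIELD', '*')
    app.config.setdefault('LDAP_CUSTOM_OPTIONS', None)

    if app.config['LDAP_USE_SSL'] or app.config['LDAP_USE_TLS']:
        # Process-wide default. With LDAP_REQUIRE_CERT left at False the
        # server certificate is not verified at all (OPT_X_TLS_NEVER).
        ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)

    if app.config['LDAP_REQUIRE_CERT']:
        ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        # Read the CA path from the app being configured rather than
        # flask.current_app: init_app commonly runs outside any app
        # context, where current_app raises RuntimeError.
        ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, app.config['LDAP_CERT_PATH'])

    for option in ['USERNAME', 'PASSWORD', 'BASE_DN']:
        if app.config['LDAP_{0}'.format(option)] is None:
            raise LDAPException('LDAP_{0} cannot be None!'.format(option))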