Merge pull request #73 from metbosch/master

Improve TLS connections support

src/node/ext/ldap/base.py

@@ -103,6 +103,9 @@ def __init__(self, props=None):
         self._start_tls = props.start_tls
         self._ignore_cert = props.ignore_cert
         self._tls_cacert_file = props.tls_cacertfile
+        self._tls_cacert_dir = props.tls_cacertdir
+        self._tls_clcert_file = props.tls_clcertfile
+        self._tls_clkey_file = props.tls_clkeyfile
         self._retry_max = props.retry_max
         self._retry_delay = props.retry_delay
         # backward compatibility:
@@ -118,6 +121,13 @@ def bind(self):
             ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
         elif self._tls_cacert_file:  # pragma: no cover
             ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self._tls_cacert_file)
+        elif self._tls_cacert_dir:  # pragma: no cover
+            ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, self._tls_cacert_dir)
+        if self._tls_clcert_file and self._tls_clkey_file:  # pragma: no cover
+            ldap.set_option(ldap.OPT_X_TLS_CERTFILE, self._tls_clcert_file)
+            ldap.set_option(ldap.OPT_X_TLS_KEYFILE, self._tls_clkey_file)
+        elif self._tls_clcert_file or self._tls_clkey_file:  # pragma: no cover
+            logger.exception("Only client certificate or key have been provided.")
         self._con = ldap.ldapobject.ReconnectLDAPObject(
             self._uri,
             bytes_mode=False,

src/node/ext/ldap/interfaces.py

@@ -39,14 +39,11 @@ class ILDAPProps(Interface):
 
     tls_cacertfile = Attribute('Name of CA Cert file')
 
-    # XXX
-    # tls_cacertdir = Attribute('Path to CA Cert directory')
+    tls_cacertdir = Attribute('Path to CA Cert directory')
 
-    # XXX
-    # tls_clcertfile = Attribute('Name of CL Cert file')
+    tls_clcertfile = Attribute('Name of client Cert file')
 
-    # XXX
-    # tls_clkeyfile = Attribute('Path to CL key file')
+    tls_clkeyfile = Attribute('Path to client key file')
 
     retry_max = Attribute('Retry count')
 

src/node/ext/ldap/properties.py

@@ -48,9 +48,9 @@ def __init__(
         start_tls=0,
         ignore_cert=0,
         tls_cacertfile=None,
-        # tls_cacertdir=None,
-        # tls_clcertfile=None,
-        # tls_clkeyfile=None,
+        tls_cacertdir=None,
+        tls_clcertfile=None,
+        tls_clkeyfile=None,
         retry_max=1,
         retry_delay=10.0,
         multivalued_attributes=MULTIVALUED_DEFAULTS,
@@ -89,9 +89,11 @@ def __init__(
             needed if the CA is not in the default CA keyring (i.e. with
             self-signed certificates). Under Windows its possible that
             python-ldap lib does recognize the system keyring.
-        :param tls_cacertdir: Not yet
-        :param tls_clcertfile: Not yet
-        :param tls_clkeyfile: Not yet
+        :param tls_cacertdir: Provide a directory with CA Certificates.
+        :param tls_clcertfile: Provide a specific client certificate file to be
+            used for client authentication. Requires tls_clkeyfile to be set.
+        :param tls_clkeyfile: Provide a specific client key file to be used for
+            client authentication. Requires tls_clcertfile to be set.
         :param retry_max: Maximum count of reconnect trials. Value has to be >= 1
         :param retry_delay: Time span to wait between two reconnect trials.
         :param multivalued_attributes: Set of attributes names considered as
@@ -120,9 +122,9 @@ def __init__(
         self.start_tls = start_tls
         self.ignore_cert = ignore_cert
         self.tls_cacertfile = tls_cacertfile
-        # self.tls_cacertdir = tls_cacertdir
-        # self.tls_clcertfile = tls_clcertfile
-        # self.tls_clkeyfile = tls_clkeyfile
+        self.tls_cacertdir = tls_cacertdir
+        self.tls_clcertfile = tls_clcertfile
+        self.tls_clkeyfile = tls_clkeyfile
         self.retry_max = retry_max
         self.retry_delay = retry_delay
         self.multivalued_attributes = multivalued_attributes

src/node/ext/ldap/session.py

@@ -68,6 +68,15 @@ def authenticate(self, dn, pw):
         # Let's bypass connector/communicator until they are sorted out
         if self._props.ignore_cert:  # pragma: no cover
             ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
+        elif self._props.tls_cacertfile:  # pragma: no cover
+            ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self._props.tls_cacertfile)
+        elif self._props.tls_cacertdir:  # pragma: no cover
+            ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, self._props.tls_cacertdir)
+        if self._props.tls_clcertfile and self._props.tls_clkeyfile:  # pragma: no cover
+            ldap.set_option(ldap.OPT_X_TLS_CERTFILE, self._props.tls_clcertfile)
+            ldap.set_option(ldap.OPT_X_TLS_KEYFILE, self._props.tls_clkeyfile)
+        elif self._props.tls_clcertfile or self._props.tls_clkeyfile:  # pragma: no cover
+            logger.exception("Only client certificate or key have been provided.")
         con = ldap.initialize(
             self._props.uri,
             bytes_mode=False,
@@ -77,6 +86,8 @@ def authenticate(self, dn, pw):
         # Directory More info: https://www.python-ldap.org/faq.html#usage
         con.set_option(ldap.OPT_REFERRALS, 0)
         try:
+            if self._props.start_tls:
+                con.start_tls_s()
             con.simple_bind_s(dn, pw)
         except (ldap.INVALID_CREDENTIALS, ldap.UNWILLING_TO_PERFORM):
             # The UNWILLING_TO_PERFORM event might be thrown, if you query a

src/node/ext/ldap/tests/test_properties.py

@@ -47,6 +47,9 @@ def test_LDAPProps(self):
         self.assertEqual(props.start_tls, 0)
         self.assertEqual(props.ignore_cert, 0)
         self.assertEqual(props.tls_cacertfile, None)
+        self.assertEqual(props.tls_cacertdir, None)
+        self.assertEqual(props.tls_clcertfile, None)
+        self.assertEqual(props.tls_clkeyfile, None)
         self.assertEqual(props.retry_max, 1)
         self.assertEqual(props.retry_delay, 10.)
         self.assertEqual(props.multivalued_attributes, MULTIVALUED_DEFAULTS)