X-Git-Url: https://git.decadent.org.uk/gitweb/?a=blobdiff_plain;f=daklib%2Fdbconn.py;h=a90ad10229d052ad83a6f870de5b3e32bc751db9;hb=99475d30981c1952e61c5390cd243afff7888388;hp=413a0fdd1fcf5fc33a96c969f850bf17d9fdf1d7;hpb=990892400a26f05af8bc0798302b50ed23333764;p=dak.git

diff --git a/daklib/dbconn.py b/daklib/dbconn.py
index 413a0fdd..a90ad102 100644
--- a/daklib/dbconn.py
+++ b/daklib/dbconn.py
@@ -1250,8 +1250,19 @@ class Keyring(object):
 
         LDAPDn = cnf["Import-LDAP-Fingerprints::LDAPDn"]
         LDAPServer = cnf["Import-LDAP-Fingerprints::LDAPServer"]
+        ca_cert_file = cnf.get('Import-LDAP-Fingerprints::CACertFile')
 
         l = ldap.open(LDAPServer)
+
+        if ca_cert_file:
+            # Request a new TLS context. If there was already one, libldap
+            # would not change the TLS options (like which CAs to trust).
+            l.set_option(ldap.OPT_X_TLS_NEWCTX, True)
+            l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_HARD)
+            l.set_option(ldap.OPT_X_TLS_CACERTDIR, None)
+            l.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_file)
+            l.start_tls_s()
+
         l.simple_bind_s("","")
         Attrs = l.search_s(LDAPDn, ldap.SCOPE_ONELEVEL,
                "(&(keyfingerprint=*)(gidnumber=%s))" % (cnf["Import-Users-From-Passwd::ValidGID"]),