From 81ab2a927229365202670424f6b9bf55836da528 Mon Sep 17 00:00:00 2001 From: Ansgar Burchardt Date: Mon, 18 May 2015 20:48:40 +0200 Subject: [PATCH] Re-enable TLS for LDAP CACERTFILE now must point to a CA, using service certificates directly doesn't work. Also use per-connection settings for TLS. Note that the order of set_option calls matters (setting ldap.OPT_X_TLS_NEWCTX first fails)... --- config/debian-security/dak.conf | 2 +- config/debian/dak.conf | 2 +- daklib/dbconn.py | 12 +++--------- 3 files changed, 5 insertions(+), 11 deletions(-) diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf index 42aa1e47..901f9ac5 100644 --- a/config/debian-security/dak.conf +++ b/config/debian-security/dak.conf @@ -56,7 +56,7 @@ Import-LDAP-Fingerprints { LDAPDn "ou=users,dc=debian,dc=org"; LDAPServer "db.debian.org"; - // CACertFile "/etc/ssl/certs/db.debian.org.pem"; + CACertFile "/etc/ssl/ca-debian/ca-certificates.crt"; ExtraKeyrings { "/srv/keyring.debian.org/keyrings/removed-keys.pgp"; diff --git a/config/debian/dak.conf b/config/debian/dak.conf index 8a189373..cf0ef40d 100644 --- a/config/debian/dak.conf +++ b/config/debian/dak.conf @@ -99,7 +99,7 @@ Import-LDAP-Fingerprints { LDAPDn "ou=users,dc=debian,dc=org"; LDAPServer "db.debian.org"; - // CACertFile "/etc/ssl/certs/db.debian.org.pem"; + CACertFile "/etc/ssl/ca-debian/ca-certificates.crt"; ExtraKeyrings { "/srv/keyring.debian.org/keyrings/removed-keys.pgp"; diff --git a/daklib/dbconn.py b/daklib/dbconn.py index 3fab31bc..432ddf8a 100644 --- a/daklib/dbconn.py +++ b/daklib/dbconn.py @@ -1232,15 +1232,9 @@ class Keyring(object): l = ldap.open(LDAPServer) if ca_cert_file: - # TODO: This should request a new context and use - # connection-specific options (i.e. "l.set_option(...)") - - # Request a new TLS context. If there was already one, libldap - # would not change the TLS options (like which CAs to trust). - #l.set_option(ldap.OPT_X_TLS_NEWCTX, True) - ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_HARD) - #ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, None) - ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_file) + l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_HARD) + l.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_file) + l.set_option(ldap.OPT_X_TLS_NEWCTX, True) l.start_tls_s() l.simple_bind_s("","") -- 2.39.5