From 99475d30981c1952e61c5390cd243afff7888388 Mon Sep 17 00:00:00 2001
From: Ansgar Burchardt
Date: Sun, 21 Jul 2013 21:59:45 +0200
Subject: [PATCH] Add option to specify CAs to trust for LDAP connection over TLS

An explicit option makes us not rely on ldap.conf to be setup correctly for dak's use of LDAP.
---
 config/debian-security/dak.conf | 1 +
 config/debian/dak.conf | 1 +
 daklib/dbconn.py | 11 +++++++++++
 3 files changed, 13 insertions(+)

diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf
index f6459d5c..b1f8c4b8 100644
--- a/config/debian-security/dak.conf
+++ b/config/debian-security/dak.conf
@@ -56,6 +56,7 @@ Import-LDAP-Fingerprints
 {
 LDAPDn "ou=users,dc=debian,dc=org";
 LDAPServer "db.debian.org";
+ CACertFile "/etc/ssl/certs/spi-cacert-2008.pem";
 ExtraKeyrings
 {
 "/srv/keyring.debian.org/keyrings/removed-keys.pgp";
diff --git a/config/debian/dak.conf b/config/debian/dak.conf
index c06cd674..2954c595 100644
--- a/config/debian/dak.conf
+++ b/config/debian/dak.conf
@@ -97,6 +97,7 @@ Import-LDAP-Fingerprints
 {
 LDAPDn "ou=users,dc=debian,dc=org";
 LDAPServer "db.debian.org";
+ CACertFile "/etc/ssl/certs/spi-cacert-2008.pem";
 ExtraKeyrings
 {
 "/srv/keyring.debian.org/keyrings/removed-keys.pgp";
diff --git a/daklib/dbconn.py b/daklib/dbconn.py
index 413a0fdd..a90ad102 100644
--- a/daklib/dbconn.py
+++ b/daklib/dbconn.py
@@ -1250,8 +1250,19 @@ class Keyring(object): LDAPDn = cnf["Import-LDAP-Fingerprints::LDAPDn"] LDAPServer = cnf["Import-LDAP-Fingerprints::LDAPServer"] + ca_cert_file = cnf.get('Import-LDAP-Fingerprints::CACertFile') l = ldap.open(LDAPServer) + + if ca_cert_file: + # Request a new TLS context. If there was already one, libldap + # would not change the TLS options (like which CAs to trust). + l.set_option(ldap.OPT_X_TLS_NEWCTX, True) + l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_HARD) + l.set_option(ldap.OPT_X_TLS_CACERTDIR, None) + l.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_file) + l.start_tls_s() + l.simple_bind_s("","") Attrs = l.search_s(LDAPDn, ldap.SCOPE_ONELEVEL, "(&(keyfingerprint=*)(gidnumber=%s))" % (cnf["Import-Users-From-Passwd::ValidGID"]), -- 2.39.5
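Review bot: The `l.set_option(ldap.OPT_X_TLS_NEWCTX, True)` call is the first line of the new `if ca_cert_file:` block, but libldap builds the fresh TLS context from the option values in effect at the moment NEWCTX is set, so the REQUIRE_CERT, CACERTDIR and CACERTFILE values set on the following three lines are stored on the handle without reaching the context that `start_tls_s()` will use, and the connection keeps trusting whatever ldap.conf configured — the very dependency the commit message wants to remove (this is the documented python-ldap ordering gotcha; confirm against ldap_set_option(3) for the libldap version dak runs on). Set the options first and request the context last: keep the three `set_option` lines as they are, then add `l.set_option(ldap.OPT_X_TLS_NEWCTX, True)` immediately before `l.start_tls_s()`, and reword the comment to `# Build a new TLS context from the options set above; libldap ignores TLS options changed after a context exists.` Separately, when CACertFile is absent or misspelled in dak.conf the hunk never calls `start_tls_s()` at all, so `l.simple_bind_s("","")` and the fingerprint search go out in clear LDAP with no certificate check; consider calling `l.start_tls_s()` unconditionally (falling back to the ldap.conf CAs when no file is configured) or failing loudly rather than silently downgrading. The enclosing Keyring method begins and ends outside this hunk.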