Re-enable TLS for LDAP

CACERTFILE now must point to a CA, using service certificates directly
doesn't work.

Also use per-connection settings for TLS. Note that the order of
set_option calls matters (setting ldap.OPT_X_TLS_NEWCTX first
fails)...

diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf
index 42aa1e478d36967b0395dbdd54ae3721d8db566b..901f9ac54cb833ec248637c59e5ab7739d177f96 100644 (file)
--- a/config/debian-security/dak.conf
+++ b/config/debian-security/dak.conf
@@ -56,7 +56,7 @@ Import-LDAP-Fingerprints
 {
   LDAPDn "ou=users,dc=debian,dc=org";
   LDAPServer "db.debian.org";
-  // CACertFile "/etc/ssl/certs/db.debian.org.pem";
+  CACertFile "/etc/ssl/ca-debian/ca-certificates.crt";
   ExtraKeyrings
   {
     "/srv/keyring.debian.org/keyrings/removed-keys.pgp";

diff --git a/config/debian/dak.conf b/config/debian/dak.conf
index 8a189373662cc2f4271e4223be8d66ecac58b8d4..cf0ef40d8eda4f51b7c5dc75014730b6a2cc74ca 100644 (file)
--- a/config/debian/dak.conf
+++ b/config/debian/dak.conf
@@ -99,7 +99,7 @@ Import-LDAP-Fingerprints
 {
   LDAPDn "ou=users,dc=debian,dc=org";
   LDAPServer "db.debian.org";
-  // CACertFile "/etc/ssl/certs/db.debian.org.pem";
+  CACertFile "/etc/ssl/ca-debian/ca-certificates.crt";
   ExtraKeyrings
   {
     "/srv/keyring.debian.org/keyrings/removed-keys.pgp";

diff --git a/daklib/dbconn.py b/daklib/dbconn.py
index 3fab31bc2204c966f7f80edd47ef44b0ec0cc37e..432ddf8a0cad7c84cf08cb78d467544b4c415845 100644 (file)
--- a/daklib/dbconn.py
+++ b/daklib/dbconn.py
@@ -1232,15 +1232,9 @@ class Keyring(object):
         l = ldap.open(LDAPServer)
 
         if ca_cert_file:
-            # TODO: This should request a new context and use
-            # connection-specific options (i.e. "l.set_option(...)")
-
-            # Request a new TLS context. If there was already one, libldap
-            # would not change the TLS options (like which CAs to trust).
-            #l.set_option(ldap.OPT_X_TLS_NEWCTX, True)
-            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_HARD)
-            #ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, None)
-            ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_file)
+            l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_HARD)
+            l.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_file)
+            l.set_option(ldap.OPT_X_TLS_NEWCTX, True)
             l.start_tls_s()
 
         l.simple_bind_s("","")