From 99475d30981c1952e61c5390cd243afff7888388 Mon Sep 17 00:00:00 2001
From: Ansgar Burchardt <ansgar@debian.org>
Date: Sun, 21 Jul 2013 21:59:45 +0200
Subject: [PATCH] Add option to specify CAs to trust for LDAP connection over
 TLS

An explicit option makes us not rely on ldap.conf to be setup correctly
for dak's use of LDAP.
---
 config/debian-security/dak.conf |  1 +
 config/debian/dak.conf          |  1 +
 daklib/dbconn.py                | 11 +++++++++++
 3 files changed, 13 insertions(+)

diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf
index f6459d5c..b1f8c4b8 100644
--- a/config/debian-security/dak.conf
+++ b/config/debian-security/dak.conf
@@ -56,6 +56,7 @@ Import-LDAP-Fingerprints
 {
   LDAPDn "ou=users,dc=debian,dc=org";
   LDAPServer "db.debian.org";
+  CACertFile "/etc/ssl/certs/spi-cacert-2008.pem";
   ExtraKeyrings
   {
     "/srv/keyring.debian.org/keyrings/removed-keys.pgp";
diff --git a/config/debian/dak.conf b/config/debian/dak.conf
index c06cd674..2954c595 100644
--- a/config/debian/dak.conf
+++ b/config/debian/dak.conf
@@ -97,6 +97,7 @@ Import-LDAP-Fingerprints
 {
   LDAPDn "ou=users,dc=debian,dc=org";
   LDAPServer "db.debian.org";
+  CACertFile "/etc/ssl/certs/spi-cacert-2008.pem";
   ExtraKeyrings
   {
     "/srv/keyring.debian.org/keyrings/removed-keys.pgp";
diff --git a/daklib/dbconn.py b/daklib/dbconn.py
index 413a0fdd..a90ad102 100644
--- a/daklib/dbconn.py
+++ b/daklib/dbconn.py
@@ -1250,8 +1250,19 @@ class Keyring(object):
 
         LDAPDn = cnf["Import-LDAP-Fingerprints::LDAPDn"]
         LDAPServer = cnf["Import-LDAP-Fingerprints::LDAPServer"]
+        ca_cert_file = cnf.get('Import-LDAP-Fingerprints::CACertFile')
 
         l = ldap.open(LDAPServer)
+
+        if ca_cert_file:
+            # Request a new TLS context. If there was already one, libldap
+            # would not change the TLS options (like which CAs to trust).
+            l.set_option(ldap.OPT_X_TLS_NEWCTX, True)
+            l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_HARD)
+            l.set_option(ldap.OPT_X_TLS_CACERTDIR, None)
+            l.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_file)
+            l.start_tls_s()
+
         l.simple_bind_s("","")
         Attrs = l.search_s(LDAPDn, ldap.SCOPE_ONELEVEL,
                "(&(keyfingerprint=*)(gidnumber=%s))" % (cnf["Import-Users-From-Passwd::ValidGID"]),
-- 
2.39.2