Modify

Opened 9 years ago

Last modified 8 years ago

#133 assigned enhancement

tls / ldaps support for ldap plugin

Reported by: bkw@… Owned by: eblot
Priority: normal Component: LdapPlugin
Severity: normal Keywords:
Cc: Trac Release: 0.10

Description

It would be great to have tls or at least ldaps support for the ldap connection. More and more servers only allow ldaps or tls these days. Python-ldap seem to support both.

Attachments (4)

ldapplugin_tls.patch (1.7 KB) - added by tiziano.mueller@… 8 years ago.
Patch (against revision 1254) of the ldap-plugin to add TLS support.
ldapplugin_tls.2.patch (2.4 KB) - added by tizianomueller 8 years ago.
Improved version. SSL works now too.
ldapplugin_tls.3.patch (3.0 KB) - added by tizianomueller 8 years ago.
This changes the call to TracError to include the 'info' part from the exception. Helps a lot to find the reason of connection failures.
ldapplugin_tls_and_groupmember_fulldn.patch (3.6 KB) - added by tizianomueller 8 years ago.
The new patch.

Download all attachments as: .zip

Change History (10)

comment:1 Changed 9 years ago by eblot

I agree, however I never set up a LDAPS server yet (I use a ssh tunnel).

Need to investigate. If you have some proposal, please let me know.

Changed 8 years ago by tiziano.mueller@…

Patch (against revision 1254) of the ldap-plugin to add TLS support.

Changed 8 years ago by tizianomueller

Improved version. SSL works now too.

comment:2 Changed 8 years ago by tizianomueller

  • Trac Release set to 0.8

In the second patch I've removed the host and port variables and replaced them with the uri. It would probably make sense to add the following as well:

            self._ds.x_tls_demand = True
            self._ds.x_tls_require_cert = True

If you now want to use SSL, set uri = ldaps://<YOURHOST> (if the port is not specified, the standard port will be used). If you want TLS instead, set uri = ldap://<YOURHOST> and start_tls = yes.

comment:3 Changed 8 years ago by eblot

  • Status changed from new to assigned
  • Trac Release changed from 0.8 to 0.10

Not sure why the Trac release has been set to 0.8, but it is very unlikely the plugin may work with such an outdated release of Trac.

Changed 8 years ago by tizianomueller

This changes the call to TracError to include the 'info' part from the exception. Helps a lot to find the reason of connection failures.

comment:4 Changed 8 years ago by anonymous

Ok, there's a bug in the patch. That "self._ds.x_tls..." stuff doesn't work. But it seems that when you use Apache+mod_python+mod_authz_ldap, all LDAP parameters are taken from the Apache configuration. Since I switched to mod_fcgid, I couldn't connect anymore because the client-certificates weren't loaded. This patch might break the whole thing on Apache again, since it sets the certs, etc. to empty values if they are not specified. Conditionally setting them would be the solution.

Changed 8 years ago by tizianomueller

The new patch.

comment:5 Changed 8 years ago by eblot

New version of the LdapPlugin (0.5.0) w/ basic TLS connection: [1426]

The patch has not been merged in the plugin, there are a couple of issues to fix; for example, it is not valid to hardcode a path that is OS-specific (such as '/etc/ssl').

comment:6 Changed 8 years ago by gwarf

It's seems that usually a TLS connection is an LDAP start_tls extented request done one the standard port (389) and using the standard ldap protocol (ldap://).

The ldaps:// protocols seems to be reserved for LDAP over SSL on port 636, whithout TLS and start_tls request and it seems to be deprecated. See http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#1.0 or http://www.openldap.org/faq/data/cache/185.html for some more information.

With the actual state of the extension, it's impossible to connect to a LDAP server requesting a TLS operation and listening only to the standard port/protocol (ie, ldap:// and 389 port and not ldaps:// and 636 port). If you don't want to default to ldap:// protocol when using TLS, if in the trac.ini we could put the host address in the form ldap://hostname or ldaps://hostname it could allow us to easily select what protocol we want.

Add Comment

Modify Ticket

Action
as assigned The owner will remain eblot.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.