Opened 11 years ago

Closed 3 months ago

#133 closed enhancement (duplicate)

tls / ldaps support for ldap plugin

Reported by: bkw@… Owned by: Emmanuel Blot
Priority: normal Component: LdapPlugin
Severity: normal Keywords:
Cc: Trac Release: 0.10

Description

It would be great to have TLS or at least LDAPS support for the LDAP connection. More and more servers only allow LDAPS or TLS these days. Python-ldap seems to support both.

Attachments (5)

ldapplugin_tls.patch (1.7 KB) - added by Tiziano Müller 11 years ago.
Patch (against revision 1254) of the ldap-plugin to add TLS support.
ldapplugin_tls.2.patch (2.4 KB) - added by Tiziano Müller 11 years ago.
Improved version. SSL works now too.
ldapplugin_tls.3.patch (3.0 KB) - added by Tiziano Müller 11 years ago.
This changes the call to TracError to include the 'info' part from the exception. Helps a lot to find the reason of connection failures.
ldapplugin_tls_and_groupmember_fulldn.patch (3.6 KB) - added by Tiziano Müller 11 years ago.
The new patch.
ldapplugin_start_tls.patch (1.9 KB) - added by Joachim Mairböck 3 months ago.
This adds back support for the start_tls extension. The new option is called use_start_tls to be consistent with the existing use_tls option.

Change History (13)

comment:1 Changed 11 years ago by Emmanuel Blot

I agree, however I have never set up an LDAPS server yet (I use an ssh tunnel).

Need to investigate. If you have some proposal, please let me know.

Changed 11 years ago by Tiziano Müller

Attachment: ldapplugin_tls.patch added

Patch (against revision 1254) of the ldap-plugin to add TLS support.

Changed 11 years ago by Tiziano Müller

Attachment: ldapplugin_tls.2.patch added

Improved version. SSL works now too.

comment:2 Changed 11 years ago by Tiziano Müller

Trac Release: 0.8

In the second patch I've removed the host and port variables and replaced them with the uri. It would probably make sense to add the following as well:

            self._ds.x_tls_demand = True
            self._ds.x_tls_require_cert = True

If you now want to use SSL, set uri = ldaps://<YOURHOST> (if the port is not specified, the standard port will be used). If you want TLS instead, set uri = ldap://<YOURHOST> and start_tls = yes.

comment:3 Changed 11 years ago by Emmanuel Blot

Status: new → assigned
Trac Release: 0.8 → 0.10

Not sure why the Trac release has been set to 0.8, but it is very unlikely the plugin may work with such an outdated release of Trac.

Changed 11 years ago by Tiziano Müller

Attachment: ldapplugin_tls.3.patch added

This changes the call to TracError to include the 'info' part from the exception. Helps a lot to find the reason of connection failures.

comment:4 Changed 11 years ago by anonymous

Ok, there's a bug in the patch. That "self._ds.x_tls..." stuff doesn't work. But it seems that when you use Apache+mod_python+mod_authz_ldap, all LDAP parameters are taken from the Apache configuration. Since I switched to mod_fcgid, I couldn't connect anymore because the client-certificates weren't loaded. This patch might break the whole thing on Apache again, since it sets the certs, etc. to empty values if they are not specified. Conditionally setting them would be the solution.

Changed 11 years ago by Tiziano Müller

The new patch.

comment:5 Changed 10 years ago by Emmanuel Blot

New version of the LdapPlugin (0.5.0) w/ basic TLS connection: [1426]

The patch has not been merged in the plugin, there are a couple of issues to fix; for example, it is not valid to hardcode a path that is OS-specific (such as '/etc/ssl').

comment:6 Changed 10 years ago by Baptiste Grenier

It seems that usually a TLS connection is an LDAP start_tls extended request done on the standard port (389) and using the standard ldap protocol (ldap://).

The ldaps:// protocol seems to be reserved for LDAP over SSL on port 636, without TLS and the start_tls request, and it seems to be deprecated. See http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#1.0 or http://www.openldap.org/faq/data/cache/185.html for some more information.

With the actual state of the extension, it's impossible to connect to an LDAP server requesting a TLS operation and listening only on the standard port/protocol (i.e., ldap:// and port 389, not ldaps:// and port 636). If you don't want to default to the ldap:// protocol when using TLS, then if in trac.ini we could put the host address in the form ldap://hostname or ldaps://hostname, it would allow us to easily select what protocol we want.
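The two modes described in comment:2 and comment:6 (ldaps:// on port 636 versus ldap:// on port 389 upgraded with StartTLS), as an added example of how they map onto python-ldap calls. This is not the plugin's code or any of the attached patches; the function names, the policy of rejecting ldaps:// combined with start_tls, and the choice to set TLS options only when a CA file is supplied are assumptions for illustration.

```python
# Added example (not the LdapPlugin's code): the connection modes discussed in
# the ticket, expressed as a small policy function plus a python-ldap connector.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def plan_connection(uri, use_start_tls=False):
    """Decide how a URI plus the start_tls switch should be connected.

    ldaps:// is LDAP over TLS on 636 with no StartTLS exchange; ldap:// with
    use_start_tls upgrades a plain connection on 389. Mixing the two is a
    configuration error rather than something to repair silently.
    """
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("uri must look like ldap://host[:port] or ldaps://host[:port]")
    if parts.scheme == "ldaps" and use_start_tls:
        raise ValueError("start_tls only applies to ldap://; ldaps:// is already TLS")
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "start_tls": bool(use_start_tls),
        "encrypted": parts.scheme == "ldaps" or bool(use_start_tls),
    }


def connect(uri, use_start_tls=False, cacertfile=None):
    """Open the connection with python-ldap and require a valid server cert.

    TLS options are only set when the caller supplies them (cacertfile), so an
    environment that already configures them (e.g. via ldap.conf or the web
    server, as comment:4 describes) is left alone; no OS-specific path such as
    /etc/ssl is hardcoded (comment:5).
    """
    import ldap  # python-ldap; imported here so plan_connection is testable without it

    plan = plan_connection(uri, use_start_tls)
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    if plan["encrypted"]:
        conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        if cacertfile:
            conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile)
        conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # apply TLS options to this handle
    if plan["start_tls"]:
        conn.start_tls_s()  # upgrade the ldap:// connection before any bind
    return conn
```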

Changed 3 months ago by Joachim Mairböck

Attachment: ldapplugin_start_tls.patch added

This adds back support for the start_tls extension. The new option is called use_start_tls to be consistent with the existing use_tls option.

comment:7 Changed 3 months ago by Joachim Mairböck

I have just seen that #3142 proposes roughly the same changes as my patch, and it seems that their implementation is better than mine. I have not tested it, however.

It seems that this ticket could be closed, maybe even as a duplicate in favor of #3142.

comment:8 Changed 3 months ago by Ryan J Ollos

Resolution: duplicate
Status: assigned → closed

Closing as a duplicate of #3142.
