# HG changeset patch # User "Lorenzo M. Catucci" # Date 1303838226 -7200 # Node ID 74685a31cc43600646843697dfa8bb2094eb1ea5 # Parent f56533aa1caad7685fa5f8e311c4f5132f168e88 Enable start_tls connection encryption. diff -r f56533aa1caa -r 74685a31cc43 rhodecode/controllers/admin/ldap_settings.py --- a/rhodecode/controllers/admin/ldap_settings.py Tue Apr 26 14:03:00 2011 +0200 +++ b/rhodecode/controllers/admin/ldap_settings.py Tue Apr 26 19:17:06 2011 +0200 @@ -59,6 +59,13 @@ ] tls_reqcert_default = 'DEMAND' + tls_kind_choices = [('PLAIN', _('No encryption'),), + ('LDAPS', _('LDAPS connection'),), + ('START_TLS', _('START_TLS on LDAP connection'),) + ] + + tls_kind_default = 'PLAIN' + @LoginRequired() @HasPermissionAllDecorator('hg.admin') def __before__(self): @@ -66,12 +73,14 @@ c.admin_username = session.get('admin_username') c.search_scope_choices = self.search_scope_choices c.tls_reqcert_choices = self.tls_reqcert_choices + c.tls_kind_choices = self.tls_kind_choices super(LdapSettingsController, self).__before__() def index(self): defaults = SettingsModel().get_ldap_settings() c.search_scope_cur = defaults.get('ldap_search_scope') c.tls_reqcert_cur = defaults.get('ldap_tls_reqcert') + c.tls_kind_cur = defaults.get('ldap_tls_kind') return htmlfill.render( render('admin/ldap/ldap.html'), @@ -84,7 +93,8 @@ settings_model = SettingsModel() _form = LdapSettingsForm([x[0] for x in self.tls_reqcert_choices], - [x[0] for x in self.search_scope_choices])() + [x[0] for x in self.search_scope_choices], + [x[0] for x in self.tls_kind_choices])() try: form_result = _form.to_python(dict(request.POST)) diff -r f56533aa1caa -r 74685a31cc43 rhodecode/lib/auth.py --- a/rhodecode/lib/auth.py Tue Apr 26 14:03:00 2011 +0200 +++ b/rhodecode/lib/auth.py Tue Apr 26 19:17:06 2011 +0200 
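Review bot: The `tls_kind_choices` list in the first ldap_settings.py hunk labels the default as plain `_('No encryption')`, but under that setting the bind DN password and every user's login password cross the network in clear text, which the admin picking the option should see in the select box itself. A more explicit label such as `('PLAIN', _('No encryption (passwords sent in clear text)'),)` makes the trade-off visible where the choice is made. `tls_kind_default = 'PLAIN'` is also added but nothing in the visible hunks reads it (`index()` uses `defaults.get('ldap_tls_kind')` with no fallback), so either use it there or drop it, as appears to be the case with the pre-existing `tls_reqcert_default` too. The `LdapSettingsController` class body starts and ends outside these hunks.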
@@ -190,7 +190,7 @@ 'port': ldap_settings.get('ldap_port'), 'bind_dn': ldap_settings.get('ldap_dn_user'), 'bind_pass': ldap_settings.get('ldap_dn_pass'), - 'use_ldaps': str2bool(ldap_settings.get('ldap_ldaps')), + 'tls_kind': ldap_settings.get('ldap_tls_kind'), 'tls_reqcert': ldap_settings.get('ldap_tls_reqcert'), 'ldap_filter': ldap_settings.get('ldap_filter'), 'search_scope': ldap_settings.get('ldap_search_scope'), diff -r f56533aa1caa -r 74685a31cc43 rhodecode/lib/auth_ldap.py --- a/rhodecode/lib/auth_ldap.py Tue Apr 26 14:03:00 2011 +0200 +++ b/rhodecode/lib/auth_ldap.py Tue Apr 26 19:17:06 2011 +0200 @@ -34,14 +34,19 @@ class AuthLdap(object): def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='', - use_ldaps=False, tls_reqcert='DEMAND', ldap_version=3, + tls_kind = 'PLAIN', tls_reqcert='DEMAND', ldap_version=3, ldap_filter='(&(objectClass=user)(!(objectClass=computer)))', search_scope='SUBTREE', attr_login='uid'): self.ldap_version = ldap_version - if use_ldaps: + ldap_server_type = 'ldap' + + self.TLS_KIND = tls_kind + + if self.TLS_KIND == 'LDAPS': port = port or 689 - self.LDAP_USE_LDAPS = use_ldaps + ldap_server_type = ldap_server_type + 's' + self.TLS_REQCERT = ldap.__dict__['OPT_X_TLS_' + tls_reqcert] self.LDAP_SERVER_ADDRESS = server self.LDAP_SERVER_PORT = port @@ -50,8 +55,6 @@ self.LDAP_BIND_DN = bind_dn self.LDAP_BIND_PASS = bind_pass - ldap_server_type = 'ldap' - if self.LDAP_USE_LDAPS:ldap_server_type = ldap_server_type + 's' self.LDAP_SERVER = "%s://%s:%s" % (ldap_server_type, self.LDAP_SERVER_ADDRESS, self.LDAP_SERVER_PORT) @@ -85,7 +88,7 @@ ldap.set_option(ldap.OPT_TIMEOUT, 20) ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10) ldap.set_option(ldap.OPT_TIMELIMIT, 15) - if self.LDAP_USE_LDAPS: + if self.TLS_KIND != 'PLAIN': ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT) server = ldap.initialize(self.LDAP_SERVER) if self.ldap_version == 2: 
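Review bot: Replacing `use_ldaps` with `'tls_kind': ldap_settings.get('ldap_tls_kind')` leaves an upgraded installation with no value: the db_manage hunk in this changeset only seeds `ldap_tls_kind` for fresh databases, and no migration of the old `ldap_ldaps` row is visible, so `get()` presumably returns `None` there. In `AuthLdap` a `None` kind is neither `'LDAPS'` nor `'PLAIN'`, so the URL is built as `ldap://` on whatever port was stored and the bind request goes out over an unencrypted socket, a silent downgrade for sites that had LDAPS on. A one-line fallback keeps the old setting honoured until a migration exists: `'tls_kind': ldap_settings.get('ldap_tls_kind') or ('LDAPS' if str2bool(ldap_settings.get('ldap_ldaps')) else 'PLAIN'),`. The dict literal and its enclosing function start and end outside the hunk.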
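Review bot: The LDAPS default port in `if self.TLS_KIND == 'LDAPS': port = port or 689` in the `__init__` hunk is wrong; the assigned port for ldaps is 636, so a configuration that leaves the port blank connects to the wrong port (the line predates this change, but the new branch is now the only place the LDAPS port is chosen). The new `tls_kind` value is compared only against `'LDAPS'` here and `'PLAIN'` later, so any other value, including `None` from a settings row that was never migrated, silently yields a plain `ldap://` URL; validating it up front fails closed: `if tls_kind not in ('PLAIN', 'LDAPS', 'START_TLS'): raise ValueError('unknown tls_kind %r' % (tls_kind,))`. Minor style: `tls_kind = 'PLAIN'` in the signature should be `tls_kind='PLAIN'` like the neighbouring defaults. `__init__` continues past the hunk.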
@@ -93,6 +96,9 @@ else: server.protocol = ldap.VERSION3 + if self.TLS_KIND == 'START_TLS': + server.start_tls_s() + if self.LDAP_BIND_DN and self.LDAP_BIND_PASS: server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS) diff -r f56533aa1caa -r 74685a31cc43 rhodecode/lib/db_manage.py --- a/rhodecode/lib/db_manage.py Tue Apr 26 14:03:00 2011 +0200 +++ b/rhodecode/lib/db_manage.py Tue Apr 26 19:17:06 2011 +0200 @@ -312,7 +312,7 @@ try: for k, v in [('ldap_active', 'false'), ('ldap_host', ''), - ('ldap_port', '389'), ('ldap_ldaps', 'false'), + ('ldap_port', '389'), ('ldap_tls_kind', 'PLAIN'), ('ldap_tls_reqcert', ''), ('ldap_dn_user', ''), ('ldap_dn_pass', ''), ('ldap_base_dn', ''), ('ldap_filter', ''), ('ldap_search_scope', ''), diff -r f56533aa1caa -r 74685a31cc43 rhodecode/model/forms.py --- a/rhodecode/model/forms.py Tue Apr 26 14:03:00 2011 +0200 +++ b/rhodecode/model/forms.py Tue Apr 26 19:17:06 2011 +0200 @@ -556,7 +556,7 @@ return _DefaultPermissionsForm -def LdapSettingsForm(tls_reqcert_choices, search_scope_choices): +def LdapSettingsForm(tls_reqcert_choices, search_scope_choices, tls_kind_choices): class _LdapSettingsForm(formencode.Schema): allow_extra_fields = True filter_extra_fields = True @@ -564,7 +564,7 @@ ldap_active = StringBoolean(if_missing=False) ldap_host = UnicodeString(strip=True,) ldap_port = Number(strip=True,) - ldap_ldaps = StringBoolean(if_missing=False) + ldap_tls_kind = OneOf(tls_kind_choices) ldap_tls_reqcert = OneOf(tls_reqcert_choices) ldap_dn_user = UnicodeString(strip=True,) ldap_dn_pass = UnicodeString(strip=True,) diff -r f56533aa1caa -r 74685a31cc43 rhodecode/model/settings.py --- a/rhodecode/model/settings.py Tue Apr 26 14:03:00 2011 +0200 +++ b/rhodecode/model/settings.py Tue Apr 26 19:17:06 2011 +0200 @@ -70,7 +70,7 @@ ldap_active ldap_host ldap_port - ldap_ldaps + ldap_tls_kind ldap_tls_reqcert ldap_dn_user ldap_dn_pass diff -r f56533aa1caa -r 74685a31cc43 rhodecode/templates/admin/ldap/ldap.html 
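Review bot: `server.start_tls_s()` is placed correctly before `simple_bind_s`, so the bind password is never sent before the channel is encrypted, but nothing in the hunk records why the order matters, and StartTLS is an LDAPv3 extended operation, so the call will fail against a connection set up by the `ldap_version == 2` branch whose `else:` is this hunk's first context line. Add `# StartTLS (RFC 2830) is an LDAPv3 extended op; it must precede the bind so credentials never travel in clear` above the call, and consider rejecting `START_TLS` together with `ldap_version == 2` in `__init__` rather than at connect time. A failed `start_tls_s()` raises an `ldap.LDAPError`; the enclosing method presumably handles that outside the hunk, and it is worth confirming the failure is reported as a TLS/configuration error rather than as a bad login.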
--- a/rhodecode/templates/admin/ldap/ldap.html Tue Apr 26 14:03:00 2011 +0200 +++ b/rhodecode/templates/admin/ldap/ldap.html Tue Apr 26 19:17:06 2011 +0200 @@ -47,8 +47,8 @@
${h.password('ldap_dn_pass',class_='small')}
-
-
${h.checkbox('ldap_ldaps',True,class_='small')}
+
+
${h.select('ldap_tls_kind',c.tls_kind_cur,c.tls_kind_choices,class_='small')}