ldap: enable check hostname only for python-ldap 3.4+ (#69470)
This commit is contained in:
parent
ffa717479f
commit
66889cb417
|
@ -34,6 +34,8 @@ from passerelle.utils.templates import render_to_string
|
|||
|
||||
from . import forms
|
||||
|
||||
LDAP_HAS_OPT_X_TLS_REQUIRE_SAN = hasattr(ldap, 'OPT_X_TLS_REQUIRE_SAN') # only in python-ldap >= 3.4.0
|
||||
|
||||
SEARCH_OP_SUBSTRING = 'substring'
|
||||
SEARCH_OP_PREFIX = 'prefix'
|
||||
SEARCH_OP_APPROX = 'approx'
|
||||
|
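Review bot: The trailing comment on `LDAP_HAS_OPT_X_TLS_REQUIRE_SAN` attributes the constant to the python-ldap version alone, but as far as I recall python-ldap only exports `OPT_X_TLS_REQUIRE_SAN` when the libldap it was compiled against defines the matching option, so the flag can also be False on a 3.4+ build. The `hasattr` feature test is the right check for that; the comment should state the actual condition so nobody later "simplifies" it into a version compare, e.g. `# exposed by python-ldap >= 3.4.0, and only when built against a libldap that has the option`.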
@ -70,6 +72,9 @@ class Resource(BaseResource):
|
|||
verbose_name=_('TLS check hostname'),
|
||||
default=True,
|
||||
blank=True,
|
||||
help_text=None
|
||||
if LDAP_HAS_OPT_X_TLS_REQUIRE_SAN
|
||||
else _('Warning: this option is actually not supported (python-ldap < 3.4)'),
|
||||
)
|
||||
ldap_tls_check_cert = models.BooleanField(
|
||||
verbose_name=_('TLS check certificate'),
|
||||
|
@ -123,10 +128,11 @@ class Resource(BaseResource):
|
|||
conn = ldap.initialize(self.ldap_url)
|
||||
conn.set_option(ldap.OPT_TIMEOUT, 5)
|
||||
conn.set_option(ldap.OPT_NETWORK_TIMEOUT, 5)
|
||||
if self.ldap_tls_check_hostname:
|
||||
conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_DEMAND)
|
||||
else:
|
||||
conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_NEVER)
|
||||
if LDAP_HAS_OPT_X_TLS_REQUIRE_SAN:
|
||||
if self.ldap_tls_check_hostname:
|
||||
conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_DEMAND)
|
||||
else:
|
||||
conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_NEVER)
|
||||
if self.ldap_tls_check_cert:
|
||||
conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
|
||||
else:
|
||||
|
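Review bot: When `LDAP_HAS_OPT_X_TLS_REQUIRE_SAN` is False the new guard drops a configured `ldap_tls_check_hostname=True` silently at connection time: the resource connects without the requested check and the only trace is the help text on the admin form, which nobody sees in operation. An `elif self.ldap_tls_check_hostname:` branch that records the degraded state (a warning through whatever logger this resource has — none is visible in the hunk) would make the gap visible where it matters, e.g. `elif self.ldap_tls_check_hostname: <logger>.warning('TLS hostname check requested but not supported by this python-ldap build')`. The `ldap_tls_check_cert` handling that follows is unaffected. The enclosing method starts and ends outside the hunk.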
|
|
@ -41,6 +41,7 @@ def app(app, admin_user):
|
|||
|
||||
def test_add(app, db, cert_content, key_content, resource_class):
|
||||
response = app.get('/manage/ldap/add')
|
||||
assert 'this option is actually not supported' in response.text
|
||||
response.form.set('slug', 'resource')
|
||||
response.form.set('title', 'resource')
|
||||
response.form.set('description', 'resource')
|
||||
|
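Review bot: The new line `assert 'this option is actually not supported' in response.text` in `test_add`, and the whole of `test_python_ldap_32` in the next hunk, assume the warning is always rendered, i.e. that `LDAP_HAS_OPT_X_TLS_REQUIRE_SAN` is False in the test environment; on a host whose python-ldap exposes `OPT_X_TLS_REQUIRE_SAN` both tests fail for reasons unrelated to the code under test. Unless a fixture outside the hunk already pins the flag, set it explicitly in each test, e.g. `monkeypatch.setattr(models, 'LDAP_HAS_OPT_X_TLS_REQUIRE_SAN', False)` where `models` is the resource module that defines the flag (its import path is not visible here), and add the mirror case asserting the text is absent when the flag is True.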
@ -101,6 +102,11 @@ def test_missing_tls_cert(app, db, cert_content, key_content, resource_class):
|
|||
response = response.form.submit(status=200)
|
||||
|
||||
|
||||
def test_python_ldap_32(app, db):
|
||||
response = app.get('/manage/ldap/add')
|
||||
assert 'Warning: this option is actually not supported (python-ldap < 3.4)' in response.text
|
||||
|
||||
|
||||
EXPORT_JSON = {
|
||||
'resources': [
|
||||
{
|
||||
|
|
|
@ -68,14 +68,12 @@ def test_server_unavailaible(app, resource):
|
|||
'id_attribute': 'uid',
|
||||
},
|
||||
)
|
||||
assert response.json == {
|
||||
'data': [{'disabled': True, 'id': '', 'text': 'Directory server is unavailable'}],
|
||||
'err': 1,
|
||||
'err_class': 'directory-server-unavailable',
|
||||
'err_desc': '{\'result\': -1, \'desc\': "Can\'t contact LDAP server", '
|
||||
"'errno': 107, 'ctrls': [], 'info': 'Transport endpoint is not "
|
||||
"connected'}",
|
||||
}
|
||||
assert response.json['err'] == 1
|
||||
assert response.json['data'] == [{'disabled': True, 'id': '', 'text': 'Directory server is unavailable'}]
|
||||
assert response.json['err_class'] == 'directory-server-unavailable'
|
||||
assert "'info': 'Transport endpoint is not connected'" in response.json['err_desc']
|
||||
assert "'errno': 107" in response.json['err_desc']
|
||||
assert "'desc': \"Can't contact LDAP server\"" in response.json['err_desc']
|
||||
|
||||
|
||||
def test_q(app, resource, ldap_server):
|
||||
|
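Review bot: The loosened assertions still pin `"'errno': 107"` and `'Transport endpoint is not connected'`, which are the Linux/glibc ENOTCONN values, so the test remains host- and libldap-specific even though the exact-dict comparison was dropped. If portability across environments was the goal, checking `err`, `err_class` and `"Can't contact LDAP server"` would suffice, with the errno detail left out. The enclosing test function starts outside the hunk.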
|