diff --git a/passerelle/apps/ldap/models.py b/passerelle/apps/ldap/models.py index 82631703..28fef1d7 100644 --- a/passerelle/apps/ldap/models.py +++ b/passerelle/apps/ldap/models.py @@ -34,6 +34,8 @@ from passerelle.utils.templates import render_to_string from . import forms +LDAP_HAS_OPT_X_TLS_REQUIRE_SAN = hasattr(ldap, 'OPT_X_TLS_REQUIRE_SAN') # only in python-ldap >= 3.4.0 + SEARCH_OP_SUBSTRING = 'substring' SEARCH_OP_PREFIX = 'prefix' SEARCH_OP_APPROX = 'approx' @@ -70,6 +72,9 @@ class Resource(BaseResource): verbose_name=_('TLS check hostname'), default=True, blank=True, + help_text=None + if LDAP_HAS_OPT_X_TLS_REQUIRE_SAN + else _('Warning: this option is actually not supported (python-ldap < 3.4)'), ) ldap_tls_check_cert = models.BooleanField( verbose_name=_('TLS check certificate'), @@ -123,10 +128,11 @@ class Resource(BaseResource): conn = ldap.initialize(self.ldap_url) conn.set_option(ldap.OPT_TIMEOUT, 5) conn.set_option(ldap.OPT_NETWORK_TIMEOUT, 5) - if self.ldap_tls_check_hostname: - conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_DEMAND) - else: - conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_NEVER) + if LDAP_HAS_OPT_X_TLS_REQUIRE_SAN: + if self.ldap_tls_check_hostname: + conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_DEMAND) + else: + conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_NEVER) if self.ldap_tls_check_cert: conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND) else: diff --git a/tests/ldap/test_manager.py b/tests/ldap/test_manager.py index 7a8aa950..48dfc4ae 100644 --- a/tests/ldap/test_manager.py +++ b/tests/ldap/test_manager.py @@ -41,6 +41,7 @@ def app(app, admin_user): def test_add(app, db, cert_content, key_content, resource_class): response = app.get('/manage/ldap/add') + assert 'this option is actually not supported' in response.text response.form.set('slug', 'resource') response.form.set('title', 'resource') response.form.set('description', 'resource') 
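Review bot: The comment on `LDAP_HAS_OPT_X_TLS_REQUIRE_SAN` ties the attribute to python-ldap >= 3.4.0 alone, but presumably the export also depends on the libldap the module was built against, since python-ldap only exposes options the underlying headers define. A reader debugging a False value on a recent python-ldap would benefit from that caveat: `# exported by python-ldap >= 3.4.0, and only when the linked libldap provides LDAP_OPT_X_TLS_REQUIRE_SAN`. Verify the build condition against python-ldap's sources before committing to the wording.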
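Review bot: `help_text=None` departs from Django's `Field` default of `''`; a template that renders `{{ field.help_text }}` without an `{% if %}` guard would print the literal string "None" next to the checkbox, so the safe form is `help_text='' if LDAP_HAS_OPT_X_TLS_REQUIRE_SAN else _('Warning: this option is actually not supported (python-ldap < 3.4)'),`. The warning text itself reads "actually" where "currently" or simply "not supported" is meant, and it does not say what is lost; something like "Warning: with python-ldap < 3.4 this option cannot be enforced" would tell the administrator what the checkbox does on this install. Note that test_add and test_python_ldap_32 in tests/ldap/test_manager.py assert on the current string, so a wording change has to be carried there too.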
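Review bot: With the new outer `if LDAP_HAS_OPT_X_TLS_REQUIRE_SAN:`, a resource that has `ldap_tls_check_hostname` enabled connects on python-ldap < 3.4 without the SAN requirement being set, and nothing on this code path records that the requested protection was not applied; the help_text added to the field only reaches an administrator editing the form, not a resource created earlier or through import. Whether libldap's REQUIRE_CERT=demand still performs a hostname match on such a build is not something the hunk establishes, so the degradation should at least be visible in the code: `# python-ldap < 3.4 cannot express the SAN requirement; the 'TLS check hostname' setting is not enforced on this build`. If BaseResource exposes a logger (not visible here), a warning when `self.ldap_tls_check_hostname` is set and the option is unavailable would make the gap observable in operations. The enclosing method starts before this hunk.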
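Review bot: The added `assert 'this option is actually not supported' in response.text` in test_add only holds when the interpreter's python-ldap lacks OPT_X_TLS_REQUIRE_SAN, which the tox pin guarantees but a python-ldap >= 3.4 install does not, so test_add becomes environment-dependent; the same applies to test_python_ldap_32 in the following hunk. Guard both on the flag the code under test already computes, e.g. `from passerelle.apps.ldap.models import LDAP_HAS_OPT_X_TLS_REQUIRE_SAN` and `@pytest.mark.skipif(LDAP_HAS_OPT_X_TLS_REQUIRE_SAN, reason='python-ldap >= 3.4 supports OPT_X_TLS_REQUIRE_SAN')` on test_python_ldap_32, and drop the version-specific line from test_add, which otherwise exercises the add form independently of the library version.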
@@ -101,6 +102,11 @@ def test_missing_tls_cert(app, db, cert_content, key_content, resource_class): response = response.form.submit(status=200) +def test_python_ldap_32(app, db): + response = app.get('/manage/ldap/add') + assert 'Warning: this option is actually not supported (python-ldap < 3.4)' in response.text + + EXPORT_JSON = { 'resources': [ { diff --git a/tests/ldap/test_search_endpoint.py b/tests/ldap/test_search_endpoint.py index 2f8dbd4c..36f22f31 100644 --- a/tests/ldap/test_search_endpoint.py +++ b/tests/ldap/test_search_endpoint.py @@ -68,14 +68,12 @@ def test_server_unavailaible(app, resource): 'id_attribute': 'uid', }, ) - assert response.json == { - 'data': [{'disabled': True, 'id': '', 'text': 'Directory server is unavailable'}], - 'err': 1, - 'err_class': 'directory-server-unavailable', - 'err_desc': '{\'result\': -1, \'desc\': "Can\'t contact LDAP server", ' - "'errno': 107, 'ctrls': [], 'info': 'Transport endpoint is not " - "connected'}", - } + assert response.json['err'] == 1 + assert response.json['data'] == [{'disabled': True, 'id': '', 'text': 'Directory server is unavailable'}] + assert response.json['err_class'] == 'directory-server-unavailable' + assert "'info': 'Transport endpoint is not connected'" in response.json['err_desc'] + assert "'errno': 107" in response.json['err_desc'] + assert "'desc': \"Can't contact LDAP server\"" in response.json['err_desc'] def test_q(app, resource, ldap_server): diff --git a/tox.ini b/tox.ini index 5f4645f8..dc77d43c 100644 --- a/tox.ini +++ b/tox.ini @@ -47,6 +47,7 @@ deps = zeep<3.3 codestyle: pre-commit ldaptools + python-ldap<=3.2 # align with Debian <= 11 (buster, bullseye) commands = ./get_wcs.sh py.test {posargs: --numprocesses {env:NUMPROCESSES:1} --dist loadfile {env:FAST:} {env:COVERAGE:} {env:JUNIT:} tests/}
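Review bot: Pinning `python-ldap<=3.2` means the tox environment never exercises the `if LDAP_HAS_OPT_X_TLS_REQUIRE_SAN:` branch added in passerelle/apps/ldap/models.py, so the code path that actually sets OPT_X_TLS_REQUIRE_SAN has no CI coverage after this change. A second environment or factor with an unpinned python-ldap would run both branches; the comment `# align with Debian <= 11 (buster, bullseye)` could then also say that this env is the "no SAN option" case.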