kallithea Changeset - d0f6bd6190c8

Changeset - d0f6bd6190c8

Parent rev.

Child rev.

[Not reviewed]

default

0 3 0

Mads Kiilerich - 9 years ago 2016-07-28 16:34:49
madski@unity3d.com

auth: change default LDAP to LDAPS on port 636 - insecure authentication is kind of pointless

This will only change the default value for new systems. Existing installations
will keep using whatever value they have in the database.

3 files changed with 5 insertions and 5 deletions:

docs/setup.rst

kallithea/bin/ldap_sync.conf

kallithea/lib/auth_modules/auth_ldap.py

0 comments (0 inline, 0 general)

docs/setup.rst

➞

Show inline comments

@@ @@ -154,25 +154,25 @@ available via PyPI, so you can install i @@
           least the ``openldap`` and ``sasl`` libraries.
 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
 and then *Save*, to enable the LDAP plugin and configure its settings.
 Here's a typical LDAP setup::
  Connection settings
  Enable LDAP          = checked
  Host                 = host.example.com
  Account              = <account>
  Password             = <password>
- Connection Security  = LDAPS connection
  Connection Security  = LDAPS
  Certificate Checks   = DEMAND
  Search settings
  Base DN              = CN=users,DC=host,DC=example,DC=org
  LDAP Filter          = (&(objectClass=user)(!(objectClass=computer)))
  LDAP Search Scope    = SUBTREE
  Attribute mappings
  Login Attribute      = uid
  First Name Attribute = firstName
  Last Name Attribute  = lastName
  Email Attribute      = mail
@@ @@ -448,25 +448,25 @@ could set the request headers however yo @@
       RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e
       RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e
       RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e
       RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e
     </Location>
 .. code-block:: python
     from mod_python import apache
     import ldap
-    LDAP_SERVER = "ldap://server.mydomain.com:389"
+    LDAP_SERVER = "ldaps://server.mydomain.com:636"
     LDAP_USER = ""
     LDAP_PASS = ""
     LDAP_ROOT = "dc=mydomain,dc=com"
     LDAP_FILTER = "sAMAccountName=%s"
     LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail']
     def fixuphandler(req):
         if req.user is None:
             # no user to search for
             return apache.OK
         else:
             try:

kallithea/bin/ldap_sync.conf

➞

Show inline comments

 [default]
 api_url = http://kallithea.example.com/_admin/api
 api_user = admin
 api_key = XXXXXXXXXXXX
-ldap_uri = ldap://ldap.example.com:389
+ldap_uri = ldaps://ldap.example.com:636
 ldap_user = cn=kallithea,dc=example,dc=com
 ldap_key = XXXXXXXXX
 base_dn = dc=example,dc=com
 sync_users = True

kallithea/lib/auth_modules/auth_ldap.py

➞

Show inline comments

@@ @@ -41,25 +41,25 @@ log = logging.getLogger(__name__) @@
 try:
     import ldap
     import ldap.filter
 except ImportError:
     # means that python-ldap is not installed
     ldap = None
 class AuthLdap(object):
     def __init__(self, server, base_dn, port=None, bind_dn='', bind_pass='',
-                 tls_kind='PLAIN', tls_reqcert='DEMAND', cacertdir=None, ldap_version=3,
+                 tls_kind='LDAPS', tls_reqcert='DEMAND', cacertdir=None, ldap_version=3,
                  ldap_filter='(&(objectClass=user)(!(objectClass=computer)))',
                  search_scope='SUBTREE', attr_login='uid'):
         if ldap is None:
             raise LdapImportError
         self.ldap_version = ldap_version
         self.TLS_KIND = tls_kind
         OPT_X_TLS_DEMAND = 2
         self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert,
                                    OPT_X_TLS_DEMAND)
         self.cacertdir = cacertdir
@@ @@ -206,25 +206,25 @@ class KallitheaAuthPlugin(auth_modules.K @@
                 "name": "dn_pass",
                 "validator": self.validators.UnicodeString(strip=True),
                 "type": "password",
                 "description": "Password to connect to LDAP",
                 "formname": "Password"
             },
+            {
                 "name": "tls_kind",
                 "validator": self.validators.OneOf(self._tls_kind_values),
                 "type": "select",
                 "values": self._tls_kind_values,
                 "description": "TLS Type",
-                "default": 'PLAIN',
+                "default": 'LDAPS',
                 "formname": "Connection Security"
             },
+            {
                 "name": "tls_reqcert",
                 "validator": self.validators.OneOf(self._tls_reqcert_values),
                 "type": "select",
                 "values": self._tls_reqcert_values,
                 "description": "Require Cert over TLS?",
                 "formname": "Certificate Checks"
             },
+            {
                 "name": "cacertdir",

0 comments (0 inline, 0 general)