no TLS support

Bug #489557 reported by Maciej Kazulak
This bug affects 1 person
Affects Status Importance Assigned to Milestone
repoze.who LDAP plugin
Fix Committed
Gustavo Narea

Bug Description


If i'm correct it is not possible to use TLS connections in the current version.

The make_ldap_connection function uses only the ldap_connection config setting which is supposed to be a RFC4156 compilant URL. But RFC4156 does not even mention TLS. According to python-ldap documentation to enable TLS:

>>> import ldap
>>> con = ldap.initialize('ldap://localhost')
>>> con.set_option(ldap.OPT_X_TLS_DEMAND, 1)

The default in python-ldap seems to be not to use TLS (even if it might be availible). There should probably be a config setting start_tls or so with possible values of at least: never (default for compatibility?), allow, demand. Another cool touch would be server certificate verification.

I might be following with a short patch.

Revision history for this message
Maciej Kazulak (kazulakm) wrote :

Ok, sorry for that. I might have misread the docs.

"By passing an existing LDAPObject, you're free to use the LDAP authentication method you want, the way you want."

Still doesn't that mean i have to configure everything in python code to have TLS? Maybe a config setting should be provided for convienice then... No one uses unencrypted connections in production and for whatever reasons SSL is not always enabled.

Revision history for this message
Gustavo Narea (gnarea) wrote :

This has been fixed in the following branch, which is going to be released this week:

Changed in repoze.who.plugins.ldap:
status: New → Fix Committed
assignee: nobody → Gustavo Narea (gnarea)
importance: Undecided → High
milestone: none → 1.1
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.