Changeset 1968

Timestamp:

12/02/04 23:01:58 (20 years ago)

Author:

jalet

Message:

TLS is now supported with the LDAP backend

Location:

pykota/trunk

Files:

• conf/pykota.conf.sample (modified) (2 diffs)
• NEWS (modified) (1 diff)
• pykota/config.py (modified) (2 diffs)
• pykota/storages/ldapstorage.py (modified) (2 diffs)

pykota/trunk/conf/pykota.conf.sample

@@ -81 +81 @@
 #storageuser: cn=notadmin,dc=librelogiciel,dc=com
 #storageuserpw: abc.123
+#
+# TLS support for LDAP
+#
+# ldaptls can be set to either Yes or No
+# the default value when not set is No, meaning that TLS won't be used.
+#ldaptls: No
+#
+# cacert points to the CA Certificate file to use for TLS.
+# Ensure that every user who can launch PyKota commands can read this file.
+# There's NO default value for this directive.
+#cacert /etc/pykota/mycertfile
+#
 #
 # Here we define some helpers to know where 
@@ -92 +104 @@
 #printerbase: ou=Printers,ou=PyKota,dc=librelogiciel,dc=com
 #printerrdn: cn
-#jobbase: ou=Jobs,ou=PyKota,dc=librelogiciel,dc=com
 #userquotabase: ou=UQuotas,ou=PyKota,dc=librelogiciel,dc=com
 #groupquotabase: ou=GQuotas,ou=PyKota,dc=librelogiciel,dc=com
+#jobbase: ou=Jobs,ou=PyKota,dc=librelogiciel,dc=com
 #lastjobbase: ou=LastJobs,ou=PyKota,dc=librelogiciel,dc=com
 #

pykota/trunk/NEWS

@@ -24 +24 @@
     - 1.21alpha11 :
     
+        - TLS is now supported with the LDAP backend. Thanks to Stefan
+          Wold for the patch.
+          
         - edpkota now accepts the -U | --used value command line argument
           to preset the page counters to an initial value. Thanks to

pykota/trunk/pykota/config.py

@@ -22 +22 @@
 #
 # $Log$
+# Revision 1.58  2004/12/02 22:01:58  jalet
+# TLS is now supported with the LDAP backend
+#
 # Revision 1.57  2004/11/22 21:53:38  jalet
 # Added the reject_unknown directive to pykota.conf to reject user/group
@@ -337 +340 @@
             if ldapinfo[field].lower().startswith('attach(') :
                 ldapinfo[field] = ldapinfo[field][7:-1]
+                
+        # should we use TLS, by default (if unset) value is NO        
+        ldapinfo["ldaptls"] = self.isTrue(self.getGlobalOption("ldaptls", ignore=1))
+        ldapinfo["cacert"] = self.getGlobalOption("cacert", ignore=1)
+        if ldapinfo["cacert"] :
+            ldapinfo["cacert"] = ldapinfo["cacert"].strip()
+        if ldapinfo["ldaptls"] :    
+            if not os.access(ldapinfo["cacert"] or "", os.R_OK) :
+                raise PyKotaConfigError, _("Option ldaptls is set, but certificate %s is not readable.") % str(ldapinfo["cacert"])
         return ldapinfo
         

pykota/trunk/pykota/storages/ldapstorage.py

@@ -22 +22 @@
 #
 # $Log$
+# Revision 1.88  2004/12/02 22:01:58  jalet
+# TLS is now supported with the LDAP backend
+#
 # Revision 1.87  2004/12/02 12:34:00  jalet
 # Now automates LDAP reconnections if the server dropped the connection due
@@ -353 +356 @@
             try :
                 self.database = ldap.initialize(self.savedhost) 
+                if self.info["ldaptls"] :
+                    # we want TLS
+                    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.info["cacert"])
+                    self.database.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
+                    self.database.start_tls_s()
                 self.database.simple_bind_s(self.saveduser, self.savedpasswd)
                 self.basedn = self.saveddbname