[dak/master] Add option to specify CAs to trust for LDAP connection over TLS

To: debian-dak@lists.debian.org,dak@commit.ganneff.de
Subject: [dak/master] Add option to specify CAs to trust for LDAP connection over TLS
From: Ansgar Burchardt <ansgar@debian.org>
Date: Sun, 21 Jul 2013 20:08:32 +0000
Message-id: <[🔎] E1V0zvk-00009q-Lj@franck.debian.org>

An explicit option makes us not rely on ldap.conf to be setup correctly
for dak's use of LDAP.
---
 config/debian-security/dak.conf |    1 +
 config/debian/dak.conf          |    1 +
 daklib/dbconn.py                |   11 +++++++++++
 3 files changed, 13 insertions(+)

diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf
index f6459d5..b1f8c4b 100644
--- a/config/debian-security/dak.conf
+++ b/config/debian-security/dak.conf
@@ -56,6 +56,7 @@ Import-LDAP-Fingerprints
 {
   LDAPDn "ou=users,dc=debian,dc=org";
   LDAPServer "db.debian.org";
+  CACertFile "/etc/ssl/certs/spi-cacert-2008.pem";
   ExtraKeyrings
   {
     "/srv/keyring.debian.org/keyrings/removed-keys.pgp";
diff --git a/config/debian/dak.conf b/config/debian/dak.conf
index c06cd67..2954c59 100644
--- a/config/debian/dak.conf
+++ b/config/debian/dak.conf
@@ -97,6 +97,7 @@ Import-LDAP-Fingerprints
 {
   LDAPDn "ou=users,dc=debian,dc=org";
   LDAPServer "db.debian.org";
+  CACertFile "/etc/ssl/certs/spi-cacert-2008.pem";
   ExtraKeyrings
   {
     "/srv/keyring.debian.org/keyrings/removed-keys.pgp";
diff --git a/daklib/dbconn.py b/daklib/dbconn.py
index 413a0fd..a90ad10 100644
--- a/daklib/dbconn.py
+++ b/daklib/dbconn.py
@@ -1250,8 +1250,19 @@ class Keyring(object):
 
         LDAPDn = cnf["Import-LDAP-Fingerprints::LDAPDn"]
         LDAPServer = cnf["Import-LDAP-Fingerprints::LDAPServer"]
+        ca_cert_file = cnf.get('Import-LDAP-Fingerprints::CACertFile')
 
         l = ldap.open(LDAPServer)
+
+        if ca_cert_file:
+            # Request a new TLS context. If there was already one, libldap
+            # would not change the TLS options (like which CAs to trust).
+            l.set_option(ldap.OPT_X_TLS_NEWCTX, True)
+            l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_HARD)
+            l.set_option(ldap.OPT_X_TLS_CACERTDIR, None)
+            l.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_file)
+            l.start_tls_s()
+
         l.simple_bind_s("","")
         Attrs = l.search_s(LDAPDn, ldap.SCOPE_ONELEVEL,
                "(&(keyfingerprint=*)(gidnumber=%s))" % (cnf["Import-Users-From-Passwd::ValidGID"]),
-- 
1.7.10.4

Reply to:

Prev by Date: [dak/master] Remove dak/import_ldap_fingerprints.py
Next by Date: [dak/master] Remove obsolete SQL functions.
Previous by thread: [dak/master] Remove dak/import_ldap_fingerprints.py
Next by thread: [dak/master] Remove obsolete SQL functions.
Index(es):
- Date
- Thread