[dak/master] Add option to specify CAs to trust for LDAP connection over TLS
An explicit option means we no longer rely on ldap.conf being set up correctly
for dak's use of LDAP.
---
config/debian-security/dak.conf | 1 +
config/debian/dak.conf | 1 +
daklib/dbconn.py | 11 +++++++++++
3 files changed, 13 insertions(+)
diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf
index f6459d5..b1f8c4b 100644
--- a/config/debian-security/dak.conf
+++ b/config/debian-security/dak.conf
@@ -56,6 +56,7 @@ Import-LDAP-Fingerprints
{
LDAPDn "ou=users,dc=debian,dc=org";
LDAPServer "db.debian.org";
+ CACertFile "/etc/ssl/certs/spi-cacert-2008.pem";
ExtraKeyrings
{
"/srv/keyring.debian.org/keyrings/removed-keys.pgp";
diff --git a/config/debian/dak.conf b/config/debian/dak.conf
index c06cd67..2954c59 100644
--- a/config/debian/dak.conf
+++ b/config/debian/dak.conf
@@ -97,6 +97,7 @@ Import-LDAP-Fingerprints
{
LDAPDn "ou=users,dc=debian,dc=org";
LDAPServer "db.debian.org";
+ CACertFile "/etc/ssl/certs/spi-cacert-2008.pem";
ExtraKeyrings
{
"/srv/keyring.debian.org/keyrings/removed-keys.pgp";
diff --git a/daklib/dbconn.py b/daklib/dbconn.py
index 413a0fd..a90ad10 100644
--- a/daklib/dbconn.py
+++ b/daklib/dbconn.py
@@ -1250,8 +1250,19 @@ class Keyring(object):
LDAPDn = cnf["Import-LDAP-Fingerprints::LDAPDn"]
LDAPServer = cnf["Import-LDAP-Fingerprints::LDAPServer"]
+ ca_cert_file = cnf.get('Import-LDAP-Fingerprints::CACertFile')
l = ldap.open(LDAPServer)
+
+ if ca_cert_file:
+ # Request a new TLS context. If there was already one, libldap
+ # would not change the TLS options (like which CAs to trust).
+ l.set_option(ldap.OPT_X_TLS_NEWCTX, True)
+ l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_HARD)
+ l.set_option(ldap.OPT_X_TLS_CACERTDIR, None)
+ l.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_file)
+ l.start_tls_s()
+
l.simple_bind_s("","")
Attrs = l.search_s(LDAPDn, ldap.SCOPE_ONELEVEL,
"(&(keyfingerprint=*)(gidnumber=%s))" % (cnf["Import-Users-From-Passwd::ValidGID"]),
--
1.7.10.4