ashb commented on a change in pull request #4006: [AIRFLOW-3164] Verify server
certificate when connecting to LDAP
URL: https://github.com/apache/incubator-airflow/pull/4006#discussion_r230821322
##########
File path: airflow/contrib/auth/backends/ldap_auth.py
##########
@@ -55,16 +55,20 @@ class LdapException(Exception):
def get_ldap_connection(dn=None, password=None):
- tls_configuration = None
- use_ssl = False
+ cacert = None
try:
cacert = configuration.conf.get("ldap", "cacert")
- tls_configuration = Tls(validate=ssl.CERT_REQUIRED,
ca_certs_file=cacert)
- use_ssl = True
- except Exception:
+ except AirflowConfigException:
pass
- server = Server(configuration.conf.get("ldap", "uri"), use_ssl,
tls_configuration)
+ tls_configuration = Tls(validate=ssl.CERT_REQUIRED,
+ version=ssl.PROTOCOL_SSLv23,
Review comment:
I've looked at the code of ldap3 and if we don't specify a version then it
uses `ssl.create_default_context()`, the doc string for which says:
> Return a new SSLContext object with default settings for the given
purpose. The settings are chosen by the ssl module, and usually represent a
higher security level than when calling the SSLContext constructor directly.
So we should not specify any version.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
