changeset bcc67f47e13c in modules/ldap_authentication:5.0
details:
https://hg.tryton.org/modules/ldap_authentication?cmd=changeset&node=bcc67f47e13c
description:
Enforce certificate validation for LDAP connection
issue11564
review417381003
(grafted from 366cca2d391e3fda2e038b34a032f4acf0efdce5)
diffstat:
CHANGELOG | 2 ++
res.py | 5 ++++-
2 files changed, 6 insertions(+), 1 deletions(-)
diffs (34 lines):
diff -r ec8ba81a54f4 -r bcc67f47e13c CHANGELOG
--- a/CHANGELOG Thu Jun 17 21:56:46 2021 +0200
+++ b/CHANGELOG Tue Jun 21 10:17:02 2022 +0200
@@ -1,3 +1,5 @@
+* Enforce certificate validation for LDAP connection (issue11564)
+
Version 5.0.4 - 2021-06-17
* Bug fixes (see mercurial logs for details)
diff -r ec8ba81a54f4 -r bcc67f47e13c res.py
--- a/res.py Thu Jun 17 21:56:46 2021 +0200
+++ b/res.py Tue Jun 21 10:17:02 2022 +0200
@@ -1,6 +1,7 @@
# This file is part of Tryton. The COPYRIGHT file at the top level of
# this repository contains the full copyright notices and license terms.
import logging
+import ssl
import urllib.parse
import ldap3
@@ -42,10 +43,12 @@
uri, _, _, _, _, extensions = parse_ldap_url(uri)
if uri.scheme.startswith('ldaps'):
scheme, port = 'ldaps', 636
+ tls = ldap3.Tls(validate=ssl.CERT_REQUIRED)
else:
scheme, port = 'ldap', 389
+ tls = None
return ldap3.Server('%s://%s:%s' % (
- scheme, uri.hostname, uri.port or port))
+ scheme, uri.hostname, uri.port or port), tls=tls)
class User(metaclass=PoolMeta):
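Review bot: The `ldap3.Tls(validate=ssl.CERT_REQUIRED)` object built on the `ldaps` branch passes no `ca_certs_file`/`ca_certs_path`, so validation rests entirely on the interpreter's default CA store, and deployments whose directory server presents a certificate from a private CA will now fail to bind with no configuration knob to supply the bundle. A comment such as `# Verify the server certificate against the system CA store; ldap3's Tls() default is CERT_NONE.` would make the intent explicit, and exposing an optional CA-file setting that is forwarded to `ldap3.Tls` is the natural follow-up for private-CA sites. On the plain `ldap` branch `tls = None` is left on the server, so if any caller later upgrades the connection with StartTLS it would presumably negotiate with ldap3's own default `Tls()` and no certificate validation — worth confirming the module never upgrades a plain connection, or passing the same validating `Tls` object on both branches. The enclosing function begins outside the hunk.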