Hi Richard,

The modifications I ended up making to the framework were actually quite 
simple. This is web2py 2.5.1 and python 2.7 btw.

In the ldap_auth.py file, I added the following to the ldap_auth function 
parameter list: cacert_file=None, cert_file=None, key_file=None. So now the 
function header looks like so:
def ldap_auth(server='ldap', port=None,
              base_dn='ou=users,dc=domain,dc=com',
              mode='uid', secure=False, cacert_path=None, cacert_file=None,
              cert_file=None, key_file=None,
              bind_dn=None, bind_pw=None, filterstr='objectClass=*',
              username_attrib='uid',
              custom_scope='subtree',
              allowed_groups=None,
              manage_user=False,
              user_firstname_attrib='cn:1',
              user_lastname_attrib='cn:2',
              user_mail_attrib='mail',
              manage_groups=False,
              db=None,
              group_dn=None,
              group_name_attrib='cn',
              group_member_attrib='memberUid',
              group_filterstr='objectClass=*',
              logging_level='error'):

I repeated this same step for the ldap_auth_aux function so it looks like 
this:
def ldap_auth_aux(username,
                      password,
                      ldap_server=server,
                      ldap_port=port,
                      ldap_basedn=base_dn,
                      ldap_mode=mode,
                      ldap_binddn=bind_dn,
                      ldap_bindpw=bind_pw,
                      secure=secure,
                      cacert_path=cacert_path,
                      cacert_file=cacert_file,
                      cert_file=cert_file,
                      key_file=key_file,
                      filterstr=filterstr,
                      username_attrib=username_attrib,
                      custom_scope=custom_scope,
                      manage_user=manage_user,
                      user_firstname_attrib=user_firstname_attrib,
                      user_lastname_attrib=user_lastname_attrib,
                      user_mail_attrib=user_mail_attrib,
                      manage_groups=manage_groups,
                      allowed_groups=allowed_groups,
                      db=db):

and finally for the init_ldap function:
def init_ldap(ldap_server=server,
              ldap_port=port,
              ldap_basedn=base_dn,
              ldap_mode=mode,
              secure=secure,
              cacert_path=cacert_path,
              cacert_file=cacert_file,
              cert_file=cert_file,
              key_file=key_file):
And within this function I changed the code that was in the if secure 
statement like so:
if secure:
    if not ldap_port:
        ldap_port = 636

    # TLS options are global in python-ldap and must be set before initialize()
    if cacert_path:
        ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, cacert_path)

    if cacert_file:
        # NOTE: OPT_X_TLS_NEVER turns off server certificate checking entirely;
        # OPT_X_TLS_DEMAND is the setting that actually verifies against cacert_file.
        ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
        ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert_file)
    if cert_file:
        ldap.set_option(ldap.OPT_X_TLS_CERTFILE, cert_file)
    if key_file:
        ldap.set_option(ldap.OPT_X_TLS_KEYFILE, key_file)

    con = ldap.initialize("ldaps://" + ldap_server + ":" + str(ldap_port))

Something I had a bit of an issue with, and eventually figured out, is that 
these options need to be set BEFORE the ldap connection is initialized, 
which in the original code wasn't happening. In the original code, the 
connection was initialized and THEN the cert options were set, like so:
if secure:
    if not ldap_port:
        ldap_port = 636
    con = ldap.initialize(
        "ldaps://" + ldap_server + ":" + str(ldap_port))
    if cert_path:
        con.set_option(ldap.OPT_X_TLS_CACERTDIR, cert_path)
    if cert_file:
        con.set_option(ldap.OPT_X_TLS_CACERTFILE, cert_file)
and this does not work.

Hope this helps someone :)

Thanks,
Maggs
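An added example (not code from the thread or from web2py's ldap_auth) that applies the ordering Maggs found necessary, global set_option before ldap.initialize, for a CA file plus client cert and key, while keeping server-certificate verification on. The function names and the constant-name lookup are this example's own; the python-ldap import is optional so the planner runs without the library.

```python
try:
    import ldap  # python-ldap; optional so the planner is testable without it
except ImportError:
    ldap = None


def tls_option_plan(cacert_file=None, cacert_path=None, cert_file=None,
                    key_file=None, require_cert="OPT_X_TLS_DEMAND"):
    """Return the ordered (option_name, value) pairs to hand to the global
    ldap.set_option() before ldap.initialize(), the order the thread found
    necessary. Option names are python-ldap constant names, resolved by
    getattr in secure_ldap_initialize(). Unlike the posted mod, giving a CA
    file does not switch REQUIRE_CERT to NEVER: NEVER accepts any server
    certificate, which makes the CA file pointless; DEMAND verifies it."""
    if (cert_file is None) != (key_file is None):
        raise ValueError("client cert_file and key_file must be given together")
    if require_cert == "OPT_X_TLS_NEVER":
        raise ValueError("refusing to disable server certificate verification")
    plan = []
    if cacert_path:
        plan.append(("OPT_X_TLS_CACERTDIR", cacert_path))
    if cacert_file:
        plan.append(("OPT_X_TLS_CACERTFILE", cacert_file))
    if cert_file:
        plan.append(("OPT_X_TLS_CERTFILE", cert_file))
        plan.append(("OPT_X_TLS_KEYFILE", key_file))
    plan.append(("OPT_X_TLS_REQUIRE_CERT", require_cert))
    return plan


def ldaps_uri(server, port=None):
    """ldaps:// URI, defaulting to 636 as the thread's code does."""
    return "ldaps://%s:%d" % (server, port or 636)


def secure_ldap_initialize(server, port=None, **tls_kwargs):
    """Apply the plan process-wide, then initialize. Needs python-ldap."""
    if ldap is None:
        raise RuntimeError("python-ldap is not installed")
    for name, value in tls_option_plan(**tls_kwargs):
        if name == "OPT_X_TLS_REQUIRE_CERT":
            value = getattr(ldap, value)  # e.g. ldap.OPT_X_TLS_DEMAND
        ldap.set_option(getattr(ldap, name), value)
    return ldap.initialize(ldaps_uri(server, port))
```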

On Friday, December 20, 2013 6:43:35 AM UTC-8, Richard wrote:
>
> Could you show your mods?
>
> It could help to understand the issues you have and how we can solve them...
>
> Richard
>
>
> On Thu, Dec 19, 2013 at 7:30 PM, Maggs <[email protected]> wrote:
>
>> Yes secure ldap is causing a lot of problems. I hope it gets sorted out 
>> eventually. For now I'm having to modify the framework for my needs. 
>>
>>
>> On Wednesday, November 27, 2013 7:18:45 AM UTC-8, Richard wrote:
>>
>>> ldap_auth needs care; to me it's a draft that needs code review, but it 
>>> works... I had many issues when I deployed ldap_auth with AD... But I didn't 
>>> have time to work further on these issues; we figured out what was at the 
>>> bottom of them, but refactoring ldap_auth needs time and, most importantly, 
>>> tests...
>>>
>>> Richard
>>>
>>>
>>> On Tue, Nov 26, 2013 at 8:12 PM, Maggs <[email protected]> wrote:
>>>
>>>> I am in this situation where my team is in the process of migrating our 
>>>> ldap servers to the vpc and as a result I must update my applications to 
>>>> use secure ldap. I have unfortunately run into an issue with ldap_auth 
>>>> where it will use secure ldap but it only takes a ca cert file, but I need 
>>>> to use ca cert, cert and key files all together. This is possible directly 
>>>> through python-ldap like so:
>>>>
>>>> con.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert_file)
>>>> con.set_option(ldap.OPT_X_TLS_CERTFILE, cert_file)
>>>> con.set_option(ldap.OPT_X_TLS_KEYFILE, key_file)
>>>>
>>>>  
>>>> but this doesn't appear to be an option at all through the ldap_auth wrapper 
>>>> provided through web2py. I am having to modify this code manually to make 
>>>> this work. I'm just curious why these two other files aren't options and the 
>>>> ca cert is the only option?
>>>>
>>>> Thanks
>>>>
>>>> -- 
>>>> Resources:
>>>> - http://web2py.com
>>>> - http://web2py.com/book (Documentation)
>>>> - http://github.com/web2py/web2py (Source code)
>>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>>> --- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "web2py-users" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to [email protected].
>>>>
>>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>>
