Add option to specify CAs to trust for LDAP connection over TLS
authorAnsgar Burchardt <ansgar@debian.org>
Sun, 21 Jul 2013 19:59:45 +0000 (21:59 +0200)
committerAnsgar Burchardt <ansgar@debian.org>
Sun, 21 Jul 2013 20:03:05 +0000 (22:03 +0200)
An explicit option means we no longer rely on ldap.conf being set up correctly
for dak's use of LDAP.

config/debian-security/dak.conf
config/debian/dak.conf
daklib/dbconn.py

index f6459d5c62a96f7011d1a70af0b0902dce8ea520..b1f8c4b8acf1936aaa8b8d45ec7b3f4ed7bc8670 100644 (file)
@@ -56,6 +56,7 @@ Import-LDAP-Fingerprints
 {
   LDAPDn "ou=users,dc=debian,dc=org";
   LDAPServer "db.debian.org";
+  CACertFile "/etc/ssl/certs/spi-cacert-2008.pem";
   ExtraKeyrings
   {
     "/srv/keyring.debian.org/keyrings/removed-keys.pgp";
index c06cd67478ca82f425fefbccf8df7216e62c433d..2954c595bfdee407ee0b51b1830b6ff273167c2b 100644 (file)
@@ -97,6 +97,7 @@ Import-LDAP-Fingerprints
 {
   LDAPDn "ou=users,dc=debian,dc=org";
   LDAPServer "db.debian.org";
+  CACertFile "/etc/ssl/certs/spi-cacert-2008.pem";
   ExtraKeyrings
   {
     "/srv/keyring.debian.org/keyrings/removed-keys.pgp";
index 413a0fdd1fcf5fc33a96c969f850bf17d9fdf1d7..a90ad10229d052ad83a6f870de5b3e32bc751db9 100644 (file)
@@ -1250,8 +1250,19 @@ class Keyring(object):
 
         LDAPDn = cnf["Import-LDAP-Fingerprints::LDAPDn"]
         LDAPServer = cnf["Import-LDAP-Fingerprints::LDAPServer"]
+        ca_cert_file = cnf.get('Import-LDAP-Fingerprints::CACertFile')
 
         l = ldap.open(LDAPServer)
+
+        if ca_cert_file:
+            # Request a new TLS context. If there was already one, libldap
+            # would not change the TLS options (like which CAs to trust).
+            l.set_option(ldap.OPT_X_TLS_NEWCTX, True)
+            l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_HARD)
+            l.set_option(ldap.OPT_X_TLS_CACERTDIR, None)
+            l.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_file)
+            l.start_tls_s()
+
         l.simple_bind_s("","")
         Attrs = l.search_s(LDAPDn, ldap.SCOPE_ONELEVEL,
                "(&(keyfingerprint=*)(gidnumber=%s))" % (cnf["Import-Users-From-Passwd::ValidGID"]),
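Review bot: `l.set_option(ldap.OPT_X_TLS_NEWCTX, True)` is issued before the other TLS options, but per python-ldap's documentation NEWCTX must be the last TLS option set, because libldap builds the new context from the option values in effect at that moment; the `OPT_X_TLS_REQUIRE_CERT`, `OPT_X_TLS_CACERTDIR` and `OPT_X_TLS_CACERTFILE` values set afterwards would then not apply to the context that `start_tls_s()` uses, and the configured CA file would be silently ignored. Move the NEWCTX line (together with its explanatory comment) to directly after `l.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_file)` and before `l.start_tls_s()`. Separately, since `start_tls_s()` sits inside `if ca_cert_file:`, a missing or misspelled `CACertFile` key falls back to a cleartext connection and anonymous bind without any error; consider starting TLS unconditionally, or raising when the option is absent, so the downgrade is not silent. The enclosing method of `Keyring` starts and ends outside the hunk.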