Add additional options for LDAP

Fixes #1420

data/users/__init__.py

@@ -27,16 +27,18 @@ def get_federated_service_name(authentication_type):
   raise Exception('Unknown auth type: %s' % authentication_type)
 
 
+LDAP_CERT_FILENAME = 'ldap.crt'
+
 class UserAuthentication(object):
-  def __init__(self, app=None, override_config_dir=None):
+  def __init__(self, app=None, config_provider=None, override_config_dir=None):
     self.app_secret_key = None
     self.app = app
     if app is not None:
-      self.state = self.init_app(app, override_config_dir)
+      self.state = self.init_app(app, config_provider, override_config_dir)
     else:
       self.state = None
 
-  def init_app(self, app, override_config_dir):
+  def init_app(self, app, config_provider, override_config_dir):
     self.app_secret_key = app.config['SECRET_KEY']
 
     authentication_type = app.config.get('AUTHENTICATION_TYPE', 'Database')
@@ -52,7 +54,15 @@ class UserAuthentication(object):
       uid_attr = app.config.get('LDAP_UID_ATTR', 'uid')
       email_attr = app.config.get('LDAP_EMAIL_ATTR', 'mail')
 
-      users = LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr)
+      allow_tls_fallback = app.config.get('LDAP_ALLOW_INSECURE_FALLBACK', False)
+      tls_cert_path = None
+      if config_provider.volume_file_exists(LDAP_CERT_FILENAME):
+        with config_provider.get_volume_file(LDAP_CERT_FILENAME) as f:
+          tls_cert_path = f.name
+
+      users = LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
+                        tls_cert_path, allow_tls_fallback)
+
     elif authentication_type == 'JWT':
       verify_url = app.config.get('JWT_VERIFY_ENDPOINT')
       issuer = app.config.get('JWT_AUTH_ISSUER')