Switch to install custom LDAP cert by name
This commit is contained in:
Joseph Schorr
parent
f36442aa0d
commit
66ec1d81ce
4 changed files with 24 additions and 32 deletions
|
|
@ -4,6 +4,7 @@ import peewee
|
|||
import OpenSSL
|
||||
import logging
|
||||
import time
|
||||
import subprocess
|
||||
|
||||
from StringIO import StringIO
|
||||
from fnmatch import fnmatch
|
||||
|
|
@ -313,6 +314,10 @@ def _validate_ldap(config, password):
|
|||
if config.get('AUTHENTICATION_TYPE', 'Database') != 'LDAP':
|
||||
return
|
||||
|
||||
# If there is a custom LDAP certificate, then reinstall the certificates for the container.
|
||||
if config_provider.volume_file_exists(LDAP_CERT_FILENAME):
|
||||
subprocess.check_call(['/conf/init/install_custom_certs.sh'])
|
||||
|
||||
# Note: raises ldap.INVALID_CREDENTIALS on failure
|
||||
admin_dn = config.get('LDAP_ADMIN_DN')
|
||||
admin_passwd = config.get('LDAP_ADMIN_PASSWD')
|
||||
|
|
@ -327,15 +332,10 @@ def _validate_ldap(config, password):
|
|||
if not ldap_uri.startswith('ldap://') and not ldap_uri.startswith('ldaps://'):
|
||||
raise Exception('LDAP URI must start with ldap:// or ldaps://')
|
||||
|
||||
tls_cert_path = None
|
||||
if config_provider.volume_file_exists(LDAP_CERT_FILENAME):
|
||||
with config_provider.get_volume_file(LDAP_CERT_FILENAME) as f:
|
||||
tls_cert_path = f.name
|
||||
|
||||
allow_tls_fallback = config.get('LDAP_ALLOW_INSECURE_FALLBACK', False)
|
||||
|
||||
try:
|
||||
with LDAPConnection(ldap_uri, admin_dn, admin_passwd, tls_cert_path, allow_tls_fallback):
|
||||
with LDAPConnection(ldap_uri, admin_dn, admin_passwd, allow_tls_fallback):
|
||||
pass
|
||||
except ldap.LDAPError as ex:
|
||||
values = ex.args[0] if ex.args else {}
|
||||
|
|
@ -351,7 +351,7 @@ def _validate_ldap(config, password):
|
|||
email_attr = config.get('LDAP_EMAIL_ATTR', 'mail')
|
||||
|
||||
users = LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
|
||||
tls_cert_path, allow_tls_fallback)
|
||||
allow_tls_fallback)
|
||||
|
||||
username = get_authenticated_user().username
|
||||
(result, err_msg) = users.verify_credentials(username, password)
|
||||
|
|
@ -432,7 +432,7 @@ def _validate_signer(config, _):
|
|||
if config['SIGNING_ENGINE'] not in SIGNING_ENGINES:
|
||||
raise Exception('Unknown signing engine: %s' % config['SIGNING_ENGINE'])
|
||||
|
||||
engine = SIGNING_ENGINES[config['SIGNING_ENGINE']](config, OVERRIDE_CONFIG_DIRECTORY)
|
||||
engine = SIGNING_ENGINES[config['SIGNING_ENGINE']](config, config_provider)
|
||||
engine.detached_sign(StringIO('test string'))
|
||||
|
||||
|
||||
|
|
|
|||
Reference in a new issue