Ticket #133 (assigned enhancement)

Opened 3 years ago

Last modified 2 years ago

tls / ldaps support for ldap plugin

Reported by: bkw@weisshuhn.de Assigned to: eblot (accepted)
Priority: normal Component: LdapPlugin
Severity: normal Keywords:
Cc: Trac Release: 0.10

Description

It would be great to have tls or at least ldaps support for the ldap connection. More and more servers only allow ldaps or tls these days. Python-ldap seem to support both.

Attachments

ldapplugin_tls.patch (1.7 kB) - added by tiziano.mueller@neuronics.ch on 09/08/06 17:10:18.
Patch (against revision 1254) of the ldap-plugin to add TLS support.
ldapplugin_tls.2.patch (2.4 kB) - added by tizianomueller on 09/08/06 17:19:24.
Improved version. SSL works now too.
ldapplugin_tls.3.patch (3.0 kB) - added by tizianomueller on 09/13/06 05:08:16.
This changes the call to TracError to include the 'info' part from the exception. Helps a lot to find the reason of connection failures.
ldapplugin_tls_and_groupmember_fulldn.patch (3.6 kB) - added by tizianomueller on 09/20/06 05:33:44.
The new patch.

Change History

03/10/06 18:48:29 changed by eblot

I agree, however I never set up an LDAPS server yet (I use an SSH tunnel).

Need to investigate. If you have some proposal, please let me know.

09/08/06 17:10:18 changed by tiziano.mueller@neuronics.ch

  • attachment ldapplugin_tls.patch added.

Patch (against revision 1254) of the ldap-plugin to add TLS support.

09/08/06 17:19:24 changed by tizianomueller

  • attachment ldapplugin_tls.2.patch added.

Improved version. SSL works now too.

09/08/06 17:26:39 changed by tizianomueller

  • release set to 0.8.

In the second patch I've removed the host and port variables and replaced them with the uri. It would probably make sense to add the following as well:

            self._ds.x_tls_demand = True
            self._ds.x_tls_require_cert = True

If you now want to use SSL, set uri = ldaps://<YOURHOST> (if the port is not specified, the standard port will be used). If you want TLS instead, set uri = ldap://<YOURHOST> and start_tls = yes.

09/08/06 17:57:22 changed by eblot

  • release changed from 0.8 to 0.10.
  • status changed from new to assigned.

Not sure why the Trac release has been set to 0.8, but it is very unlikely the plugin may work with such an outdated release of Trac.

09/13/06 05:08:16 changed by tizianomueller

  • attachment ldapplugin_tls.3.patch added.

This changes the call to TracError to include the 'info' part from the exception. Helps a lot to find the reason of connection failures.

09/20/06 05:32:57 changed by anonymous

Ok, there's a bug in the patch. That "self._ds.x_tls..." stuff doesn't work. But it seems that when you use Apache+mod_python+mod_authz_ldap, all LDAP parameters are taken from the Apache configuration. Since I switched to mod_fcgid, I couldn't connect anymore because the client-certificates weren't loaded. This patch might break the whole thing on Apache again, since it sets the certs, etc. to empty values if they are not specified. Conditionally setting them would be the solution.

09/20/06 05:33:44 changed by tizianomueller

  • attachment ldapplugin_tls_and_groupmember_fulldn.patch added.

The new patch.

10/22/06 08:58:09 changed by eblot

New version of the LdapPlugin (0.5.0) w/ basic TLS connection: [1426]

The patch has not been merged in the plugin, there are a couple of issues to fix; for example, it is not valid to hardcode a path that is OS-specific (such as '/etc/ssl').

05/16/07 06:28:53 changed by gwarf

It seems that usually a TLS connection is an LDAP start_tls extended request done on the standard port (389) and using the standard ldap protocol (ldap://).

The ldaps:// protocol seems to be reserved for LDAP over SSL on port 636, without TLS and start_tls request, and it seems to be deprecated. See http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#1.0 or http://www.openldap.org/faq/data/cache/185.html for some more information.

With the actual state of the extension, it's impossible to connect to an LDAP server requesting a TLS operation and listening only on the standard port/protocol (i.e., ldap:// and port 389, not ldaps:// and port 636). If you don't want to default to the ldap:// protocol when using TLS, allowing the host address in trac.ini to be given in the form ldap://hostname or ldaps://hostname would let us easily select which protocol we want.
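Putting the two points raised in this thread together (ldaps:// on 636 versus ldap:// plus start_tls on 389, and setting certificate options only when they are actually configured so settings inherited from the environment are not blanked), here is an added example; it is not the plugin's code nor one of the attached patches, and the setting names cacertfile/certfile/keyfile and the helper names are assumptions:

```python
"""Derive python-ldap TLS setup from Trac-style ldap settings (added example)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def plan_tls(uri, start_tls=False, cacertfile=None, certfile=None, keyfile=None):
    """Decide how the connection is secured without touching python-ldap.

    ldaps://  -> TLS from the first byte, default port 636, no start_tls.
    ldap://   -> plaintext on 389 unless start_tls is set, which upgrades it.
    Certificate files are passed through only if configured (see the
    mod_authz_ldap remark above: empty values would override inherited ones).
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("uri must start with ldap:// or ldaps://, got %r" % uri)
    if scheme == "ldaps" and start_tls:
        raise ValueError("start_tls applies to ldap:// only; ldaps:// is already TLS")
    port = parts.port or DEFAULT_PORTS[scheme]
    options = {name: value for name, value in
               (("cacertfile", cacertfile), ("certfile", certfile), ("keyfile", keyfile))
               if value}
    return {"uri": "%s://%s:%d" % (scheme, parts.hostname, port),
            "start_tls": start_tls,
            "options": options,
            "encrypted": scheme == "ldaps" or start_tls}


def connect(settings):
    """Open the connection described by plan_tls(); requires python-ldap."""
    import ldap  # imported here so plan_tls() stays dependency-free

    opt_names = {"cacertfile": ldap.OPT_X_TLS_CACERTFILE,
                 "certfile": ldap.OPT_X_TLS_CERTFILE,
                 "keyfile": ldap.OPT_X_TLS_KEYFILE}
    conn = ldap.initialize(settings["uri"])
    if settings["options"]:
        for name, value in settings["options"].items():
            conn.set_option(opt_names[name], value)
        # Verify the server certificate, then rebuild the TLS context so the
        # options above take effect (OPT_X_TLS_NEWCTX must be set last).
        conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    if settings["start_tls"]:
        conn.start_tls_s()  # upgrade the ldap:// session on port 389
    return conn
```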
