--- a/cubicweb/server/sources/ldapfeed.py Tue Feb 25 23:30:32 2020 +0100
+++ b/cubicweb/server/sources/ldapfeed.py Tue Feb 25 23:31:30 2020 +0100
@@ -112,6 +112,13 @@
'help': 'additional filters to be set in the ldap query to find valid users',
'group': 'ldap-source', 'level': 2,
}),
+ ('start-tls',
+ {'type': 'choice',
+ 'choices': ('true', 'false'),
+ 'default': 'false',
+ 'help': 'Start tls on connection (before bind)',
+ 'group': 'ldap-source', 'level': 1,
+ }),
('user-login-attr',
{'type': 'string',
'default': 'uid',
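Review bot: The help text for the new `start-tls` option does not tell an operator what the option covers: the change calls `conn.start_tls()` but configures no `Tls` object on the server, so whether the peer certificate is validated depends on ldap3's default `Tls()` settings (which, as far as I recall, do not validate the server certificate — worth confirming before relying on the option as an on-the-wire guarantee). I would extend it to `'help': 'Start TLS on the connection before binding (STARTTLS extended operation); certificate validation follows the ldap3 Tls defaults unless a Tls object is configured on the server'`. A style point that also touches the second hunk: the option is declared as `'type': 'choice'` over the strings `'true'`/`'false'` and then parsed with `typedconfig['start-tls'] == "true"`; if the configuration framework offers a boolean option type (the `yn` type used elsewhere in cubicweb, if I remember correctly), declaring it as such gives a real bool and drops the string comparison.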
@@ -191,6 +198,7 @@
self._authenticate = getattr(self, '_auth_%s' % self.authmode)
self.cnx_dn = typedconfig['data-cnx-dn']
self.cnx_pwd = typedconfig['data-cnx-password']
+ self.start_tls = typedconfig['start-tls'] == "true"
self.user_base_dn = str(typedconfig['user-base-dn'])
self.user_base_scope = LDAP_SCOPES[typedconfig['user-scope']]
self.user_login_attr = typedconfig['user-login-attr']
@@ -279,6 +287,8 @@
server, client_strategy=ldap3.RESTARTABLE, auto_referrals=False,
raise_exceptions=True,
**kwargs)
+ if self.start_tls:
+ conn.start_tls()
# Now bind with the credentials given. Let exceptions propagate out.
if user is None:
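Review bot: The result of `conn.start_tls()` is discarded, so if the StartTLS exchange fails in a way that ldap3 reports through its boolean return value rather than an exception, the code falls through to the bind below and sends the credentials over the still-plain socket. The connection is created with `raise_exceptions=True`, but I would not rely on that covering the StartTLS extended operation in every ldap3 version; guard the call explicitly: `if self.start_tls and not conn.start_tls():` followed by `raise RuntimeError('StartTLS failed for %s' % self.uri)`. The enclosing `_connect` method starts before this hunk and continues past it, and one context line appears to have been dropped between `**kwargs)` and the `# Now bind` comment.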
@@ -320,6 +330,9 @@
if self._conn is None:
self._conn = self._connect()
ldapcnx = self._conn
+ if self.start_tls:
+ ldapcnx.start_tls()
+ self.info("ldap start_tls started for %s", self.uri)
if not ldapcnx.search(base, searchstr, search_scope=scope, attributes=set(attrs) - {'dn'}):
return []
result = []
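Review bot: `ldapcnx.start_tls()` is issued on every call of this search method against the cached `self._conn`, although `self._connect()` (the previous hunk) already starts TLS when it creates that connection; repeating the StartTLS extended operation on a socket that is already TLS-wrapped is at best a needless re-negotiation and, as far as I can tell, is not guarded against by ldap3, so it may fail on the second search. I would drop the three added lines here; if the log line is wanted, move `self.info("ldap start_tls started for %s", self.uri)` into `_connect` next to the existing `conn.start_tls()` call so it is emitted once per connection. The enclosing method starts before this hunk and continues past it.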