Description
The ldap_login module (via python-ldap) does not set LDAP options whose configured value is 0.
Steps to reproduce
Set up the following config:

from MoinMoin.auth.ldap_login import LDAPAuth
ldap_authenticator1 = LDAPAuth(
    server_uri='ldaps://ldap.xxxxx.com:636',
    bind_dn='',  # DN we use for first bind (AD)
    bind_pw='',  # password we use for first bind
    base_dn='o=xxxxx.com',  # base DN we use for searching
    scope=2,  # scope of the search we do (2 == ldap.SCOPE_SUBTREE)
    search_filter='(uid=%(username)s)',  # ldap filter used for searching:
    givenname_attribute=None,  # often 'givenName' - ldap attribute we get the first name from
    surname_attribute=None,  # often 'sn' - ldap attribute we get the family name from
    aliasname_attribute=None,  # often 'displayName' - ldap attribute we get the aliasname from
    email_attribute=None,  # often 'mail' - ldap attribute we get the email address from
    email_callback=None,  # callback function called to make up email address
    coding='utf-8',  # coding used for ldap queries and result values
    timeout=10,  # how long we wait for the ldap server [s]
    start_tls=0,  # usage of Transport Layer Security 0 = No, 1 = Try, 2 = Required
    tls_require_cert=0,  # 0 == ldap.OPT_X_TLS_NEVER (needed for self-signed certs)
    bind_once=False,  # set to True to only do one bind - useful if configured to bind as the use
)

With this config the option for 'tls_require_cert = 0' is never set, i.e. the call

ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)

never happens.
Example
None
Component selection
- authorisation
Details
The following error is logged:

2008-08-05 07:10:55,899 MoinMoin.auth.ldap_login DEBUG Connected to LDAP server 'ldaps://ldap.hp.com:636'.
2008-08-05 07:10:55,938 MoinMoin.auth.ldap_login ERROR LDAP server ldaps://ldap.hp.com:636 failed ({'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}). Trying to authenticate with next auth list entry.
2008-08-05 07:10:55,938 MoinMoin.session DEBUG after auth: no valid user, no anon session
Looking at the code, the issue lies with the statement `if value:`. If the value of the option to be set is 0, this condition is never true, so ldap.set_option() is never executed for that option:

if hasattr(ldap, 'TLS_AVAIL') and ldap.TLS_AVAIL:
    for option, value in (
        (ldap.OPT_X_TLS_CACERTDIR, self.tls_cacertdir),
        (ldap.OPT_X_TLS_CACERTFILE, self.tls_cacertfile),
        (ldap.OPT_X_TLS_CERTFILE, self.tls_certfile),
        (ldap.OPT_X_TLS_KEYFILE, self.tls_keyfile),
        (ldap.OPT_X_TLS_REQUIRE_CERT, self.tls_require_cert),
        (ldap.OPT_X_TLS, self.start_tls),
        #(ldap.OPT_X_TLS_ALLOW, 1),
    ):
        if value:
            ldap.set_option(option, value)
            logging.debug("Set option %r." % option)

MoinMoin Version: 1.7.1
OS and Version: Linux
Python Version: 2.5.2
Server Setup:
Server Details:
Language you are using the wiki in (set in the browser/UserPreferences):
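As an added illustration (not MoinMoin's code, and not the change in the linked revision), the option-setting loop quoted above is run offline with stand-in constants in place of python-ldap, contrasting the `if value:` test from the report with a `None` check. The constant names mirror python-ldap's, but their numeric values, the `options_from_config` helper and the `fixed_check` predicate are assumptions made for this example.

```python
# Added example, not part of the bug report or of MoinMoin: replays the
# ldap_login option loop with a stub in place of ldap.set_option() so it runs
# offline, and shows which configured values each predicate lets through.

# Stand-in constants. Names follow python-ldap; the numeric values are assumed
# here only so the example runs without the real module.
OPT_X_TLS = 0x6000
OPT_X_TLS_CACERTFILE = 0x6001
OPT_X_TLS_REQUIRE_CERT = 0x6006
OPT_X_TLS_NEVER = 0      # the value the report's config uses: tls_require_cert = 0
OPT_X_TLS_DEMAND = 2


def apply_tls_options(options, check):
    """Walk (option, value) pairs the way ldap_login does and record every
    pair that would reach ldap.set_option(). `check` is the predicate that
    decides whether a configured value is applied."""
    applied = {}
    for option, value in options:
        if check(value):
            applied[option] = value   # stands in for ldap.set_option(option, value)
    return applied


def buggy_check(value):
    # The predicate from the report, `if value:` -- 0, '' and None are all skipped.
    return bool(value)


def fixed_check(value):
    # Hypothetical corrected predicate: only an unset option (None) is skipped,
    # so a deliberately configured 0 is still applied.
    return value is not None


def options_from_config(tls_cacertfile=None, tls_require_cert=None, start_tls=None):
    """Build the (option, value) tuple the module iterates over from the
    LDAPAuth keyword arguments shown in the report (hypothetical helper)."""
    return (
        (OPT_X_TLS_CACERTFILE, tls_cacertfile),
        (OPT_X_TLS_REQUIRE_CERT, tls_require_cert),
        (OPT_X_TLS, start_tls),
    )


def demo():
    """Reproduce the report's settings: tls_require_cert=0, start_tls=0."""
    opts = options_from_config(tls_require_cert=OPT_X_TLS_NEVER, start_tls=0)
    before = apply_tls_options(opts, buggy_check)
    after = apply_tls_options(opts, fixed_check)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("buggy :", before)   # {} -- REQUIRE_CERT=0 never reaches set_option
    print("fixed :", after)    # {0x6006: 0, 0x6000: 0}
```

Note that the value being dropped here, tls_require_cert = 0 (OPT_X_TLS_NEVER), turns server certificate verification off; the "certificate verify failed" error in the log is the library refusing an unverified server. Once the option is honoured the wiki will accept any certificate the LDAP server presents, so for a self-signed server certificate the safer configuration is to point tls_cacertfile at that certificate and leave verification on.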
Workaround
Discussion
Plan
- Priority:
- Assigned to:
Status: fixed by http://hg.moinmo.in/moin/1.7/rev/0ab296a0c099 please test!
