
Anonymous committed 0c0bfdc

Fix #3: Add StartTLS support via AUTH_LDAP_START_TLS. Thanks to jcmdev0.


Files changed (4)

django_auth_ldap/backend.py

         
         return cls.ldap
     ldap_module = classmethod(ldap_module)
-        
-    
+
+
     #
     # The Django auth backend API
     #
             
             for opt, value in ldap_settings.AUTH_LDAP_CONNECTION_OPTIONS.iteritems():
                 self._connection.set_option(opt, value)
-        
+
+            if ldap_settings.AUTH_LDAP_START_TLS:
+                logger.debug("Initiating TLS")
+                self._connection.start_tls_s()
+
         return self._connection
 
 
         'AUTH_LDAP_PROFILE_ATTR_MAP': {},
         'AUTH_LDAP_REQUIRE_GROUP': None,
         'AUTH_LDAP_SERVER_URI': 'ldap://localhost',
+        'AUTH_LDAP_START_TLS': False,
         'AUTH_LDAP_USER_ATTR_MAP': {},
         'AUTH_LDAP_USER_DN_TEMPLATE': None,
         'AUTH_LDAP_USER_FLAGS_BY_GROUP': {},
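Review bot: If `start_tls_s()` raises (the server refuses the extended operation, or the handshake fails), the exception propagates while `self._connection` stays bound to the already-created plaintext connection, so a later call into this accessor returns a cached connection on which StartTLS was never established — the option fails open rather than closed; the assignment to `self._connection` and the function header are above the hunk, so confirm that the cache is not already cleared by a caller. Drop the cached handle before re-raising so the next lookup reconnects and retries TLS, catching the ldap module's `LDAPError` under whatever name backend.py binds it (the `ldap_module()` accessor at the top of the hunk suggests it is resolved lazily). The docs added for AUTH_LDAP_START_TLS recommend `ldap.OPT_X_TLS_NEVER` for self-signed certificates; with verification off the StartTLS session resists only passive observation, so pointing readers to `ldap.OPT_X_TLS_CACERTFILE` (trusting the private CA) would keep the feature's security value intact.
```python
            if ldap_settings.AUTH_LDAP_START_TLS:
                logger.debug("Initiating TLS")
                try:
                    self._connection.start_tls_s()
                except ldap.LDAPError:
                    # Fail closed: discard the plaintext connection so a later
                    # lookup reconnects and retries StartTLS instead of reusing it.
                    self._connection = None
                    raise

        return self._connection
```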

django_auth_ldap/config.py

             class NullHandler(logging.Handler):
                 def emit(self, record):
                     pass
-    
+
             cls.logger = logging.getLogger('django_auth_ldap')
             cls.logger.addHandler(NullHandler())
             cls.logger.setLevel(logging.DEBUG)
         member DNs.
         """
         self.member_attr = member_attr
-        
+
         super(NestedMemberDNGroupType, self).__init__(name_attr)
         
     def user_groups(self, ldap_user, group_search):

django_auth_ldap/tests.py

         self.calls = []
         self.return_value_maps = {}
         self.options = {}
+        self.tls_enabled = False
     
     def set_return_value(self, api_name, arguments, value):
         """
             value = self._search_s(base, scope, filterstr, attrlist, attrsonly)
         
         return value
+
+    def start_tls_s(self):
+        self.tls_enabled = True
     
     def compare_s(self, dn, attr, value):
         self._record_call('compare_s', {
         self.assert_(not bob.is_staff)
         self.assert_(not bob.is_superuser)
 
+    def test_start_tls_missing(self):
+        self._init_settings(
+            AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test',
+            AUTH_LDAP_START_TLS=False,
+            )
+
+        self.assert_(not self.mock_ldap.tls_enabled)
+        self.backend.authenticate(username='alice', password='password')
+        self.assert_(not self.mock_ldap.tls_enabled)
+
+    def test_start_tls(self):
+        self._init_settings(
+            AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=people,o=test',
+            AUTH_LDAP_START_TLS=True,
+            )
+
+        self.assert_(not self.mock_ldap.tls_enabled)
+        self.backend.authenticate(username='alice', password='password')
+        self.assert_(self.mock_ldap.tls_enabled)
 
     def _init_settings(self, **kwargs):
         backend.ldap_settings = TestSettings(**kwargs)
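Review bot: The mock's `start_tls_s` only flips `tls_enabled`, so `test_start_tls` proves the method was invoked but not that it ran before the bind that sends the password; a StartTLS issued after `simple_bind_s` would still pass this test. The mock already records other calls through `_record_call` (see `compare_s` just below the new method), so recording this one too lets the test pin the ordering: `def start_tls_s(self):`, `    self._record_call('start_tls_s', {})`, `    self.tls_enabled = True`, and then in `test_start_tls` assert that the `start_tls_s` entry in `self.mock_ldap.calls` precedes the first bind call. The mock class and the test case class both start outside the hunk, so the exact shape of the `calls` entries is taken from `_record_call`'s definition there.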
 
     AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=users,dc=example,dc=com"
 
+By default, LDAP connections are unencrypted and make no attempt to protect
+sensitive information, such as passwords. When communicating with an LDAP server
+on localhost or on a local network, this might be fine. If you need a secure
+connection to the LDAP server, you can either use an ``ldaps://`` URL or enable
+the StartTLS extension. The latter is generally the preferred mechanism. To
+enable StartTLS, set :ref:`AUTH_LDAP_START_TLS` to ``True``::
+
+	AUTH_LDAP_START_TLS = True
+
 
 Working with groups
 ===================
 underlying LDAP libraries.
 
 
+.. _AUTH_LDAP_START_TLS:
+
+AUTH_LDAP_START_TLS
+~~~~~~~~~~~~~~~~~~~
+
+Default: ``False``
+
+If ``True``, each connection to the LDAP server will call start_tls to enable
+TLS encryption over the standard LDAP port. There are a number of configuration
+options that can be given to :ref:`AUTH_LDAP_GLOBAL_OPTIONS` that affect the
+TLS connection. For example, ``ldap.OPT_X_TLS_REQUIRE_CERT`` can be set to
+``ldap.OPT_X_TLS_NEVER`` to disable certificate verification, perhaps to allow
+self-signed certificates.
+
+
 .. _AUTH_LDAP_USER_ATTR_MAP:
 
 AUTH_LDAP_USER_ATTR_MAP