Initial TLS/SSL support.

Initial TLS/SSL support
sjkingo · Apr 5, 2016 · 37244a6 · 37244a6
1 parent c09a860
commit 37244a6
Show file tree

Hide file tree

Showing 6 changed files with 57 additions and 2 deletions.
diff --git a/AUTHORS.md b/AUTHORS.md
@@ -4,3 +4,4 @@
 * @gianlo
 * Ryan Massoth (@rmassoth)
 * Alan D Moore (@alandmoore)
+* Eduardo Castellanos (@_wayo)
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,8 @@
 Changelog
 =========
+### 0.9.5 - 2016-03-30
+
+* New feature `AUTH_LDAP_TLS` allows LDAP connections to be established over TLS (@_wayo)
 
 ### 0.9.4 - 2016-01-21
 

diff --git a/README.md b/README.md
@@ -242,3 +242,30 @@ Default: `None`
 *Optional.* String to suffix the username before binding. This is used for `user@domain` principals.
 
 You must set `AUTH_LDAP_BIND_TEMPLATE` to `None` when using this option.
+
+*Added in version 0.9.5*
+
+#### `AUTH_LDAP_TLS`
+
+*Optional.* Flag to enable LDAP over TLS. Further options can be configured through `AUTH_LDAP_TLS_CA_CERTS`,
+`AUTH_LDAP_TLS_VALIDATE`, `AUTH_LDAP_TLS_PRIVATE_KEY`, and `AUTH_LDAP_TLS_LOCAL_CERT`.
+
+Default: `False`
+
+#### `AUTH_LDAP_TLS_CA_CERTS`
+*Optional.* String to the location of the file containing the certificates of the certification authorities.
+
+It's checked only if `AUTH_LDAP_TLS_VALIDATE` is set to `True`.
+
+Default: It will use the system wide certificate store.
+
+#### `AUTH_LDAP_TLS_VALIDATE`
+*Optional.* Specifies if the server certificate must be validated.
+
+Default: `True`
+
+#### `AUTH_LDAP_TLS_PRIVATE_KEY`
+*Optional.* Specifies the location for the file with the private key of the client.
+
+#### `AUTH_LDAP_TLS_LOCAL_CERT`
+*Optional.* Specifies the location for the file with the certificate of the server.
diff --git a/django_auth_ldap3/__init__.py b/django_auth_ldap3/__init__.py
@@ -1 +1 @@
-__version__ = '0.9.4'
+__version__ = '0.9.5'
diff --git a/django_auth_ldap3/backends.py b/django_auth_ldap3/backends.py
@@ -6,6 +6,7 @@
 import hashlib
 import ldap3
 import logging
+import ssl
 
 User = get_user_model()
 
@@ -47,7 +48,25 @@ class LDAPBackend(object):
     backend = None
 
     def __init__(self):
-        self.backend = ldap3.Server(settings.URI)
+        tls_config = None
+
+        if settings.TLS:
+            tls_opts = {
+                'validate': ssl.CERT_REQUIRED if settings.TLS_VALIDATE else ssl.CERT_NONE
+            }
+
+            if settings.TLS_CA_CERTS:
+                tls_opts['ca_certs_file'] = settings.TLS_CA_CERTS
+
+            if settings.TLS_PRIVATE_KEY:
+                tls_opts['local_private_key_file'] = settings.TLS_PRIVATE_KEY
+
+            if settings.TLS_LOCAL_CERT:
+                tls_opts['local_certificate_file'] = settings.TLS_LOCAL_CERT
+
+            tls_config = ldap3.Tls(**tls_opts)
+
+        self.backend = ldap3.Server(settings.URI, use_ssl=settings.TLS, tls=tls_config)
 
     def __del__(self):
         # TODO: disconnect?

diff --git a/django_auth_ldap3/conf.py b/django_auth_ldap3/conf.py
@@ -20,6 +20,11 @@ class LDAPSettings(object):
         'USERNAME_PREFIX': None,
         'USERNAME_SUFFIX': None,
         'URI': 'ldap://localhost',
+        'TLS': False,
+        'TLS_CA_CERTS': None,
+        'TLS_VALIDATE': True,
+        'TLS_PRIVATE_KEY': None,
+        'TLS_LOCAL_CERT': None,
     }
 
     def __init__(self):