Add TLS support for ldap_user_search #529

Merged
merged 3 commits into from
Jul 21, 2023
Merged
11 changes: 8 additions & 3 deletions coldfront/config/plugins/ldap_user_search.py
Expand Up @@ -12,8 +12,13 @@

LDAP_USER_SEARCH_SERVER_URI = ENV.str('LDAP_USER_SEARCH_SERVER_URI')
LDAP_USER_SEARCH_BASE = ENV.str('LDAP_USER_SEARCH_BASE')
LDAP_USER_SEARCH_BIND_DN = ENV.str('LDAP_USER_SEARCH_BIND_DN')
LDAP_USER_SEARCH_BIND_PASSWORD = ENV.str('LDAP_USER_SEARCH_BIND_PASSWORD')
LDAP_USER_SEARCH_BIND_DN = ENV.str('LDAP_USER_SEARCH_BIND_DN', default=None)
LDAP_USER_SEARCH_BIND_PASSWORD = ENV.str('LDAP_USER_SEARCH_BIND_PASSWORD', default=None)
LDAP_USER_SEARCH_CONNECT_TIMEOUT = ENV.float('LDAP_USER_SEARCH_CONNECT_TIMEOUT', default=2.5)
LDAP_USER_SEARCH_USE_SSL = ENV.bool('LDAP_USER_SEARCH_USE_SSL', default=True)
ADDITIONAL_USER_SEARCH_CLASSES = ['coldfront.plugins.ldap_user_search.utils.LDAPUserSearch',]
LDAP_USER_SEARCH_USE_TLS = ENV.bool('LDAP_USER_SEARCH_USE_TLS', default=False)
LDAP_USER_SEARCH_PRIV_KEY_FILE = ENV.str("LDAP_USER_SEARCH_PRIV_KEY_FILE", default=None)
LDAP_USER_SEARCH_CERT_FILE = ENV.str("LDAP_USER_SEARCH_CERT_FILE", default=None)
LDAP_USER_SEARCH_CACERT_FILE = ENV.str("LDAP_USER_SEARCH_CACERT_FILE", default=None)

ADDITIONAL_USER_SEARCH_CLASSES = ['coldfront.plugins.ldap_user_search.utils.LDAPUserSearch']
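Review bot: The new `LDAP_USER_SEARCH_USE_TLS` and the three `*_FILE` settings carry no comment on how they relate to `LDAP_USER_SEARCH_USE_SSL`, and from the accompanying utils.py change the distinction matters: `USE_SSL` selects an ldaps session, while `USE_TLS` only hands key/cert/CA paths to an ldap3 `Tls` object and does not by itself upgrade a plain `ldap://` URI or turn on server-certificate validation. A comment above `LDAP_USER_SEARCH_USE_TLS` such as `# Supplies client key/cert and CA file for the TLS session; does not itself enable StartTLS or certificate validation` would keep operators from reading the flag as "secure the transport". The `default=None` now given to the bind DN and password also deserves a one-line note that an unset pair appears to result in an anonymous bind.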
19 changes: 14 additions & 5 deletions coldfront/plugins/ldap_user_search/README.md
Expand Up @@ -11,18 +11,27 @@ search.py code in the FreeIPA plugin.

ColdFront provides an API to define additional user search classes for
extending the default search functionality. This app implements a
LDAPUserSearch class in utils.py which performs the LDAP search. This class is
then registered with ColdFront by setting "ADDITIONAL\_USER\_SEARCH\_CLASSES"
in local\_settings.py.
LDAPUserSearch class in `utils.py` which performs the LDAP search. This class is
then registered with ColdFront by setting `ADDITIONAL_USER_SEARCH_CLASSES`
in `config/plugins/ldap_user_search.py`

## Requirements

- pip install python-ldap ldap3

## Usage

To enable this plugin add the following in your `local_settings.py` file:
To enable this plugin set the following environment variables:

```
ADDITIONAL_USER_SEARCH_CLASSES = ['coldfront.plugins.ldap_user_search.utils.LDAPUserSearch',]
PLUGIN_LDAP_USER_SEARCH=True
LDAP_USER_SEEACH_SERVER_URI=ldap://example.com
LDAP_USER_SEARCH_BASE="dc=example,dc=com"
LDAP_USER_SEARCH_BIND_DN="cn=Manager,dc=example,dc=com"
LDAP_USER_SEARCH_BASE="dc=example,dc=com"
LDAP_USER_SEARCH_USE_SSL=True
LDAP_USER_SEARCH_USE_TLS=True
LDAP_USER_SEARCH_CACERT_FILE=/path/to/cacert
LDAP_USER_SEARCH_CERT_FILE=/path/to/cert
LDAP_USER_SEARCH_PRIV_KEY_FILE=/path/to/key
```
17 changes: 15 additions & 2 deletions coldfront/plugins/ldap_user_search/utils.py
Expand Up @@ -4,10 +4,11 @@
import ldap.filter
from coldfront.core.user.utils import UserSearch
from coldfront.core.utils.common import import_from_settings
from ldap3 import Connection, Server
from ldap3 import Connection, Server, Tls

logger = logging.getLogger(__name__)


class LDAPUserSearch(UserSearch):
search_source = 'LDAP'

Expand All @@ -19,8 +20,20 @@ def __init__(self, user_search_string, search_by):
self.LDAP_BIND_PASSWORD = import_from_settings('LDAP_USER_SEARCH_BIND_PASSWORD', None)
self.LDAP_CONNECT_TIMEOUT = import_from_settings('LDAP_USER_SEARCH_CONNECT_TIMEOUT', 2.5)
self.LDAP_USE_SSL = import_from_settings('LDAP_USER_SEARCH_USE_SSL', True)
self.LDAP_USE_TLS = import_from_settings("LDAP_USER_SEARCH_USE_TLS", False)
self.LDAP_PRIV_KEY_FILE = import_from_settings('LDAP_USER_SEARCH_PRIV_KEY_FILE', None)
self.LDAP_CERT_FILE = import_from_settings('LDAP_USER_SEARCH_CERT_FILE', None)
self.LDAP_CACERT_FILE = import_from_settings('LDAP_USER_SEARCH_CACERT_FILE', None)

tls = None
if self.LDAP_USE_TLS:
tls = Tls(
local_private_key_file=self.LDAP_PRIV_KEY_FILE,
local_certificate_file=self.LDAP_CERT_FILE,
ca_certs_file=self.LDAP_CACERT_FILE,
)

self.server = Server(self.LDAP_SERVER_URI, use_ssl=self.LDAP_USE_SSL, connect_timeout=self.LDAP_CONNECT_TIMEOUT)
self.server = Server(self.LDAP_SERVER_URI, use_ssl=self.LDAP_USE_SSL, connect_timeout=self.LDAP_CONNECT_TIMEOUT, tls=tls)
self.conn = Connection(self.server, self.LDAP_BIND_DN, self.LDAP_BIND_PASSWORD, auto_bind=True)

def parse_ldap_entry(self, entry):
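Review bot: The `Tls(...)` constructed under `if self.LDAP_USE_TLS:` never sets `validate`, and ldap3's `Tls()` defaults to `validate=ssl.CERT_NONE`, so the configured `ca_certs_file` is loaded but the server certificate is still not checked; the `tls=None` path on the new `Server(...)` line has the same property, since ldap3 builds a default `Tls()` there for `use_ssl=True`. Add `import ssl` to the import block and `validate=ssl.CERT_REQUIRED,` to the `Tls(...)` call, and if an operator truly needs validation off, make that an explicit setting rather than the silent default. Separately, `LDAP_USER_SEARCH_USE_TLS=True` combined with `use_ssl=False` still yields a plaintext `ldap://` session because nothing issues StartTLS; `auto_bind=ldap3.AUTO_BIND_TLS_BEFORE_BIND` on the `Connection(...)` line (or a `self.conn.start_tls()` before binding) is what actually upgrades the connection. `__init__` begins at the hunk header above the visible lines.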
4 changes: 4 additions & 0 deletions docs/pages/config.md
Expand Up @@ -253,6 +253,10 @@ exist in your backend LDAP to show up in the ColdFront user search.
| LDAP_USER_SEARCH_BASE | User search base dn |
| LDAP_USER_SEARCH_CONNECT_TIMEOUT | Time in seconds to wait before timing out. Default 2.5 |
| LDAP_USER_SEARCH_USE_SSL | Whether to use ssl when connecting to LDAP server. Default True |
| LDAP_USER_SEARCH_USE_TLS | Whether to use tls when connecting to LDAP server. Default False |
| LDAP_USER_SEARCH_PRIV_KEY_FILE | Path to the private key file. |
| LDAP_USER_SEARCH_CERT_FILE | Path to the certificate file. |
| LDAP_USER_SEARCH_CACERT_FILE | Path to the CA cert file. |

## Advanced Configuration
