Home Explore Help
Sign In
mirrors
/
Radicale
mirror of https://github.com/Kozea/Radicale
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

LDAP auth: change 'ldap_ssl_verify_mode' to NONE for ldapi://

For ldapi:// connections, which connect - by definition - to a local UNIX
socket, lower the value of config setting 'ldap_ssl_verify_mode' to "NONE"
to avoid certificate validation failures.
The UNIX socket address can NEVER match any DNS name from a certificate,
making the whole certificate validation moot.

This is a workaround for a limitation of Python's LDAP modules, that do not
consider this edge case.
Peter Marschall 5 months ago
parent
bcba53ed8d
commit
f0626a8dde
1 changed files with 3 additions and 0 deletions
Split View Show Diff Stats
  1. 3 0
      radicale/auth/ldap.py

+ 3 - 0
radicale/auth/ldap.py
View File 

@@ -119,6 +119,9 @@ class Auth(auth.BaseAuth):
 
         if self._ldap_uri.lower().startswith("ldaps://") and self._ldap_security not in ("tls", "starttls"):
 
             logger.info("Inferring 'ldap_security' = tls from 'ldap_uri' starting with 'ldaps://'")
 
             self._ldap_security = "tls"
 
+        if self._ldap_uri.lower().startswith("ldapi://") and self._ldap_ssl_verify_mode != "NONE":
 
+            logger.info("Lowering 'ldap_'ldap_ssl_verify_mode' to NONE for 'ldap_uri' starting with 'ldapi://'")
 
+            self._ldap_ssl_verify_mode = "NONE"
 
 
         if self._ldap_ssl_ca_file == "" and self._ldap_ssl_verify_mode != "NONE" and self._ldap_security in ("tls", "starttls"):
 
             logger.warning("Certificate verification not possible: 'ldap_ssl_ca_file' not set")