#1791

* support TLS connections to the ldap server * better error reporting git-svn-id: https://xpra.org/svn/Xpra/trunk@18834 3bb7dfac-3a0b-4e04-842a-767bc560f471
Xpra-org · Mar 25, 2018 · bfdee42 · bfdee42
1 parent 603dac4
commit bfdee42
Showing 1 changed file with 30 additions and 12 deletions.
diff --git a/src/xpra/server/auth/ldap_auth.py b/src/xpra/server/auth/ldap_auth.py
@@ -26,8 +26,13 @@ def init(opts):
 class Authenticator(SysAuthenticatorBase):
 
     def __init__(self, username, **kwargs):
+        self.tls = bool(int(kwargs.pop("tls", "0")))
         self.host = kwargs.pop("host", "localhost")
-        self.port = int(kwargs.pop("port", "389"))
+        if self.tls:
+            default_port = 636
+        else:
+            default_port = 389
+        self.port = int(kwargs.pop("port", default_port))
         self.username_format = kwargs.pop("username_format", "cn=%username, o=%domain")
         #self.username_format = kwargs.pop("username_format", "%username@%domain")
         SysAuthenticatorBase.__init__(self, username, **kwargs)
@@ -50,9 +55,21 @@ def get_challenge(self, digests):
 
     def check(self, password):
         log("check(%s)", obsc(password))
+        def emsg(e):
+            try:
+                log.error(" LDAP Error: %s", e.message["desc"])
+                if "info" in e.message:
+                    log.error("  %s", e.message["info"])
+            except:
+                #python3: no way to get to the message dict?
+                log.error(" %s", e)
         try:
             assert self.username and password
-            server = "ldap://%s:%i" % (self.host, self.port)
+            if self.tls:
+                protocol = "ldaps"
+            else:
+                protocol = "ldap"
+            server = "%s://%s:%i" % (protocol, self.host, self.port)
             conn = ldap.initialize(server, trace_level=LDAP_TRACE_LEVEL or is_debug_enabled("auth"))
             conn.protocol_version = LDAP_PROTOCOL_VERSION
             conn.set_option(ldap.OPT_REFERRALS, LDAP_REFERRALS)
@@ -69,17 +86,14 @@ def check(self, password):
         except ldap.INVALID_CREDENTIALS:
             log("check(..)", exc_info=True)
             return False
-        except ldap.SERVER_DOWN:
+        except ldap.SERVER_DOWN as e:
             log("check(..)", exc_info=True)
-            log.warn("Warning: LDAP server at %s:%i is unreachable", self.host, self.port)
+            log.warn("Warning: LDAP %sserver at %s:%i is unreachable", ["", "TLS "][self.tls], self.host, self.port)
+            emsg(e)
         except ldap.LDAPError as e:
             log("check(..)", exc_info=True)
             log.error("Error: ldap authentication failed:")
-            try:
-                log.error(" LDAP Error: %s", e.message["desc"])
-            except:
-                #python3: no way to get to the message dict?
-                log.error(" %s", e)
+            emsg(e)
             return False
 
 
@@ -90,17 +104,21 @@ def main(argv):
             if x=="-v" or x=="--verbose":
                 enable_debug_for("auth")
                 argv.remove(x)
-        if len(argv) not in (3,4,5):
+        if len(argv) not in (3,4,5,6,7):
             sys.stderr.write("%s invalid arguments\n" % argv[0])
             sys.stderr.write("usage: %s username password [server]\n" % argv[0])
             return 1
         username = argv[1]
         password = argv[2]
         kwargs = {}
         if len(argv)>=4:
-            kwargs["server"] = argv[3]
+            kwargs["host"] = argv[3]
         if len(argv)>=5:
-            kwargs["username_format"] = argv[4]
+            kwargs["port"] = argv[4]
+        if len(argv)>=6:
+            kwargs["tls"] = argv[5]
+        if len(argv)>=7:
+            kwargs["username_format"] = argv[6]
         a = Authenticator(username, **kwargs)
         server_salt, digest = a.get_challenge(["xor"])
         salt_digest = a.choose_salt_digest(get_digests())