[dak/master] Re-enable TLS for LDAP
CACERTFILE now must point to a CA, using service certificates directly
doesn't work.
Also use per-connection settings for TLS. Note that the order of
set_option calls matters (setting ldap.OPT_X_TLS_NEWCTX first
fails)...
---
config/debian-security/dak.conf | 2 +-
config/debian/dak.conf | 2 +-
daklib/dbconn.py | 12 +++---------
3 files changed, 5 insertions(+), 11 deletions(-)
diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf
index 42aa1e4..901f9ac 100644
--- a/config/debian-security/dak.conf
+++ b/config/debian-security/dak.conf
@@ -56,7 +56,7 @@ Import-LDAP-Fingerprints
{
LDAPDn "ou=users,dc=debian,dc=org";
LDAPServer "db.debian.org";
- // CACertFile "/etc/ssl/certs/db.debian.org.pem";
+ CACertFile "/etc/ssl/ca-debian/ca-certificates.crt";
ExtraKeyrings
{
"/srv/keyring.debian.org/keyrings/removed-keys.pgp";
diff --git a/config/debian/dak.conf b/config/debian/dak.conf
index 8a18937..cf0ef40 100644
--- a/config/debian/dak.conf
+++ b/config/debian/dak.conf
@@ -99,7 +99,7 @@ Import-LDAP-Fingerprints
{
LDAPDn "ou=users,dc=debian,dc=org";
LDAPServer "db.debian.org";
- // CACertFile "/etc/ssl/certs/db.debian.org.pem";
+ CACertFile "/etc/ssl/ca-debian/ca-certificates.crt";
ExtraKeyrings
{
"/srv/keyring.debian.org/keyrings/removed-keys.pgp";
diff --git a/daklib/dbconn.py b/daklib/dbconn.py
index 3fab31b..432ddf8 100644
--- a/daklib/dbconn.py
+++ b/daklib/dbconn.py
@@ -1232,15 +1232,9 @@ class Keyring(object):
l = ldap.open(LDAPServer)
if ca_cert_file:
- # TODO: This should request a new context and use
- # connection-specific options (i.e. "l.set_option(...)")
-
- # Request a new TLS context. If there was already one, libldap
- # would not change the TLS options (like which CAs to trust).
- #l.set_option(ldap.OPT_X_TLS_NEWCTX, True)
- ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_HARD)
- #ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, None)
- ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_file)
+ l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_HARD)
+ l.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_file)
+ l.set_option(ldap.OPT_X_TLS_NEWCTX, True)
l.start_tls_s()
l.simple_bind_s("","")
--
2.1.4
Reply to: