Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 4.1.0
- Fix Version/s: 4.3.0
- Component/s: core.users
- Labels: None
- Target Version:
Description
Even though the admin hadn't set ldap_cert (it was null), authentication via LDAP would work, but LDAP synchronization would fail.
It seems we fixed the certificate validation logic in auth/backend.py, but we did not do so in useradmin/ldap_access.py.
The following uses the insecure option OPT_X_TLS_ALLOW, which lets the TLS handshake proceed even if the server certificate is invalid.
Also, the real bug here is that it assumes the library default does not require certificate validation, so when no certificate is configured the option is left untouched.

    # Buggy code from useradmin/ldap_access.py: TLS options are only set when a
    # CA file is configured, and then validation is downgraded to ALLOW.
    if cert_file is not None:
        ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
        ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cert_file)
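Added example (not the project's own code): the quoted check alongside a corrected form that sets OPT_X_TLS_REQUIRE_CERT explicitly in every case instead of relying on the library default. `RecordingLdap` is a constructed stand-in for the python-ldap module so the logic can be exercised without a directory server, and `validate_certs` is an assumed setting, not a configuration key from the project.

```python
class RecordingLdap:
    """Stand-in for the python-ldap module: same OPT_X_TLS_* names, but
    set_option() only records what would have been applied."""

    # Constants mirror OpenLDAP's ldap.h (constructed here for offline use).
    OPT_X_TLS_CACERTFILE = 0x6001
    OPT_X_TLS_REQUIRE_CERT = 0x6006
    OPT_X_TLS_NEWCTX = 0x600F
    OPT_X_TLS_DEMAND = 2
    OPT_X_TLS_ALLOW = 3

    def __init__(self):
        self.options = {}

    def set_option(self, option, value):
        self.options[option] = value


def configure_tls_buggy(ldap_api, cert_file):
    """The pattern quoted in the ticket: TLS options are only touched when a
    CA file is configured, and then validation is downgraded to ALLOW.
    With cert_file=None nothing is set and the library default applies."""
    if cert_file is not None:
        ldap_api.set_option(ldap_api.OPT_X_TLS_REQUIRE_CERT, ldap_api.OPT_X_TLS_ALLOW)
        ldap_api.set_option(ldap_api.OPT_X_TLS_CACERTFILE, cert_file)


def configure_tls_fixed(ldap_api, cert_file, validate_certs=True):
    """Always set REQUIRE_CERT explicitly: DEMAND rejects an invalid or
    untrusted server certificate; ALLOW is used only when the (assumed)
    validate_certs setting disables validation. A CA file is passed
    through only when one was configured."""
    if validate_certs:
        require = ldap_api.OPT_X_TLS_DEMAND
    else:
        require = ldap_api.OPT_X_TLS_ALLOW
    ldap_api.set_option(ldap_api.OPT_X_TLS_REQUIRE_CERT, require)
    if cert_file is not None:
        ldap_api.set_option(ldap_api.OPT_X_TLS_CACERTFILE, cert_file)
    # Global TLS options are only picked up by a freshly created TLS context.
    ldap_api.set_option(ldap_api.OPT_X_TLS_NEWCTX, 0)


def peer_validation_required(recording_ldap):
    """True when the recorded options would make the client reject a bad
    server certificate (REQUIRE_CERT explicitly set to DEMAND)."""
    return (recording_ldap.options.get(recording_ldap.OPT_X_TLS_REQUIRE_CERT)
            == recording_ldap.OPT_X_TLS_DEMAND)
```

With the real `ldap` module passed as `ldap_api`, `configure_tls_fixed` applies the options globally before `ldap.initialize()` is called.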