Commit afd80fd

Check and warn if OPT_X_TLS_NEWCTX is required

See #55

Signed-off-by: Christian Heimes <cheimes@redhat.com>
1 parent 084ffe0 commit afd80fd

10 files changed

+265
-40
lines changed

Doc/reference/ldap.rst

Lines changed: 139 additions & 5 deletions
@@ -84,7 +84,13 @@ This module defines the following functions:
8484
.. py:function:: set_option(option, invalue) -> None
8585
8686
This function sets the value of the global option specified by *option* to
87-
*invalue*.
87+
*invalue*. Any change to global settings
88+
89+
.. note::
90+
91+
Most global settings do not affect existing :py:class:`LDAPObject`
92+
connections. Applications should call :py:func:`set_option()` before
93+
they establish connections with :py:func:`initialize`.
8894

8995

9096
.. _ldap-constants:
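Review bot: the new sentence on line 87+ is left unfinished: `*invalue*. Any change to global settings` ends without a predicate before the `.. note::` directive starts. Either complete it (for example "Any change to global settings affects only connections created afterwards.") or drop the fragment, since the note that follows already makes that point.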
@@ -124,10 +130,10 @@ Options
124130

125131
:manpage:`ldap.conf(5)` and :manpage:`ldap_get_option(3)`
126132

127-
128-
For use with functions :py:func:set_option() and :py:func:get_option()
129-
and methods :py:method:LDAPObject.set_option() and :py:method:LDAPObject.get_option() the
130-
following option identifiers are defined as constants:
133+
For use with functions :py:func:`set_option()` and :py:func:`get_option()`
134+
and methods :py:meth:`LDAPObject.set_option()` and
135+
:py:meth:`LDAPObject.get_option()` the following option identifiers
136+
are defined as constants:
131137

132138
.. py:data:: OPT_API_FEATURE_INFO
133139
@@ -220,34 +226,162 @@ SASL options
220226
TLS options
221227
:::::::::::
222228

229+
.. warning::
230+
libldap does not materialize all TLS settings immediately, with the
231+
exception of :py:const:`OPT_X_TLS`. You must use
232+
:py:const:`OPT_X_TLS_NEWCTX` to instruct libldap to apply pending TLS
233+
settings and create a new internal TLS context::
234+
235+
conn = ldap.initialize(ldap_uri)
236+
conn.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/ca.pem')
237+
conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
238+
conn.start_tls_s()
239+
conn.simple_bind_s(dn, password)
240+
223241
.. py:data:: OPT_X_TLS
224242
243+
TLS enforcement mode, perform STARTTLS for plain LDAP connections. The
244+
setting has no affect when the LDAP connection is already established.
245+
246+
:py:const:`OPT_X_TLS_NEVER`
247+
Don't enforce TLS (default)
248+
249+
:py:const:`OPT_X_TLS_HARD`
250+
Enforce TLS. libldap will automatically perform STARTTLS for plain
251+
LDAP connections.
252+
253+
.. py:data:: OPT_X_TLS_ALL
254+
255+
Value for :py:const:`OPT_X_TLS_CRLCHECK`
256+
225257
.. py:data:: OPT_X_TLS_ALLOW
226258
259+
Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
260+
227261
.. py:data:: OPT_X_TLS_CACERTDIR
228262
263+
get/set path to directory with CA certs
264+
229265
.. py:data:: OPT_X_TLS_CACERTFILE
230266
267+
get/set path to PEM file with CA certs
268+
231269
.. py:data:: OPT_X_TLS_CERTFILE
232270
271+
get/set path to file with PEM encoded cert for client cert authentication,
272+
requires :py:const:`OPT_X_TLS_KEYFILE`.
273+
274+
.. py:data:: OPT_X_TLS_CIPHER
275+
276+
get cipher suite name from TLS session
277+
233278
.. py:data:: OPT_X_TLS_CIPHER_SUITE
234279
280+
get/set allowed cipher suites
281+
282+
.. py:data:: OPT_X_TLS_CRLCHECK
283+
284+
get/set CRL check mode. CRL validation needs :py:const:`OPT_X_TLS_CRLFILE`
285+
286+
:py:const:`OPT_X_TLS_NONE`
287+
Don't perform CRL checks
288+
289+
:py:const:`OPT_X_TLS_PEER`
290+
Perform CRL check for peer's end entity cert.
291+
292+
:py:const:`OPT_X_TLS_ALL`
293+
Perform CRL checks for the whole cert chain
294+
295+
.. py:data:: OPT_X_TLS_CRLFILE
296+
297+
get/set path to CRL file
298+
235299
.. py:data:: OPT_X_TLS_CTX
236300
301+
get address of internal memory address of TLS context (**DO NOT USE**)
302+
237303
.. py:data:: OPT_X_TLS_DEMAND
238304
305+
Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
306+
239307
.. py:data:: OPT_X_TLS_HARD
240308
309+
Value for :py:const:`OPT_X_TLS` and :py:const:`OPT_X_TLS_REQUIRE_CERT`
310+
241311
.. py:data:: OPT_X_TLS_KEYFILE
242312
313+
get/set path to file with PEM encoded key for client cert authentication,
314+
requires :py:const:`OPT_X_TLS_CERTFILE`.
315+
243316
.. py:data:: OPT_X_TLS_NEVER
244317
318+
Value for :py:const:`OPT_X_TLS` and :py:const:`OPT_X_TLS_REQUIRE_CERT`
319+
320+
.. py:data:: OPT_X_TLS_NEWCTX
321+
322+
set and apply TLS settings to underlying TLS context
323+
324+
.. py:data:: OPT_X_TLS_NONE
325+
326+
Value for :py:const:`OPT_X_TLS_CRLCHECK`
327+
328+
.. py:data:: OPT_X_TLS_PACKAGE
329+
330+
Get TLS implementation, known values are
331+
332+
* ``GnuTLS``
333+
* ``MozNSS`` (Mozilla NSS)
334+
* ``OpenSSL``
335+
336+
.. py:data:: OPT_X_TLS_PEER
337+
338+
Value for :py:const:`OPT_X_TLS_CRLCHECK`
339+
340+
.. py:data:: OPT_X_TLS_PEERCERT
341+
342+
Get peer's certificate as BER/DER data structure (not supported)
343+
344+
.. py:data:: OPT_X_TLS_PROTOCOL_MIN
345+
346+
get/set minimum protocol version (wire protocol version as int)
347+
348+
* ``0x300`` for SSL 3.0
349+
* ``0x301`` for TLS 1.0
350+
* ``0x302`` for TLS 1.1
351+
* ``0x303`` for TLS 1.2
352+
* ``0x304`` for TLS 1.3
353+
245354
.. py:data:: OPT_X_TLS_RANDOM_FILE
246355
356+
get/set path to /dev/urandom (**DO NOT USE**)
357+
247358
.. py:data:: OPT_X_TLS_REQUIRE_CERT
248359
360+
get/set validation strategy for server cert.
361+
362+
:py:const:`OPT_X_TLS_NEVER`
363+
Don't check server cert and host name
364+
365+
:py:const:`OPT_X_TLS_ALLOW`
366+
Ignore cert validation errors and don't check host name
367+
368+
:py:const:`OPT_X_TLS_TRY`
369+
This value is only used by slapd server internally. (**DO NOT USE**)
370+
371+
:py:const:`OPT_X_TLS_DEMAND`
372+
Validate peer cert chain and host name
373+
374+
:py:const:`OPT_X_TLS_HARD`
375+
Same as :py:const:`OPT_X_TLS_DEMAND`
376+
249377
.. py:data:: OPT_X_TLS_TRY
250378
379+
Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
380+
381+
.. py:data:: OPT_X_TLS_VERSION
382+
383+
Get negotiated TLS protocol version as string
384+
251385
.. _ldap-keepalive-options:
252386

253387
Keepalive options
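Review bot: the new `OPT_X_TLS_NEWCTX` entry (line 322+) says only "set and apply TLS settings to underlying TLS context" and never explains the integer argument, yet the warning at the top of the section passes `conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)` without saying what `0` means; document the accepted values there so readers do not copy the literal blindly. The `OPT_X_TLS_REQUIRE_CERT` list (lines 362+ to 375+) also marks no default, unlike the `OPT_X_TLS` list above it, which matters because this is the setting that decides whether the server certificate and host name are validated at all. Two smaller points: line 244+ should read "has no effect", and line 301+ "get address of internal memory address of TLS context" doubles up "address"; "get the memory address of the internal TLS context" reads cleaner.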

Doc/spelling_wordlist.txt

Lines changed: 2 additions & 0 deletions
@@ -38,6 +38,7 @@ defresult
3838
dereferenced
3939
dereferencing
4040
desc
41+
dev
4142
directoryOperation
4243
distinguished
4344
distributedOperation
@@ -143,6 +144,7 @@ UDP
143144
Umich
144145
unparsing
145146
unsigend
147+
urandom
146148
uri
147149
urlPrefix
148150
urlscheme

Lib/ldap/constants.py

Lines changed: 0 additions & 1 deletion
@@ -281,7 +281,6 @@ class Str(Constant):
281281
TLSInt('OPT_X_TLS_DEMAND'),
282282
TLSInt('OPT_X_TLS_ALLOW'),
283283
TLSInt('OPT_X_TLS_TRY'),
284-
TLSInt('OPT_X_TLS_PEERCERT', optional=True),
285284

286285
TLSInt('OPT_X_TLS_VERSION', optional=True),
287286
TLSInt('OPT_X_TLS_CIPHER', optional=True),
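Review bot: dropping `TLSInt('OPT_X_TLS_PEERCERT', optional=True)` here conflicts with the documentation hunk in `Doc/reference/ldap.rst`, which still adds a `.. py:data:: OPT_X_TLS_PEERCERT` entry (line 340+, described as "not supported"); either keep the constant or remove the doc entry so the two do not disagree about whether the name exists.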

Makefile

Lines changed: 4 additions & 1 deletion
@@ -9,7 +9,10 @@ PYTHON_SUPP=/usr/share/doc/python3-devel/valgrind-python.supp
99
.NOTPARALLEL:
1010

1111
.PHONY: all
12-
all:
12+
all: Modules/constants_generated.h
13+
14+
Modules/constants_generated.h: Lib/ldap/constants.py
15+
$(PYTHON) $^ > $@
1316

1417
.PHONY: clean
1518
clean:
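Review bot: the new rule `$(PYTHON) $^ > $@` redirects straight into the target, so if the generator script fails the shell has already created a truncated `Modules/constants_generated.h` that is newer than `Lib/ldap/constants.py`, and the next `make` will treat it as up to date. Write to a temporary file and `mv` it into place on success, or add `.DELETE_ON_ERROR:` next to the existing `.NOTPARALLEL:`. Also worth confirming that `clean:` below removes the generated header, since `all` now depends on it.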

0 commit comments
