From db7345c76e662387565c960cf2b685c031800a54 Mon Sep 17 00:00:00 2001
From: Mathieu Rollet
Date: Tue, 19 Jan 2021 16:36:25 +0100
Subject: [PATCH] Support CA cert file by setting an env variable
Add the option to use a CA cert file by setting the environment variable with the path to the CA cert file. Reference documentation here : https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#tls-options
---
 README.md | 4 ++++
 nginx-ldap-auth-daemon.py | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/README.md b/README.md
index 531aff9..73dd19c 100644
--- a/README.md
+++ b/README.md
@@ -48,6 +48,10 @@ To install and configure the reference implementation, perform the following ste
 ```
 docker build -t nginx-ldap-auth-daemon --build-arg PYTHON_VERSION=3 .
 ```
+ If you want to use a CA certification file for validating the LDAP authentication server when using TLS, you can set the `LDAP_CA_CERT` environment variable in the environment running the authentication daemon. With the Docker container, you can do:
+ ```
+ docker run -e LDAP_CA_CERT='/path/to/cacert/file' nginx-ldap-auth-daemon
+ ```
 - **nginx-ldap-auth-daemon-ctl.sh** – Sample shell script for starting and stopping the daemon. Install on the same host as the ldap-auth daemon.
diff --git a/nginx-ldap-auth-daemon.py b/nginx-ldap-auth-daemon.py
index 388364c..71875dd 100755
--- a/nginx-ldap-auth-daemon.py
+++ b/nginx-ldap-auth-daemon.py
@@ -218,6 +218,10 @@ def do_GET(self):
 # Establish a STARTTLS connection if required by the
 # headers.
 if ctx['starttls'] == 'true':
+ cacert_file = os.getenv("LDAP_CA_CERT")
+ if cacert_file:
+ ldap_obj.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert_file)
+ ldap_obj.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
 ldap_obj.start_tls_s()
 # See https://www.python-ldap.org/en/latest/faq.html
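Review bot: Pointing `OPT_X_TLS_CACERTFILE` at a CA file does not by itself make `start_tls_s()` reject an untrusted server certificate; whether the chain is actually enforced is governed by `ldap.OPT_X_TLS_REQUIRE_CERT`, which the hunk leaves to whatever the host's libldap configuration (`TLS_REQCERT`) supplies, so on a host configured with `never` the new option is silently ineffective. Consider pinning the policy next to the file, before the `OPT_X_TLS_NEWCTX` line that must remain last: `ldap_obj.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)`. The new lines also run only under `ctx['starttls'] == 'true'`, so a deployment that reaches the server over an `ldaps://` URL (if the daemon accepts one; URL handling is outside this hunk) would never see the CA file, and hoisting the `os.getenv`/`set_option` calls above the STARTTLS check would presumably cover both paths since the options are applied to `ldap_obj` before any operation. `do_GET` starts and ends outside the hunk.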