Merge pull request #154 from dm3ch/ldap-tls

Add support for LDAP tls
2023-08-17 17:02:16 -04:00 · 2023-08-17 17:02:16 -04:00 · 713b364a79
--- a/.env.example.ldap
+++ b/.env.example.ldap
@ -53,6 +53,19 @@ LDAP_BIND_PASSWORD="password"
 ## Page size for paginating LDAP query (default is 1000 for Active Directory)
 LDAP_SEARCH_PAGE_SIZE=1000

+## Use ssl. Optional, disabled by default.
+LDAP_USE_SSL=true
+## Path to private key file. Optional.
+LDAP_SSL_PRIVATE_KEY=private.key
+## Path to server certificate file. Optional.
+LDAP_SSL_CERTIFICATE=cert.pem
+## Validate server cert. Optional, requires cert by default.
+LDAP_SSL_VALIDATE=CERT_REQUIRED
+## Used SSL version. Optional, uses maximum supported version by default.
+LDAP_SSL_VERSION=PROTOCOL_TLS
+## CA certs path. Optional, if doesn't specified system CA used.
+LDAP_SSL_CA_CERTS=cacert.b64
+
 #########################
 ## Additional settings ##
 #########################
--- a/README.md
+++ b/README.md
@ -18,7 +18,7 @@ This utility provides the following functionality:
 | --- | --- | --- |
 | Sync Users | Yes | Add or remove users from `Teams` in GitHub to keep in sync with Active Directory groups |
 | Dynamic Config | Yes | Utilize a `settings` file to derive Active Directory and GitHub settings |
-| LDAP SSL | No | SSL or TLS connections. This is a WIP |
+| LDAP SSL | Yes | SSL or TLS connections. |
 | Failure notifications | Yes | Presently supports opening a GitHub issue when sync failed. The repo is configurable. |
 | Sync on new team | Yes | Synchronize users when a new team is created |
 | Sync on team edit | No | This event is not processed currently |
--- a/githubapp/ldap.py
+++ b/githubapp/ldap.py
@ -3,7 +3,8 @@ import traceback
 import sys
 import json
 import logging
-from ldap3 import Server, Connection, ALL
+import ssl
+from ldap3 import Server, Connection, Tls, ALL
 from ldap3.utils.conv import escape_filter_chars
 from pprint import pprint

@ -41,8 +42,33 @@ class LDAPClient:
            raise Exception("LDAP credentials have not been specified")

        self.USER_SYNC_ATTRIBUTE = os.environ["USER_SYNC_ATTRIBUTE"]
+        
+        self.LDAP_USE_SSL = bool(os.environ("LDAP_USE_SSL", False))
+        if self.LDAP_USE_SSL:
+            self.LDAP_SSL_PRIVATE_KEY = os.environ.get('LDAP_SSL_PRIVATE_KEY')
+            self.LDAP_SSL_CERTIFICATE = os.environ.get('LDAP_SSL_CERTIFICATE')
+            try:
+                self.LDAP_SSL_VALIDATE = ssl.VerifyMode[os.environ.get('LDAP_SSL_VALIDATE', 'CERT_REQUIRED')]
+            except KeyError:
+                raise Exception(f"LDAP_SSL_VALIDATE valid options are {ssl.VerifyMode._member_names_}")
+            try:
+                self.LDAP_SSL_VERSION = ssl._SSLMethod[os.environ.get('LDAP_SSL_VERSION', 'PROTOCOL_TLS')]
+            except KeyError:
+                raise Exception(f"LDAP_SSL_VERSION valid options are {ssl._SSLMethod._member_names_}")
+            self.LDAP_SSL_CA_CERTS = os.environ.get('LDAP_SSL_CA_CERTS')
+            self.tls = Tls(
+                local_private_key_file = self.LDAP_SSL_PRIVATE_KEY, 
+                local_certificate_file = self.LDAP_SSL_CERTIFICATE,
+                validate = self.LDAP_SSL_VALIDATE,
+                version = self.LDAP_SSL_VERSION,
+                ca_certs_file = self.LDAP_SSL_CA_CERTS
+            )
+        else:
+            self.tls = None
+
+        self.srv = Server(host = self.LDAP_SERVER_HOST, port = self.LDAP_SERVER_HOST, use_ssl = self.USE_SSL, tls = self.tls)
        self.conn = Connection(
-            self.LDAP_SERVER_HOST,
+            self.srv,
            user=self.LDAP_BIND_USER,
            password=self.LDAP_BIND_PASSWORD,
            auto_bind=True,