Merge pull request #154 from dm3ch/ldap-tls

Add support for LDAP tls

.env.example.ldap

@@ -53,6 +53,19 @@ LDAP_BIND_PASSWORD="password"
 ## Page size for paginating LDAP query (default is 1000 for Active Directory)
 LDAP_SEARCH_PAGE_SIZE=1000
 
+## Use ssl. Optional, disabled by default.
+LDAP_USE_SSL=true
+## Path to private key file. Optional.
+LDAP_SSL_PRIVATE_KEY=private.key
+## Path to server certificate file. Optional.
+LDAP_SSL_CERTIFICATE=cert.pem
+## Validate server cert. Optional, requires cert by default.
+LDAP_SSL_VALIDATE=CERT_REQUIRED
+## Used SSL version. Optional, uses maximum supported version by default.
+LDAP_SSL_VERSION=PROTOCOL_TLS
+## CA certs path. Optional, if doesn't specified system CA used.
+LDAP_SSL_CA_CERTS=cacert.b64
+
 #########################
 ## Additional settings ##
 #########################

README.md

@@ -18,7 +18,7 @@ This utility provides the following functionality:
 | --- | --- | --- |
 | Sync Users | Yes | Add or remove users from `Teams` in GitHub to keep in sync with Active Directory groups |
 | Dynamic Config | Yes | Utilize a `settings` file to derive Active Directory and GitHub settings |
-| LDAP SSL | No | SSL or TLS connections. This is a WIP |
+| LDAP SSL | Yes | SSL or TLS connections. |
 | Failure notifications | Yes | Presently supports opening a GitHub issue when sync failed. The repo is configurable. |
 | Sync on new team | Yes | Synchronize users when a new team is created |
 | Sync on team edit | No | This event is not processed currently |

githubapp/ldap.py

@@ -3,7 +3,8 @@ import traceback
 import sys
 import json
 import logging
-from ldap3 import Server, Connection, ALL
+import ssl
+from ldap3 import Server, Connection, Tls, ALL
 from ldap3.utils.conv import escape_filter_chars
 from pprint import pprint
 
@@ -41,8 +42,33 @@ class LDAPClient:
             raise Exception("LDAP credentials have not been specified")
 
         self.USER_SYNC_ATTRIBUTE = os.environ["USER_SYNC_ATTRIBUTE"]
+        
+        self.LDAP_USE_SSL = bool(os.environ("LDAP_USE_SSL", False))
+        if self.LDAP_USE_SSL:
+            self.LDAP_SSL_PRIVATE_KEY = os.environ.get('LDAP_SSL_PRIVATE_KEY')
+            self.LDAP_SSL_CERTIFICATE = os.environ.get('LDAP_SSL_CERTIFICATE')
+            try:
+                self.LDAP_SSL_VALIDATE = ssl.VerifyMode[os.environ.get('LDAP_SSL_VALIDATE', 'CERT_REQUIRED')]
+            except KeyError:
+                raise Exception(f"LDAP_SSL_VALIDATE valid options are {ssl.VerifyMode._member_names_}")
+            try:
+                self.LDAP_SSL_VERSION = ssl._SSLMethod[os.environ.get('LDAP_SSL_VERSION', 'PROTOCOL_TLS')]
+            except KeyError:
+                raise Exception(f"LDAP_SSL_VERSION valid options are {ssl._SSLMethod._member_names_}")
+            self.LDAP_SSL_CA_CERTS = os.environ.get('LDAP_SSL_CA_CERTS')
+            self.tls = Tls(
+                local_private_key_file = self.LDAP_SSL_PRIVATE_KEY, 
+                local_certificate_file = self.LDAP_SSL_CERTIFICATE,
+                validate = self.LDAP_SSL_VALIDATE,
+                version = self.LDAP_SSL_VERSION,
+                ca_certs_file = self.LDAP_SSL_CA_CERTS
+            )
+        else:
+            self.tls = None
+
+        self.srv = Server(host = self.LDAP_SERVER_HOST, port = self.LDAP_SERVER_HOST, use_ssl = self.USE_SSL, tls = self.tls)
         self.conn = Connection(
-            self.LDAP_SERVER_HOST,
+            self.srv,
             user=self.LDAP_BIND_USER,
             password=self.LDAP_BIND_PASSWORD,
             auto_bind=True,