Add new env parameter to set ldap ca cert file

2022-01-31 19:34:32 +01:00 · 2022-01-31 19:34:32 +01:00 · 505bac514f
commit 505bac514f
parent 8216d0c025
3 changed files with 4 additions and 0 deletions
--- a/.env.template
+++ b/.env.template
@ -146,6 +146,7 @@ REVERSE_PROXY_AUTH=0
 #AUTH_LDAP_BIND_DN=
 #AUTH_LDAP_BIND_PASSWORD=
 #AUTH_LDAP_USER_SEARCH_BASE_DN=
+#AUTH_LDAP_TLS_CACERTFILE=

 # Enables exporting PDF (see export docs)
 # Disabled by default, uncomment to enable
--- a/docs/features/authentication.md
+++ b/docs/features/authentication.md
@ -96,6 +96,7 @@ AUTH_LDAP_USER_SEARCH_FILTER_STR=(uid=%(user)s)
 AUTH_LDAP_USER_ATTR_MAP={'first_name': 'givenName', 'last_name': 'sn', 'email': 'mail'}
 AUTH_LDAP_ALWAYS_UPDATE_USER=1
 AUTH_LDAP_CACHE_TIMEOUT=3600
+AUTH_LDAP_TLS_CACERTFILE=/etc/ssl/certs/own-ca.pem
 ```

 ## Reverse Proxy Authentication
--- a/recipes/settings.py
+++ b/recipes/settings.py
@ -186,6 +186,8 @@ if LDAP_AUTH:
    }
    AUTH_LDAP_ALWAYS_UPDATE_USER = bool(int(os.getenv('AUTH_LDAP_ALWAYS_UPDATE_USER', True)))
    AUTH_LDAP_CACHE_TIMEOUT = int(os.getenv('AUTH_LDAP_CACHE_TIMEOUT', 3600))
+    if 'AUTH_LDAP_TLS_CACERTFILE' in os.environ:
+        AUTH_LDAP_GLOBAL_OPTIONS = { ldap.OPT_X_TLS_CACERTFILE: os.getenv('AUTH_LDAP_TLS_CACERTFILE') }

 AUTHENTICATION_BACKENDS += [
    'django.contrib.auth.backends.ModelBackend',