Process missing libldap options #461

Merged
merged 8 commits into from
Apr 20, 2022
69 changes: 52 additions & 17 deletions Doc/reference/ldap.rst
Expand Up @@ -372,21 +372,27 @@ TLS options
.. py:data:: OPT_X_TLS_ALLOW

Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
and :py:const:`OPT_X_TLS_REQUIRE_SAN`

.. py:data:: OPT_X_TLS_DEMAND

Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
and :py:const:`OPT_X_TLS_REQUIRE_SAN`

.. py:data:: OPT_X_TLS_HARD

Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
and :py:const:`OPT_X_TLS_REQUIRE_SAN`

.. py:data:: OPT_X_TLS_NEVER

Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
and :py:const:`OPT_X_TLS_REQUIRE_SAN`

.. py:data:: OPT_X_TLS_TRY

Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`

.. deprecated:: 3.3.0
This value is only used by slapd server internally. It will be removed
in the future.
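Review bot: OPT_X_TLS_TRY (the last entry in this hunk) is listed as a value only for OPT_X_TLS_REQUIRE_CERT, while ALLOW, DEMAND, HARD and NEVER are each listed for both OPT_X_TLS_REQUIRE_CERT and OPT_X_TLS_REQUIRE_SAN. If TRY is intentionally excluded for REQUIRE_SAN, say so in the entry (its `.. deprecated:: 3.3.0` note already explains it is slapd-internal); otherwise add the missing "and :py:const:`OPT_X_TLS_REQUIRE_SAN`" line for consistency, since a reader comparing the five entries will otherwise read the omission as a typo.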
Expand All @@ -400,20 +406,60 @@ TLS options

get/set allowed cipher suites

.. py:data:: OPT_X_TLS_CTX
.. py:data:: OPT_X_TLS_PEERCERT

get address of internal memory address of TLS context (**DO NOT USE**)
Get peer's certificate as binary ASN.1 data structure (DER)

.. py:data:: OPT_X_TLS_PEERCERT
.. versionadded:: 3.4.1

Get peer's certificate as binary ASN.1 data structure (not supported)
.. note::
The option leaks memory with OpenLDAP < 2.5.8.

.. py:data:: OPT_X_TLS_PROTOCOL_MIN

get/set minimum protocol version (wire protocol version as int)

* ``0x303`` for TLS 1.2
* ``0x304`` for TLS 1.3
.. py:data:: OPT_X_TLS_PROTOCOL_MAX

get/set maximum protocol version (wire protocol version as int),
available in OpenSSL 2.5 and newer.

.. versionadded:: 3.4.1

.. py:data:: OPT_X_TLS_PROTOCOL_SSL3

Value for :py:const:`OPT_X_TLS_PROTOCOL_MIN` and
:py:const:`OPT_X_TLS_PROTOCOL_MAX`, represents SSL 3

.. versionadded:: 3.4.1

.. py:data:: OPT_X_TLS_PROTOCOL_TLS1_0

Value for :py:const:`OPT_X_TLS_PROTOCOL_MIN` and
:py:const:`OPT_X_TLS_PROTOCOL_MAX`, represents TLS 1.0

.. versionadded:: 3.4.1

.. py:data:: OPT_X_TLS_PROTOCOL_TLS1_1

Value for :py:const:`OPT_X_TLS_PROTOCOL_MIN` and
:py:const:`OPT_X_TLS_PROTOCOL_MAX`, represents TLS 1.1

.. versionadded:: 3.4.1

.. py:data:: OPT_X_TLS_PROTOCOL_TLS1_2

Value for :py:const:`OPT_X_TLS_PROTOCOL_MIN` and
:py:const:`OPT_X_TLS_PROTOCOL_MAX`, represents TLS 1.2

.. versionadded:: 3.4.1

.. py:data:: OPT_X_TLS_PROTOCOL_TLS1_3

Value for :py:const:`OPT_X_TLS_PROTOCOL_MIN` and
:py:const:`OPT_X_TLS_PROTOCOL_MAX`, represents TLS 1.3

.. versionadded:: 3.4.1

.. py:data:: OPT_X_TLS_VERSION

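Review bot: the OPT_X_TLS_PROTOCOL_MAX entry says "available in OpenSSL 2.5 and newer"; this should read OpenLDAP 2.5, which is what the `# Added in OpenLDAP 2.5` comment in Lib/ldap/constants.py in this PR says and what the `.. versionadded:: 3.4.1` line implies (there is no OpenSSL 2.5; OpenSSL went from 1.1.1 to 3.0). Two smaller points in the same hunk: the bullet list under OPT_X_TLS_PROTOCOL_MIN (``0x303`` / ``0x304``) runs straight into the next `.. py:data::` directive with no blank line, which docutils reports as "Bullet list ends without a blank line"; and now that OPT_X_TLS_PROTOCOL_TLS1_2 and OPT_X_TLS_PROTOCOL_TLS1_3 are defined, the MIN entry could name those constants instead of raw wire values so readers setting a TLS floor use the named constants. The `.. note::` on OPT_X_TLS_PEERCERT about the leak with OpenLDAP < 2.5.8 is worth keeping; if the leak is per call, say so, because applications that fetch the peer certificate on every bind will accumulate it.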
Expand All @@ -423,12 +469,6 @@ TLS options

get/set path to /dev/urandom (**DO NOT USE**)

.. py:data:: OPT_X_TLS

.. deprecated:: 3.3.0
The option is deprecated in OpenLDAP and should no longer be used. It
will be removed in the future.

.. note::

OpenLDAP supports several TLS/SSL libraries. OpenSSL is the most common
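Review bot: the OPT_X_TLS entry is deleted outright, but its 3.3.0 deprecation text promised removal "in the future" without naming a release, so users searching the docs for OPT_X_TLS will now find nothing. Add a `.. versionchanged::` (or CHANGES) line stating that the option was removed, and, if the constant is also dropped from Lib/ldap/constants.py in this PR, that `ldap.OPT_X_TLS` is no longer defined from this release on, so callers know to guard with `hasattr` rather than get a surprise AttributeError after upgrading.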
Expand Down Expand Up @@ -918,11 +958,6 @@ and wait for and return with the server's result, or with

The *dn* and *attr* arguments are text strings; see :ref:`bytes_mode`.

.. note::

A design fault in the LDAP API prevents *value*
from containing *NULL* characters.


.. py:method:: LDAPObject.delete(dn) -> int

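Review bot: the `.. note::` saying *value* cannot contain NULL characters is removed with nothing replacing it, so the reader cannot tell whether embedded NUL bytes are now accepted or whether the restriction still holds and only the wording was dropped. If the underlying call now passes *value* as a length-delimited berval, add a `.. versionchanged:: 3.4.1` line saying NUL bytes are accepted (and a test with a value containing `b"\x00"`); if not, the note should stay. Also, the double blank line left before `.. py:method:: LDAPObject.delete(dn)` can be collapsed to one.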
17 changes: 13 additions & 4 deletions Lib/ldap/constants.py
Expand Up @@ -244,6 +244,7 @@ class Str(Constant):
Int('OPT_SIZELIMIT'),
Int('OPT_TIMELIMIT'),
Int('OPT_REFERRALS', optional=True),
Int('OPT_RESULT_CODE'),
Int('OPT_ERROR_NUMBER'),
Int('OPT_RESTART'),
Int('OPT_PROTOCOL_VERSION'),
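Review bot: OPT_RESULT_CODE is added directly before OPT_ERROR_NUMBER, and in OpenLDAP's ldap.h LDAP_OPT_ERROR_NUMBER is defined as an alias of LDAP_OPT_RESULT_CODE (0x0031), so the two Python constants will carry the same integer value. That is fine, but none of the ldap.rst hunks in this PR adds an entry for OPT_RESULT_CODE; document it next to OPT_ERROR_NUMBER and mark the latter as the legacy alias so callers reading the last result code know which name to prefer.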
Expand All @@ -261,12 +262,11 @@ class Str(Constant):
Int('OPT_TIMEOUT'),
Int('OPT_REFHOPLIMIT'),
Int('OPT_NETWORK_TIMEOUT'),
Int('OPT_TCP_USER_TIMEOUT', optional=True),
Int('OPT_URI'),

Int('OPT_DEFBASE', optional=True),

TLSInt('OPT_X_TLS', optional=True),
TLSInt('OPT_X_TLS_CTX'),
TLSInt('OPT_X_TLS_CACERTFILE'),
TLSInt('OPT_X_TLS_CACERTDIR'),
TLSInt('OPT_X_TLS_CERTFILE'),
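Review bot: the hunk counts (12 lines old, 11 new, with OPT_TCP_USER_TIMEOUT the only addition) mean two existing entries go away here, and the documentation hunks in this PR delete OPT_X_TLS_CTX and OPT_X_TLS; if those are the two, the commit message and CHANGES should list both as removed public names. For the addition, `optional=True` is right because LDAP_OPT_TCP_USER_TIMEOUT only exists in newer libldap, but the option needs a docs entry stating the unit (the TCP_USER_TIMEOUT socket option it maps to is expressed in milliseconds on Linux) and that the constant is simply absent on builds without it; a timeout that an application believes it has set but which silently does nothing is a common cause of LDAP clients hanging on a half-open connection.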
Expand Down Expand Up @@ -299,8 +299,19 @@ class Str(Constant):
TLSInt('OPT_X_TLS_PACKAGE', optional=True),

# Added in OpenLDAP 2.4.52
TLSInt('OPT_X_TLS_ECNAME', optional=True),
TLSInt('OPT_X_TLS_REQUIRE_SAN', optional=True),

# Added in OpenLDAP 2.5
TLSInt('OPT_X_TLS_PEERCERT', optional=True),
TLSInt('OPT_X_TLS_PROTOCOL_MAX', optional=True),

TLSInt('OPT_X_TLS_PROTOCOL_SSL3', optional=True),
TLSInt('OPT_X_TLS_PROTOCOL_TLS1_0', optional=True),
TLSInt('OPT_X_TLS_PROTOCOL_TLS1_1', optional=True),
TLSInt('OPT_X_TLS_PROTOCOL_TLS1_2', optional=True),
TLSInt('OPT_X_TLS_PROTOCOL_TLS1_3', optional=True),

Int('OPT_X_SASL_MECH'),
Int('OPT_X_SASL_REALM'),
Int('OPT_X_SASL_AUTHCID'),
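Review bot: the `# Added in OpenLDAP 2.5` comment here contradicts the "OpenSSL 2.5" wording in the OPT_X_TLS_PROTOCOL_MAX doc entry in this PR; the constants file is the correct one, fix the docs. Two further points: OPT_X_TLS_ECNAME is added with no documentation entry in the ldap.rst hunks; and all of OPT_X_TLS_PROTOCOL_SSL3 through OPT_X_TLS_PROTOCOL_TLS1_3 are `optional=True`, so on a libldap that predates them `ldap.OPT_X_TLS_PROTOCOL_TLS1_2` is absent rather than defined. The docs should say so explicitly, because the natural fallback for a caller is to hard-code the wire value 0x303, and a `getattr(ldap, "OPT_X_TLS_PROTOCOL_TLS1_2", 0x303)` pattern is what you actually want to recommend for raising the minimum TLS version.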
Expand Down Expand Up @@ -341,9 +352,7 @@ class Str(Constant):
# XXX - these should be errors
Int('URL_ERR_BADSCOPE'),
Int('URL_ERR_MEM'),
# Int('LIBLDAP_R'),

Feature('LIBLDAP_R', 'HAVE_LIBLDAP_R'),
Feature('SASL_AVAIL', 'HAVE_SASL'),
Feature('TLS_AVAIL', 'HAVE_TLS'),
Feature('INIT_FD_AVAIL', 'HAVE_LDAP_INIT_FD'),
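Review bot: both the commented-out `# Int('LIBLDAP_R'),` and `Feature('LIBLDAP_R', 'HAVE_LIBLDAP_R'),` leave the generated list, yet `ldap.LIBLDAP_R` still exists because Modules/constants.c in this PR now adds it by hand from a runtime feature query. Leave a comment here (e.g. `# LIBLDAP_R is set at runtime in Modules/constants.c`) so the next person regenerating constants does not reintroduce a compile-time definition that would shadow the runtime value. Also confirm that the header of the generated block in constants.c ("Generated constants -- see Lib/ldap/constants.py") still matches what the generator emits without this entry.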
2 changes: 1 addition & 1 deletion Modules/berval.c
Expand Up @@ -17,7 +17,7 @@ LDAPberval_to_object(const struct berval *bv)
{
PyObject *ret = NULL;

if (!bv) {
if (!bv || !bv->bv_val) {
ret = Py_None;
Py_INCREF(ret);
}
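Review bot: the new `!bv->bv_val` test is more than a NULL-dereference guard. If the code after this hunk builds the result with PyBytes_FromStringAndSize(bv->bv_val, bv->bv_len), that function with a NULL pointer returns a bytes object whose contents are uninitialized, so a berval with bv_val == NULL and bv_len > 0 would previously have handed heap contents back to Python. Add a one-line comment naming which callers produce such bervals (this PR documents OPT_X_TLS_PEERCERT as returning DER bytes, and a connection with no peer certificate is the obvious case) so the reason for returning None rather than b"" is preserved for the next reader.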
2 changes: 1 addition & 1 deletion Modules/common.h
Expand Up @@ -16,7 +16,7 @@
#include <ldap.h>
#include <ldap_features.h>

#if LDAP_API_VERSION < 2040
#if LDAP_VENDOR_VERSION < 20400
#error Current python-ldap requires OpenLDAP 2.4.x
#endif

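Review bot: replacing LDAP_API_VERSION with LDAP_VENDOR_VERSION is the right fix: LDAP_API_VERSION is the C API draft level (3001 for every OpenLDAP release) and never reaches 2040, so the old `#error` could not fire. LDAP_VENDOR_VERSION comes from <ldap_features.h>, which is included two lines above, and 20400 encodes 2.4.0. One caveat worth a comment: a non-OpenLDAP libldap may not define LDAP_VENDOR_VERSION at all, in which case `#if` treats it as 0 and the build fails with a message about OpenLDAP 2.4.x; that is acceptable, since the module targets OpenLDAP, but an explicit `#ifndef LDAP_VENDOR_VERSION` with a clearer message would save a confused bug report.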
10 changes: 10 additions & 0 deletions Modules/constants.c
Expand Up @@ -197,6 +197,8 @@ int
LDAPinit_constants(PyObject *m)
{
PyObject *exc, *nobj;
struct ldap_apifeature_info info = { 1, "X_OPENLDAP_THREAD_SAFE", 0 };
int thread_safe = 0;

/* simple constants */

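Review bot: `struct ldap_apifeature_info info = { 1, "X_OPENLDAP_THREAD_SAFE", 0 };` hard-codes the info-struct version as a bare 1; use the LDAP_FEATURE_INFO_VERSION macro from ldap.h, which is what libldap compares against before filling the struct. Also, `info` is only referenced inside the `#ifdef LDAP_API_FEATURE_X_OPENLDAP_THREAD_SAFE` block in the next hunk, so on a build without that macro it becomes an unused variable (a warning under -Wall, an error under -Werror); move the declaration inside the `#ifdef`, or compute `thread_safe` in a small static helper that contains both.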
Expand All @@ -221,6 +223,14 @@ LDAPinit_constants(PyObject *m)
return -1;
Py_INCREF(LDAPexception_class);

#ifdef LDAP_API_FEATURE_X_OPENLDAP_THREAD_SAFE
if (ldap_get_option(NULL, LDAP_OPT_API_FEATURE_INFO, &info) == LDAP_SUCCESS) {
thread_safe = (info.ldapaif_version == 1);
}
#endif
if (PyModule_AddIntConstant(m, "LIBLDAP_R", thread_safe) != 0)
return -1;

/* Generated constants -- see Lib/ldap/constants.py */

#define add_err(n) do { \
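Review bot: `thread_safe = (info.ldapaif_version == 1);` turns the feature query into a strict equality; if a future libldap bumps the X_OPENLDAP_THREAD_SAFE feature version, LIBLDAP_R would report 0 on a library that is thread-safe. Since ldap_get_option only returns LDAP_SUCCESS for LDAP_OPT_API_FEATURE_INFO when the named feature is present, `thread_safe = 1` (or `>= 1`) is the safer reading. Moving this to a runtime query is the correct direction: with OpenLDAP 2.5 the separate libldap_r is merged into libldap, so the old build-time HAVE_LIBLDAP_R flag would say "not thread-safe" for exactly the libraries that now are. Callers that consult ldap.LIBLDAP_R before sharing a connection across threads rely on this value being honest, so a short comment explaining the query and its fallback to 0 is worthwhile.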