4375: ActiveDirectoryBackend hard-codes insecure ldap

cretep

What version are you running?

2.5.3

What's the URL of the page containing the problem?

http://[reviewboard]/admin/settings/authentication/

What steps will reproduce the problem?

  1. Visit 'Authentication Settings' in admin section
  2. Set "Authentication Method" to "Active Directory"
  3. Set "Domain controller" to your DCs with port 636, eg. "mydc01.example.com:636 mydc02.example.com:636"
  4. Attempt to login will fail.
  5. Logs show "Active Directory: Domain controller is down"

Please provide any additional information below.

Port 636 is "LDAP over SSL". These URIs must have the schema "ldaps://", however "ldap://" is hard-coded into reviewboard auth:

reviewboard/accounts/backend.py
class ActiveDirectoryBackend
def get_ldap_connections
ldap_uri = 'ldap://%s:%s' % (host, port)

Users should be able to supply the full ldap_uri in settings.AD_DOMAIN_CONTROLLER, rather than code piecing it together later. (Even better, ldaps:// should be the default for auto-discovery.)

Additionally, because AD certificates are typically self-signed, users should be able to supply certificates. Unrecognised certificates will also cause the "Domain controller is down" failure. Unfortunately it appears difficult to supply certificates system-wide for Python LDAP library use. Currently I add two lines before ldap.initialize(ldap_uri):

ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/mydc01.example.com.crt')

david
#1 david
  • -New
    +Fixed