Module: check_mk
Branch: master
Commit: eaabcd13a85e8897a4ce8f78355a747bb4f6987b
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=eaabcd13a85e88…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Jun 30 11:15:17 2017 +0200
4926 FIX LDAP: Use Check_MK trusted certificate authorities for validating certificates
When using SSL encrypted connections, the trusted certificate authorities configured
in the global setting are now used.
Change-Id: I318823d98bfbbbe8f1a97a4e87fd1278c4954170
---
.werks/4926 | 12 ++++++++++++
web/htdocs/wato.py | 12 +++++-------
web/plugins/userdb/ldap.py | 20 ++++++++++++++++++--
3 files changed, 35 insertions(+), 9 deletions(-)
diff --git a/.werks/4926 b/.werks/4926
new file mode 100644
index 0000000..0b6522c
--- /dev/null
+++ b/.werks/4926
@@ -0,0 +1,12 @@
+Title: LDAP: Use Check_MK trusted certificate authorities for validating certificates
+Level: 1
+Component: wato
+Class: fix
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.5.0i1
+Date: 1498813939
+
+When using SSL encrypted SSL connections the trusted certificate authorities configured
+in the global setting are now used.
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index 4666224..fcc4a11 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -6237,13 +6237,10 @@ def vs_ldap_connection(new, connection_id):
)),
("use_ssl", FixedValue(
title = _("Use SSL"),
- help = _("Connect to the LDAP server with a SSL encrypted connection.
You might need "
- "to configure the OpenLDAP installation on your monitoring
server to accept "
- "the certificates of the LDAP server. This is normally done
via system wide "
- "configuration of the CA certificate which signed the
certificate of the LDAP "
- "server. Please refer to the <a
target=\"_blank\" "
-
"href=\"https://mathias-kettner.com/checkmk_multisite_ldap_integration.html\">"
- "documentation</a> for details."),
+ help = _("Connect to the LDAP server with a SSL encrypted connection.
The "
+ "<a
href=\"wato.py?mode=edit_configvar&site=&varname=trusted_certificate_authorities\">trusted
"
+ "certificates authorities</a> configured in Check_MK
will be used to validate the "
+ "certificate provided by the LDAP server."),
value = True,
totext = _("Encrypt the network connection using SSL."),
)),
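Review bot: The new href in the help text embeds a bare `&` inside HTML markup (`...edit_configvar&site=&varname=...`); since the string already carries an `<a>` tag it is presumably emitted as raw HTML, where the well-formed spelling is `&amp;`. Browsers tolerate the bare form, so this is a point of style rather than a functional defect. The `vs_ldap_connection` body continues on both sides of the hunk.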
@@ -6705,6 +6702,7 @@ def mode_edit_ldap_connection(phase):
except Exception, e:
state = False
msg = _('Exception: %s') % html.render_text(e)
+ log_exception()
if state:
img = html.render_icon("success", _('Success'))
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index cc68ed9..d0776dc 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -193,10 +193,20 @@ class LDAPUserConnector(UserConnector):
if self.is_active_directory():
conn.set_option(ldap.OPT_REFERRALS, 0)
+ conn.set_option(ldap.OPT_X_TLS_CACERTFILE,
+ "%s/var/ssl/ca-certificates.crt" %
cmk.paths.omd_root)
+
self.default_bind(conn)
return conn, None
+
except (ldap.SERVER_DOWN, ldap.TIMEOUT, ldap.LOCAL_ERROR, ldap.LDAPError), e:
- return None, '%s: %s' % (uri, e[0].get('info',
e[0].get('desc', '')))
+ if type(e[0]) == dict:
+ msg = e[0].get('info', e[0].get('desc', ''))
+ else:
+ msg = "%s" % e
+
+ return None, "%s: %s" % (uri, msg)
+
except MKLDAPException, e:
return None, "%s" % e
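Review bot: Setting `ldap.OPT_X_TLS_CACERTFILE` on the connection object at the top of the hunk is not sufficient on its own, and nothing in the hunk requires certificate verification. In python-ldap, TLS options set on a connection only take effect once a fresh TLS context is created, which needs a trailing `conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)`; without it the process-wide ldap.conf settings remain in force and the CA file is silently ignored. Whether the chain is actually checked still depends on libldap's TLS_REQCERT default, so the help text added in the wato.py hunk ("will be used to validate the certificate") only holds if the code also sets `conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)`; I would add both lines directly after the CACERTFILE call. In the new error branch, `if type(e[0]) == dict:` is better written `if isinstance(e[0], dict):`. The enclosing method starts before the hunk.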
@@ -206,7 +216,13 @@ class LDAPUserConnector(UserConnector):
uri = 'ldaps://'
else:
uri = 'ldap://'
- return uri + '%s:%d' % (server, self._config.get('port', 389))
+
+ if "port" in self._config:
+ port_spec = ":%d" % self._config["port"]
+ else:
+ port_spec = ""
+
+ return uri + server + port_spec
def connect(self, enforce_new = False, enforce_server = None):