Improve TLS support for Active Directory.

Review Request #11896 — Created Dec. 17, 2021 and submitted

Information

Review Board
release-4.0.x

Reviewers

The Active Directory support was largely built around ldap:// URIs,
rather than supporting ldaps://. This did attempt to invoke TLS
support, which would switch over to a secure connection if available,
but that either wasn't working or didn't work in all configurations.

This change reworks the TLS support to do a few things:

1) Assign a default port of 636 (the LDAP TLS port) if an explicit port
was not provided and TLS was enabled.

2) Assume TLS if the port is 636 (even if TLS is not enabled -- mostly
intended for DNS-based AD domain controller lookup).

3) Specifically opt into LDAP 3, which should be safe for modern usage
(and we opt into it for the standard LDAP backend). This is
documented as being the default anyway, but it's better to opt into
it.

4) Use ldaps:// when TLS is enabled.

5) Avoid calling start_tls_s(), which may not be required for ldaps://
URLs (and appears to cause errors stating that TLS has already been
started with ldaps://). Based on other python-ldap examples for
Active Directory, it seems this should not be required.

Unit tests passed.

Tested this with a customer using TLS, with and without an explicit
port configured. Tested that start_tls_s() failed with a ldaps://
URI and that TLS support worked with ldaps:// without start_tls_s().

Summary ID
Improve TLS support for Active Directory.
The Active Directory support was largely built around `ldap://` URIs, rather than supporting `ldaps://`. This did attempt to invoke TLS support, which would switch over to a secure connection if available, but that either wasn't working or didn't work in all configurations. This change reworks the TLS support to do a few things: 1) Assign a default port of 636 (the LDAP TLS port) if an explicit port was not provided and TLS was enabled. 2) Assume TLS if the port is 636 (even if TLS is not enabled -- mostly intended for DNS-based AD domain controller lookup). 3) Specifically opt into LDAP 3, which should be safe for modern usage (and we opt into it for the standard LDAP backend). This is documented as being the default anyway, but it's better to opt into it. 4) Use `ldaps://` when TLS is enabled. 5) Avoid calling `start_tls_s()`, which may not be required for `ldaps://` URLs (and appears to cause errors stating that TLS has already been started with `ldaps://`). Based on other python-ldap examples for Active Directory, it seems this should not be required.
d2380ff99a7a05b497bc09b0006c0a950daf1d4e
Description From Last Updated

F841 local variable 'E' is assigned to but never used

reviewbotreviewbot
Checks run (1 failed, 1 succeeded)
flake8 failed.
JSHint passed.

flake8

chipx86
david
  1. Ship It!
  2. 
      
chipx86
Review request changed
Status:
Completed
Change Summary:
Pushed to release-4.0.x (5f67587)