Merge pull request #246 from FlipperPA/bugfix/tls-on-server-not-connection

etianen · web-flow · commit 948319eb25dd · 2022-06-25T12:16:21.000+01:00
Bug fix: TLS object must go on the server, not connection.
diff --git a/README.rst b/README.rst
@@ -1,7 +1,7 @@
 django-python3-ldap
 ===================
 
-**django-python3-ldap** provides a Django LDAP user authentication backend.
+**django-python3-ldap** provides a Django LDAP user authentication backend. Python 3.6+ is required.
 
 
 Features
diff --git a/django_python3_ldap/conf.py b/django_python3_ldap/conf.py
@@ -1,6 +1,7 @@
 """
 Settings used by django-python3.
 """
+from ssl import PROTOCOL_TLS
 
 from django.conf import settings
 
@@ -45,7 +46,7 @@ def __init__(self, settings):
 
     LDAP_AUTH_TLS_VERSION = LazySetting(
         name="LDAP_AUTH_TLS_VERSION",
-        default="SSLv3",
+        default=PROTOCOL_TLS,
     )
 
     LDAP_AUTH_SEARCH_BASE = LazySetting(
diff --git a/django_python3_ldap/ldap.py b/django_python3_ldap/ldap.py
@@ -156,29 +156,32 @@ def connection(**kwargs):
     if not isinstance(auth_url, list):
         auth_url = [auth_url]
     for u in auth_url:
+        # Include SSL / TLS, if requested.
+        server_args = {
+            "allowed_referral_hosts": [("*", True)],
+            "get_info": ldap3.NONE,
+            "connect_timeout": settings.LDAP_AUTH_CONNECT_TIMEOUT,
+        }
+        if settings.LDAP_AUTH_USE_TLS:
+            server_args["tls"] = ldap3.Tls(
+                ciphers="ALL",
+                version=settings.LDAP_AUTH_TLS_VERSION,
+            )
         server_pool.add(
             ldap3.Server(
                 u,
-                allowed_referral_hosts=[("*", True)],
-                get_info=ldap3.NONE,
-                connect_timeout=settings.LDAP_AUTH_CONNECT_TIMEOUT,
+                **server_args,
             )
         )
     # Connect.
     try:
-        # Include SSL / TLS, if requested.
         connection_args = {
             "user": username,
             "password": password,
             "auto_bind": False,
             "raise_exceptions": True,
             "receive_timeout": settings.LDAP_AUTH_RECEIVE_TIMEOUT,
         }
-        if settings.LDAP_AUTH_USE_TLS:
-            connection_args["tls"] = ldap3.Tls(
-                ciphers='ALL',
-                version=settings.LDAP_AUTH_TLS_VERSION,
-            )
         c = ldap3.Connection(
             server_pool,
             **connection_args,
