Allows overriding the SSL/TLS version.

Author: FlipperPA

README.rst

@@ -37,6 +37,10 @@ Available settings
     # Initiate TLS on connection.
     LDAP_AUTH_USE_TLS = False
 
+    # Specify which TLS version to use (Python 3.10 requires TLSv1 or higher)
+    import ssl
+    LDAP_AUTH_TLS_VERSION = ssl.PROTOCOL_TLSv1_2
+
     # The LDAP search base for looking up users.
     LDAP_AUTH_SEARCH_BASE = "ou=people,dc=example,dc=com"
 

django_python3_ldap/conf.py

@@ -43,6 +43,11 @@ def __init__(self, settings):
         default=False,
     )
 
+    LDAP_AUTH_TLS_VERSION = LazySetting(
+        name="LDAP_AUTH_TLS_VERSION",
+        default="SSLv3",
+    )
+
     LDAP_AUTH_SEARCH_BASE = LazySetting(
         name="LDAP_AUTH_SEARCH_BASE",
         default="ou=people,dc=example,dc=com",

django_python3_ldap/ldap.py

@@ -166,23 +166,28 @@ def connection(**kwargs):
         )
     # Connect.
     try:
+        # Include SSL / TLS, if requested.
+        if settings.LDAP_AUTH_USE_TLS:
+            tls = ldap3.Tls(
+                ciphers='ALL',
+                version=settings.LDAP_AUTH_TLS_VERSION,
+            )
+
         c = ldap3.Connection(
             server_pool,
             user=username,
             password=password,
             auto_bind=False,
             raise_exceptions=True,
             receive_timeout=settings.LDAP_AUTH_RECEIVE_TIMEOUT,
+            tls=tls,
         )
     except LDAPException as ex:
         logger.warning("LDAP connect failed: {ex}".format(ex=ex))
         yield None
         return
     # Configure.
     try:
-        # Start TLS, if requested.
-        if settings.LDAP_AUTH_USE_TLS:
-            c.start_tls(read_server_info=False)
         # Perform initial authentication bind.
         c.bind(read_server_info=True)
         # If the settings specify an alternative username and password for querying, rebind as that.