Merge branch '27-secure-ldap' into 'master'

Support authenticating with the LDAP server over SSL Closes #27 See merge request !17

Merge branch '27-secure-ldap' into 'master'
eb427747 · Dr Rich Wareham · d12c8bbe · a75a2cf6 · eb427747 · eb427747
Commit eb427747 authored 4 years ago by Dr Rich Wareham
--- a/configuration-example.yaml
+++ b/configuration-example.yaml
@@ -144,6 +144,18 @@ ldap:
  # Scheme and hostname of the LDAP server.
  host: 'ldaps://ldap.example.com'

+  # Credentials to be used when accessing the LDAP server from outside of the
+  # CUDN.
+  #
+  # When both username and password strings are specified, the sync tool will
+  # use SSL when connecting to the LDAP server, and will attempt to
+  # authenticate with these credentials.
+  #
+  # The username and password properties should _not_ be specified when running
+  # the sync tool inside the CUDN (which includes running in the CI pipeline).
+  username: null
+  password: null
+
  # LDAP search base for users. Person filters are always relative to this.
  user_search_base: 'ou=people,o=example-corps,dc=example,dc=com'


--- a/gsuitesync/ldap.py
+++ b/gsuitesync/ldap.py
@@ -36,6 +36,10 @@ class Configuration(ConfigurationDataclassMixin):

    eligible_inst_filter: str

+    username: str = None
+
+    password: str = None
+
    managed_user_filter: typing.Union[str, None] = None

    managed_group_filter: typing.Union[str, None] = None
@@ -168,8 +172,24 @@ class Configuration(ConfigurationDataclassMixin):
        return managed_insts

    def _search(self, *, search_base, search_filter, attributes):
-        ldap_server = ldap3.Server(self.host)
-        with ldap3.Connection(ldap_server, auto_bind=True) as conn:
+        # Use SSL to access the LDAP server when authentication credentials
+        # have been configured
+        use_ssl = self.username and self.password
+        ldap_server = ldap3.Server(self.host, use_ssl=use_ssl)
+
+        # Keyword arguments to pass to ldap3.Connection
+        connection_kwargs = {
+            'auto_bind': True
+        }
+
+        # Add authentication credentials if configured
+        if self.username:
+            connection_kwargs['username'] = self.username
+        if self.password:
+            connection_kwargs['password'] = self.password
+
+        # Connect to the LDAP server and perform the query
+        with ldap3.Connection(ldap_server, **connection_kwargs) as conn:
            return conn.extend.standard.paged_search(
                search_base, search_filter, paged_size=1000, attributes=attributes)


--- a/tox.sh
+++ b/tox.sh
+#!/bin/sh
+#
+# Wrapper script to run tox. Arguments are passed directly to tox.
+
+# Exit on failure
+set -e
+
+# Change to this script's directory
+cd "$( dirname "$0")"
+
+# Execute tox runner, logging command used
+set -x
+docker build -t gsuite-synctool .
+docker run -it --rm -e TOXINI_SITEPACKAGES=True --entrypoint /bin/sh gsuite-synctool -c "tox $*"
\ No newline at end of file