[checkmk-commits] 4926 FIX LDAP: Use Check_MK trusted certificate authorities for validating certificates

Lars Michelsen lm at mathias-kettner.de
Fri Jun 30 11:51:06 CEST 2017


Module: check_mk
Branch: master
Commit: eaabcd13a85e8897a4ce8f78355a747bb4f6987b
URL:    http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=eaabcd13a85e8897a4ce8f78355a747bb4f6987b

Author: Lars Michelsen <lm at mathias-kettner.de>
Date:   Fri Jun 30 11:15:17 2017 +0200

4926 FIX LDAP: Use Check_MK trusted certificate authorities for validating certificates

When using SSL encrypted connections, the trusted certificate authorities configured
in the global setting are now used.

Change-Id: I318823d98bfbbbe8f1a97a4e87fd1278c4954170

---

 .werks/4926                | 12 ++++++++++++
 web/htdocs/wato.py         | 12 +++++-------
 web/plugins/userdb/ldap.py | 20 ++++++++++++++++++--
 3 files changed, 35 insertions(+), 9 deletions(-)

diff --git a/.werks/4926 b/.werks/4926
new file mode 100644
index 0000000..0b6522c
--- /dev/null
+++ b/.werks/4926
@@ -0,0 +1,12 @@
+Title: LDAP: Use Check_MK trusted certificate authorities for validating certificates
+Level: 1
+Component: wato
+Class: fix
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.5.0i1
+Date: 1498813939
+
+When using SSL encrypted SSL connections the trusted certificate authorities configured
+in the global setting are now used.
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index 4666224..fcc4a11 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -6237,13 +6237,10 @@ def vs_ldap_connection(new, connection_id):
         )),
         ("use_ssl", FixedValue(
             title  = _("Use SSL"),
-            help   = _("Connect to the LDAP server with a SSL encrypted connection. You might need "
-                       "to configure the OpenLDAP installation on your monitoring server to accept "
-                       "the certificates of the LDAP server. This is normally done via system wide "
-                       "configuration of the CA certificate which signed the certificate of the LDAP "
-                       "server. Please refer to the <a target=\"_blank\" "
-                       "href=\"https://mathias-kettner.com/checkmk_multisite_ldap_integration.html\">"
-                       "documentation</a> for details."),
+            help   = _("Connect to the LDAP server with a SSL encrypted connection. The "
+                       "<a href=\"wato.py?mode=edit_configvar&site=&varname=trusted_certificate_authorities\">trusted "
+                       "certificates authorities</a> configured in Check_MK will be used to validate the "
+                       "certificate provided by the LDAP server."),
             value  = True,
             totext = _("Encrypt the network connection using SSL."),
         )),
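Review bot: The new help text reads "trusted certificates authorities" where the linked setting is named "trusted certificate authorities"; change the continuation string to `"certificate authorities</a> configured in Check_MK will be used to validate the "`. The `site=` parameter in the generated link is left empty, which is presumably intended to address the local site's global settings, but worth confirming against how `edit_configvar` resolves an empty site. vs_ldap_connection begins outside this hunk.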
@@ -6705,6 +6702,7 @@ def mode_edit_ldap_connection(phase):
                 except Exception, e:
                     state = False
                     msg = _('Exception: %s') % html.render_text(e)
+                    log_exception()
 
                 if state:
                     img = html.render_icon("success", _('Success'))
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index cc68ed9..d0776dc 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -193,10 +193,20 @@ class LDAPUserConnector(UserConnector):
             if self.is_active_directory():
                 conn.set_option(ldap.OPT_REFERRALS, 0)
 
+            conn.set_option(ldap.OPT_X_TLS_CACERTFILE,
+                            "%s/var/ssl/ca-certificates.crt" % cmk.paths.omd_root)
+
             self.default_bind(conn)
             return conn, None
+
         except (ldap.SERVER_DOWN, ldap.TIMEOUT, ldap.LOCAL_ERROR, ldap.LDAPError), e:
-            return None, '%s: %s' % (uri, e[0].get('info', e[0].get('desc', '')))
+            if type(e[0]) == dict:
+                msg = e[0].get('info', e[0].get('desc', ''))
+            else:
+                msg = "%s" % e
+
+            return None, "%s: %s" % (uri, msg)
+
         except MKLDAPException, e:
             return None, "%s" % e
 
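Review bot: Setting OPT_X_TLS_CACERTFILE on the connection (the lines added after the referrals check) selects the trust store but does not by itself require the peer certificate to verify; whether an untrusted or mismatched certificate is rejected is still decided by the TLS_REQCERT level inherited from the system ldap.conf, which on several distributions is weaker than demand. To make the werk's promise hold independently of host configuration, set the level explicitly next to the CA file, `conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)`, and, because python-ldap applies per-connection TLS options only when a fresh TLS context is created, follow both with `conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)`; which python-ldap versions need the NEWCTX call should be checked against the version shipped with the product. Separately, `if type(e[0]) == dict:` in the new except branch is better written `if isinstance(e[0], dict):`, and `e[0]` is only safe if every listed exception type carries an argument, which the hunk does not show. The enclosing method starts before this hunk.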
@@ -206,7 +216,13 @@ class LDAPUserConnector(UserConnector):
             uri = 'ldaps://'
         else:
             uri = 'ldap://'
-        return uri + '%s:%d' % (server, self._config.get('port', 389))
+
+        if "port" in self._config:
+            port_spec = ":%d" % self._config["port"]
+        else:
+            port_spec = ""
+
+        return uri + server + port_spec
 
 
     def connect(self, enforce_new = False, enforce_server = None):
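Review bot: The new code changes the default behaviour without recording why: a connection with no configured port previously always got `:389`, even for `ldaps://`, and now gets no port suffix at all, so a later reader may well restore the old default. Add a comment above the `if "port" in self._config:` line such as `# No explicit port: let the LDAP library apply the scheme default (389 for ldap://, 636 for ldaps://)`. The method's signature lies before this hunk, so its name and any docstring are not visible here; if it has no docstring, that is where the returned URI format belongs.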


