From 6297785546c438d60d5090e1be66fe28aac99fcb Mon Sep 17 00:00:00 2001
From: Markus Hauschild <markus@moepman.eu>
Date: Sat, 21 Jan 2017 18:24:14 +0100
Subject: [PATCH] Add support for custom CA certificates.

---
 config.cfg.example | 1 +
 index.py           | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/config.cfg.example b/config.cfg.example
index b31dc60..84581c1 100644
--- a/config.cfg.example
+++ b/config.cfg.example
@@ -2,6 +2,7 @@ DEBUG = True
 SECRET_KEY = "CHANGE!ME"
 SESSION_TIMEOUT = 3600
 
+LDAP_CA = "/etc/ldap/ssl/CA.crt"
 LDAP_URI = "ldaps://ldap.example.com"
 LDAP_BASE = "dc=example,dc=com"
 
diff --git a/index.py b/index.py
index 74d3e25..3bedbf4 100755
--- a/index.py
+++ b/index.py
@@ -18,6 +18,11 @@ app.jinja_env.lstrip_blocks = True
 
 rdb = Redis(host=app.config.get('REDIS_HOST', '127.0.0.1'), password=app.config.get('REDIS_PSWD'))
 
+ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
+ldap.set_option(ldap.OPT_REFERRALS, 0)
+if 'LDAP_CA' in app.config.keys():
+	ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, app.config.get('LDAP_CA'))
+
 
 class ReadOnlyField(StringField):
 	def __call__(self, *args, **kwargs):