From 907a3b3e964e36ee34a1347172d9cd4788f76fd5 Mon Sep 17 00:00:00 2001
From: Guido
Date: Tue, 1 Sep 2020 14:57:31 +0200
Subject: python.d/openldap: fix tls over ldap (#9853)
---
 collectors/python.d.plugin/openldap/openldap.chart.py | 17 ++++++++++++-----
 collectors/python.d.plugin/openldap/openldap.conf | 15 ++++++++-------
 2 files changed, 20 insertions(+), 12 deletions(-)
(limited to 'collectors')
diff --git a/collectors/python.d.plugin/openldap/openldap.chart.py b/collectors/python.d.plugin/openldap/openldap.chart.py
index 0ded784277..4ae2d747cd 100644
--- a/collectors/python.d.plugin/openldap/openldap.chart.py
+++ b/collectors/python.d.plugin/openldap/openldap.chart.py
@@ -17,6 +17,7 @@ DEFAULT_PORT = '389'
 DEFAULT_TLS = False
 DEFAULT_CERT_CHECK = True
 DEFAULT_TIMEOUT = 1
+DEFAULT_START_TLS = False
 ORDER = [
 'total_connections',
@@ -143,6 +144,7 @@ class Service(SimpleService):
 self.timeout = configuration.get('timeout', DEFAULT_TIMEOUT)
 self.use_tls = configuration.get('use_tls', DEFAULT_TLS)
 self.cert_check = configuration.get('cert_check', DEFAULT_CERT_CHECK)
+ self.use_start_tls = configuration.get('use_start_tls', DEFAULT_START_TLS)
 self.alive = False
 self.conn = None
@@ -159,8 +161,13 @@ class Service(SimpleService):
 else:
 self.conn = ldap.initialize('ldap://%s:%s' % (self.server, self.port))
 self.conn.set_option(ldap.OPT_NETWORK_TIMEOUT, self.timeout)
- if self.use_tls and not self.cert_check:
+ if (self.use_tls or self.use_start_tls) and not self.cert_check:
 self.conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
+ if self.use_start_tls or self.use_tls:
+ self.conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
+ if self.use_start_tls:
+ self.conn.protocol_version = ldap.VERSION3
+ self.conn.start_tls_s()
 if self.username and self.password:
 self.conn.simple_bind(self.username, self.password)
 except ldap.LDAPError as error:
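Review bot: Nothing stops `use_tls` and `use_start_tls` from both being true, in which case the new `if self.use_start_tls:` branch calls `start_tls_s()` on a connection that was already initialized over ldaps://; libldap should reject that, and the `except ldap.LDAPError` below would report it only as a generic connection failure, which hides the misconfiguration. A guard before the initialize call, `if self.use_tls and self.use_start_tls: self.error('use_tls and use_start_tls are mutually exclusive')`, would name the cause. The placement of `OPT_X_TLS_NEWCTX` after `OPT_X_TLS_REQUIRE_CERT` is correct but worth a comment, since libldap only applies the TLS options already set when the new context is created: `# NEWCTX must be the last TLS option: it builds the TLS context from the settings above`. Note that with `cert_check: False` the `OPT_X_TLS_NEVER` setting now also covers the STARTTLS path, so the peer certificate is never verified there either, which is the intended meaning of the option but should be stated in the conf comment. The enclosing method starts and ends outside the hunk.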
@@ -197,13 +204,13 @@ class Service(SimpleService):
 self.alive = False
 return None
+ if result_type != 101:
+ continue
+
 try:
- if result_type == 101:
- val = int(list(result_data[0][1].values())[0][0])
+ data[key] = int(list(result_data[0][1].values())[0][0])
 except (ValueError, IndexError) as error:
 self.debug(error)
 continue
- data[key] = val
-
 return data
diff --git a/collectors/python.d.plugin/openldap/openldap.conf b/collectors/python.d.plugin/openldap/openldap.conf
index 73e8636ed9..5fd99a5257 100644
--- a/collectors/python.d.plugin/openldap/openldap.conf
+++ b/collectors/python.d.plugin/openldap/openldap.conf
@@ -65,10 +65,11 @@ update_every: 10
 # Set here your LDAP connection settings
-#username : "cn=admin,dc=example,dc=com" # The bind user with right to access monitor statistics
-#password : "yourpass" # The password for the binded user
-#server : 'localhost' # The listening address of the LDAP server. In case of TLS, use the hostname which the certificate is published for.
-#port : 389 # The listening port of the LDAP server. Change to 636 port in case of TLS connection
-#use_tls : False # Make True if a TLS connection is used
-#cert_check : True # False if you want to ignore certificate check
-#timeout : 1 # Seconds to timeout if no connection exi
+#username : "cn=admin,dc=example,dc=com" # The bind user with right to access monitor statistics
+#password : "yourpass" # The password for the binded user
+#server : 'localhost' # The listening address of the LDAP server. In case of TLS, use the hostname which the certificate is published for.
+#port : 389 # The listening port of the LDAP server. Change to 636 port in case of TLS connection
+#use_tls : False # Make True if a TLS connection is used over ldaps://
+#use_start_tls: False # Make True if a TLS connection is used over ldap://
+#cert_check : True # False if you want to ignore certificate check
+#timeout : 1 # Seconds to timeout if no connection exi
--
cgit v1.2.3
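Review bot: `101` on the added `if result_type != 101:` line is a magic number; python-ldap exposes it as `ldap.RES_SEARCH_RESULT`, and writing `if result_type != ldap.RES_SEARCH_RESULT:` says what is being skipped. A one-line comment on the `continue` would also help, since silently leaving a key out of `data` is a deliberate choice: `# not a final search result: leave this metric unset for this cycle`. The enclosing method, including the loop that sets `key` and the call that produces `result_type`, starts before the hunk.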