Fixed an issue where pgadmin cannot connect to LDAP when STARTTLS is required before bind. Fixes #6991

2025-02-25 18:55:31 -06:00 · 2022-02-16 18:01:39 +05:30 · 2022-02-16 18:01:39 +05:30 · aca97d9f57
commit aca97d9f57
parent b539637426
2 changed files with 12 additions and 13 deletions
--- a/docs/en_US/release_notes_6_6.rst
+++ b/docs/en_US/release_notes_6_6.rst
@ -20,6 +20,7 @@ Housekeeping
 Bug fixes
 *********

+| `Issue #6991 <https://redmine.postgresql.org/issues/6991>`_ -  Fixed an issue where pgadmin cannot connect to LDAP when STARTTLS is required before bind.
 | `Issue #6999 <https://redmine.postgresql.org/issues/6999>`_ -  Fixed an issue where a warning is flashed every time for an email address when authentication sources are internal and ldap.
 | `Issue #7124 <https://redmine.postgresql.org/issues/7124>`_ -  Fixed the schema diff issue where tables have different column positions and a column has a default value.
 | `Issue #7152 <https://redmine.postgresql.org/issues/7152>`_ -  Added comments column for the functions collection node.
--- a/web/pgadmin/authenticate/ldap.py
+++ b/web/pgadmin/authenticate/ldap.py
@ -12,7 +12,7 @@
 import ssl
 import config
 from ldap3 import Connection, Server, Tls, ALL, ALL_ATTRIBUTES, ANONYMOUS,\
-    SIMPLE
+    SIMPLE, AUTO_BIND_TLS_BEFORE_BIND, AUTO_BIND_NO_TLS
 from ldap3.core.exceptions import LDAPSocketOpenError, LDAPBindError,\
    LDAPInvalidScopeError, LDAPAttributeError, LDAPInvalidFilterError,\
    LDAPStartTLSError, LDAPSSLConfigurationError
@ -108,18 +108,21 @@ class LDAPAuthentication(BaseAuthentication):
        if not status:
            return status, server

+        auto_bind = AUTO_BIND_TLS_BEFORE_BIND if self.start_tls \
+            else AUTO_BIND_NO_TLS
+
        # Create the connection
        try:
            if self.anonymous_bind:
                self.conn = Connection(server,
-                                       auto_bind=True,
+                                       auto_bind=auto_bind,
                                       authentication=ANONYMOUS
                                       )
            else:
                self.conn = Connection(server,
                                       user=self.bind_user,
                                       password=self.bind_pass,
-                                       auto_bind=True,
+                                       auto_bind=auto_bind,
                                       authentication=SIMPLE
                                       )

@ -131,21 +134,16 @@ class LDAPAuthentication(BaseAuthentication):
            current_app.logger.exception(
                "Error binding to the LDAP server.")
            return False, gettext("Error binding to the LDAP server.")
+        except LDAPStartTLSError as e:
+            current_app.logger.exception(
+                "Error starting TLS: {}\n".format(e))
+            return False, gettext("Error starting TLS: {}\n"
+                                  ).format(e.args[0])
        except Exception as e:
            current_app.logger.exception(
                ERROR_CONNECTING_LDAP_SERVER.format(e))
            return False, ERROR_CONNECTING_LDAP_SERVER.format(e.args[0])

-        # Enable TLS if STARTTLS is configured
-        if self.start_tls:
-            try:
-                self.conn.start_tls()
-            except LDAPStartTLSError as e:
-                current_app.logger.exception(
-                    "Error starting TLS: {}\n".format(e))
-                return False, gettext("Error starting TLS: {}\n"
-                                      ).format(e.args[0])
-
        return True, None

    def __auto_create_user(self, user_email):