[AIRFLOW-3164] Verify server certificate when connecting to LDAP (#4006)
Misconfiguration and improper checking of exceptions disabled
server certificate checking. We now only support TLS connections
and do not support insecure connections anymore.
diff --git a/UPDATING.md b/UPDATING.md
index 6fde229..0f108ff 100644
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -83,6 +83,17 @@
Ec2SubnetId, TerminationProtection and KeepJobFlowAliveWhenNoSteps were all top-level keys when they
should be inside the "Instances" dict)
+### LDAP Auth Backend now requires TLS
+
+Connecting to an LDAP serever over plain text is not supported anymore. The
+certificate presented by the LDAP server must be signed by a trusted
+certificiate, or you must provide the `cacert` option under `[ldap]` in the
+config file.
+
+If you want to use LDAP auth backend without TLS then you will habe to create a
+custom-auth backend based on
+https://github.com/apache/incubator-airflow/blob/1.10.0/airflow/contrib/auth/backends/ldap_auth.py
+
## Airflow 1.10
Installation and upgrading requires setting `SLUGIFY_USES_TEXT_UNIDECODE=yes` in your environment or
diff --git a/airflow/contrib/auth/backends/ldap_auth.py b/airflow/contrib/auth/backends/ldap_auth.py
index cb46757..dc17dab 100644
--- a/airflow/contrib/auth/backends/ldap_auth.py
+++ b/airflow/contrib/auth/backends/ldap_auth.py
@@ -56,16 +56,18 @@
def get_ldap_connection(dn=None, password=None):
- tls_configuration = None
- use_ssl = False
try:
cacert = configuration.conf.get("ldap", "cacert")
- tls_configuration = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=cacert)
- use_ssl = True
- except Exception:
+ except AirflowConfigException:
pass
- server = Server(configuration.conf.get("ldap", "uri"), use_ssl, tls_configuration)
+ tls_configuration = Tls(validate=ssl.CERT_REQUIRED,
+ ca_certs_file=cacert)
+
+ server = Server(configuration.conf.get("ldap", "uri"),
+ use_ssl=True,
+ tls=tls_configuration)
+
conn = Connection(server, native(dn), native(password))
if not conn.bind():
diff --git a/docs/security.rst b/docs/security.rst
index b47a58f..1ecc958 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -61,8 +61,7 @@
''''
To turn on LDAP authentication configure your ``airflow.cfg`` as follows. Please note that the example uses
-an encrypted connection to the ldap server as you probably do not want passwords be readable on the network level.
-It is however possible to configure without encryption if you really want to.
+an encrypted connection to the ldap server as we do not want passwords be readable on the network level.
Additionally, if you are using Active Directory, and are not explicitly specifying an OU that your users are in,
you will need to change ``search_scope`` to "SUBTREE".
diff --git a/setup.py b/setup.py
index c187b9b..49de5e6 100644
--- a/setup.py
+++ b/setup.py
@@ -188,7 +188,7 @@
'snakebite[kerberos]>=2.7.8']
kubernetes = ['kubernetes>=3.0.0',
'cryptography>=2.0.0']
-ldap = ['ldap3>=0.9.9.1']
+ldap = ['ldap3>=2.5.1']
mssql = ['pymssql>=2.1.1']
mysql = ['mysqlclient>=1.3.6']
oracle = ['cx_Oracle>=5.1.2']
