fixup! [AIRFLOW-3164] Verify server certificate when connecting to LDAP

apache · Nov 8, 2018 · d8d0e8c · d8d0e8c
1 parent 28abf87
commit d8d0e8c
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 4 deletions.
diff --git a/UPDATING.md b/UPDATING.md
@@ -87,6 +87,17 @@ configuration, so creating EMR clusters might fail until your connection is upda
 Ec2SubnetId, TerminationProtection and KeepJobFlowAliveWhenNoSteps were all top-level keys when they
 should be inside the "Instances" dict)
 
+### LDAP Auth Backend now requires TLS
+
+Connecting to an LDAP serever over plain text is not supported anymore. The
+certificate presented by the LDAP server must be signed by a trusted
+certificiate, or you must provide the `cacert` option under `[ldap]` in the
+config file.
+
+If you want to use LDAP auth backend without TLS then you will habe to create a
+custom-auth backend based on
+https://github.com/apache/incubator-airflow/blob/1.10.0/airflow/contrib/auth/backends/ldap_auth.py
+
 ## Airflow 1.10
 
 Installation and upgrading requires setting `SLUGIFY_USES_TEXT_UNIDECODE=yes` in your environment or

diff --git a/airflow/contrib/auth/backends/ldap_auth.py b/airflow/contrib/auth/backends/ldap_auth.py
@@ -55,14 +55,12 @@ class LdapException(Exception):
 
 
 def get_ldap_connection(dn=None, password=None):
-    cacert = None
     try:
         cacert = configuration.conf.get("ldap", "cacert")
     except AirflowConfigException:
         pass
 
     tls_configuration = Tls(validate=ssl.CERT_REQUIRED,
-                            version=ssl.PROTOCOL_SSLv23,
                             ca_certs_file=cacert)
 
     server = Server(configuration.conf.get("ldap", "uri"),

diff --git a/docs/security.rst b/docs/security.rst
@@ -66,8 +66,7 @@ LDAP
 ''''
 
 To turn on LDAP authentication configure your ``airflow.cfg`` as follows. Please note that the example uses
-an encrypted connection to the ldap server as you probably do not want passwords be readable on the network level.
-We do not support insecure connections anymore.
+an encrypted connection to the ldap server as we do not want passwords be readable on the network level.
 
 Additionally, if you are using Active Directory, and are not explicitly specifying an OU that your users are in,
 you will need to change ``search_scope`` to "SUBTREE".