Background: Currently, when connecting to a ldap backend, ssl.PROTOCOL_TLSv1 [2] is offered as only option to the backend.
This leads to following issues:
- LDAP Backends that do not support TLSv1.0 (because of security reasons [3]) cannot be used in ERPNext
- erpnext can ONLY connect to LDAP Backends offering the insecure [3] TLSv1.0 protocol (see ldap_settings.py ln: 61, 63)
With this change to ssl.PROTOCOL_TLS_CLIENT we allow erpnext customers to configure LDAP Backends that also support more modern/secure (TLSv1.2 and up) transport
while still ensure backwards compatibility and allowing TLSv1.0,
since ssl.PROTOCOL_TLS "Auto-negotiates the highest protocol version that both the client and server support" [1]
[1]: https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLS_CLIENT
[2]: https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLSv1
[3]: https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html
The license.txt file has been replaced with LICENSE for quite a while
now. INAL but it didn't seem accurate to say "hey, checkout license.txt
although there's no such file". Apart from this, there were
inconsistencies in the headers altogether...this change brings
consistency.
If the user selects 'Custom' LDAP Directory, when they hit save, validate the additional required fields ('ldap_group_objectclass' and 'ldap_group_member_attribute') for this selection to function.
Issue #13738
Created unit tests for integration LDAP. These tests are designed to confirm that LDAP will continue to work after changes are made to frappe.
PR-#13777
Function requires attributes to be of type x, validate to ensure any changes will break function and to prevent further exceptions. Only output to console as it's only a developer who will generate this error.
PR-#13777
As the user provides some of the ldap attributes, validate those entries when the 'LDAP Settings' editor clicks save. Provide an error message if validation fails stating what is incorrect.
issue #13738 PR-#13777
ldap search string is user input. validate to ensure is enclosed in '()', has the '{0}' placeholder and has the same number of brackets as used in complex ldap search strings.
issue #13738
to confirm user credentials, use 'rebind' instead of re-connecting to ldap. This also enables unit testing of all functions except the connection to ldap.
issue #13738
Validate the LDAP search filter including enclosing in '()'. Note: if a user has a complex filter that misses the last ')' it will not be added. i.e. (&(objectclass=posixgroup)(uid={0}) is invalid but will pass validation.
issue #13738
User needs to be able to conduct complex filtering. As long as the placeholder '{0}' for the username is included in the ldap search filter, the user can customize as required. searches must be enclosed in '()' i.e '(uid={0}) or '(&(objecttype=posixaccount)(uid={0}))' etc.
issue #13738closefrappe/frappe#6037
All LDAP operations should be done by ldap base dn user. This allows an administrator to lock down their directory to the user the LDAP operations are being conducted by.
issue #13738
New method to search for user group membership. Replaces old logic of using an ldap users attribute memberof which is not supported by all LDAP implementations
issue #13738
