From 4dab5c43f1982a9297ee66681db241a299f06169 Mon Sep 17 00:00:00 2001
From: g0dsCookie <g0dscookie@cookieprojects.de>
Date: Mon, 18 Feb 2019 09:55:57 +0100
Subject: [PATCH] Correctly parse LDAP_SSL and LDAP_SSL_VALIDATE Fixes issue #1

---
 ldapauthd.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/ldapauthd.py b/ldapauthd.py
index 35b4813..5c2ab9e 100755
--- a/ldapauthd.py
+++ b/ldapauthd.py
@@ -70,6 +70,10 @@ def drop_privileges():
     log.info("Now running as %s/%s", username, grp.getgrgid(new_user[3])[0])
 
 
+def is_true(val):
+    return val == "True"
+
+
 def read_env():
     global config
     config = {
@@ -83,8 +87,8 @@ def read_env():
         "ldap": {
             "host": os.getenv("LDAP_HOST"),
             "port": int(os.getenv("LDAP_PORT", 636)),
-            "ssl": bool(os.getenv("LDAP_SSL", True)),
-            "ssl_validate": bool(os.getenv("LDAP_SSL_VALIDATE", True)),
+            "ssl": is_true(os.getenv("LDAP_SSL", True)),
+            "ssl_validate": is_true(os.getenv("LDAP_SSL_VALIDATE", True)),
             "basedn": os.getenv("LDAP_BASEDN"),
             "binddn": os.getenv("LDAP_BINDDN"),
             "bindpw": os.getenv("LDAP_BINDPW"),
@@ -101,6 +105,10 @@ def read_env():
             log.error("%s not defined.", item)
             sys.exit(2)
 
+    if not config["ldap"]["ssl_validate"]:
+        ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
+        log.warning("SSL validation has been disabled")
+
     config["ldap"]["uri"] = "%(proto)s://%(host)s:%(port)d" % {"proto": "ldaps" if config["ldap"]["ssl"] else "ldap",
                                                                "host": config["ldap"]["host"],
                                                                "port": config["ldap"]["port"]}
@@ -109,8 +117,6 @@ def read_env():
 def check_auth(user, passwd, allowusers, allowgroups):
     try:
         ldap_con = ldap.initialize(config["ldap"]["uri"])
-        if not config["ldap"]["ssl_validate"]:
-            ldap_con.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
         ldap_con.set_option(ldap.OPT_REFERRALS, 0)
         ldap_con.set_option(ldap.OPT_NETWORK_TIMEOUT, 3)
         ldap_con.simple_bind_s(config["ldap"]["binddn"], config["ldap"]["bindpw"])