Allow authentication before LDAP searches (patch from Łukasz)

config

@@ -48,6 +48,11 @@ ldap_url = ldap://localhost:389/
 ldap_base = ou=users,dc=example,dc=com
 # LDAP login attribute
 ldap_attribute = uid
+# LDAP dn for initial login, used if LDAP server does not allow anonymous searches
+# Leave empty if searches are anonymous
+ldap_binddn =
+# LDAP password for initial login, used with ldap_binddn
+ldap_password =
 
 [storage]
 # Folder for storing local calendars, created if not present

radicale/acl/LDAP.py

@@ -33,6 +33,8 @@ BASE = config.get("acl", "ldap_base")
 ATTRIBUTE = config.get("acl", "ldap_attribute")
 CONNEXION = ldap.initialize(config.get("acl", "ldap_url"))
 PERSONAL = config.getboolean("acl", "personal")
+BINDDN = config.get("acl", "ldap_binddn")
+PASSWORD = config.get("acl", "ldap_password")
 
 
 def has_right(owner, user, password):
@@ -41,6 +43,10 @@ def has_right(owner, user, password):
         # User is not owner and personal calendars, or no user given, forbidden
         return False
 
+    if BINDDN and PASSWORD:
+        log.LOGGER.debug("Initial LDAP bind as %s" % BINDDN)
+        CONNEXION.simple_bind_s(BINDDN, PASSWORD)
+
     distinguished_name = "%s=%s" % (ATTRIBUTE, ldap.dn.escape_dn_chars(user))
     log.LOGGER.debug("LDAP bind for %s in base %s" % (distinguished_name, BASE))
 

radicale/config.py

@@ -54,7 +54,9 @@ INITIAL_CONFIG = {
         "httpasswd_encryption": "crypt",
         "ldap_url": "ldap://localhost:389/",
         "ldap_base": "ou=users,dc=example,dc=com",
-        "ldap_attribute": "uid"},
+        "ldap_attribute": "uid",
+        "ldap_binddn": "",
+        "ldap_password": ""},
     "storage": {
         "folder": os.path.expanduser("~/.config/radicale/calendars")},
     "logging": {