From 147d795fa051c6eb4d9e14003902ee673d9fc30b Mon Sep 17 00:00:00 2001
From: Ryan Petrello
Date: Mon, 31 Jul 2017 13:53:46 -0400
Subject: [PATCH] force python-ldap to create a new SSL context for OPT_X_TLS_REQUIRE_CERT according to the internet, this is a thing that is necessary for python-ldap: https://github.com/rbarrois/python-ldap/commit/71024518dbc9c539a5bab834080e3792ac4dbfe9#diff-1a5a32c6cc1ae9767cb2008703e4534fR41 https://stackoverflow.com/a/29722445 https://stackoverflow.com/a/38136255 see: https://github.com/ansible/ansible-tower/issues/7335
---
 awx/sso/backends.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/awx/sso/backends.py b/awx/sso/backends.py
index 104fdd2c99..3fe730231a 100644
--- a/awx/sso/backends.py
+++ b/awx/sso/backends.py
@@ -86,6 +86,13 @@ class LDAPBackend(BaseLDAPBackend):
 settings = property(_get_settings, _set_settings)
 
 def authenticate(self, username, password):
+ if self.settings.START_TLS and ldap.OPT_X_TLS_REQUIRE_CERT in self.settings.CONNECTION_OPTIONS:
+ # with python-ldap, if you want to set connection-specific TLS
+ # parameters, you must also specify OPT_X_TLS_NEWCTX = 0
+ # see: https://stackoverflow.com/a/29722445
+ # see: https://stackoverflow.com/a/38136255
+ self.settings.CONNECTION_OPTIONS[ldap.OPT_X_TLS_NEWCTX] = 0
+
 if not self.settings.SERVER_URI:
 return None
 if not feature_enabled('ldap'):
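Review bot: Storing `OPT_X_TLS_NEWCTX = 0` into the plain `CONNECTION_OPTIONS` dict does not guarantee the effect the comment describes, because python-ldap/OpenLDAP only builds the new TLS context from the `OPT_X_TLS_*` values set before NEWCTX, and on the Python 2 interpreter this 2017 code targets a plain dict has no defined iteration order; if the options are applied by iterating that dict (presumably the upstream backend's `set_option` loop, not visible here), `OPT_X_TLS_REQUIRE_CERT` can land after NEWCTX and certificate verification silently stays unenforced. The condition is also keyed only on `START_TLS` and `OPT_X_TLS_REQUIRE_CERT`, so an `ldaps://` URI, or `OPT_X_TLS_CACERTFILE`/`OPT_X_TLS_CACERTDIR` configured without REQUIRE_CERT, gets no new context at all even though those options need it just the same. I would rebuild the options as an ordered mapping with NEWCTX as the last entry whenever any TLS option is present, regardless of START_TLS, instead of mutating the shared settings dict on every login. `OrderedDict` has to be imported from `collections` at the top of the file. The rest of `authenticate` continues past the hunk.

```python
    def authenticate(self, username, password):
        tls_options = (
            ldap.OPT_X_TLS_REQUIRE_CERT,
            ldap.OPT_X_TLS_CACERTFILE,
            ldap.OPT_X_TLS_CACERTDIR,
        )
        options = self.settings.CONNECTION_OPTIONS
        if any(opt in options for opt in tls_options):
            # python-ldap builds the per-connection TLS context only from the
            # OPT_X_TLS_* values already set, so NEWCTX must be applied last;
            # a plain dict gives no ordering guarantee on Python 2.
            ordered = OrderedDict(
                (opt, val) for opt, val in options.items()
                if opt != ldap.OPT_X_TLS_NEWCTX
            )
            ordered[ldap.OPT_X_TLS_NEWCTX] = 0
            self.settings.CONNECTION_OPTIONS = ordered
        # … unchanged: SERVER_URI / feature_enabled checks …
```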