authorDavid Hill <dhill@redhat.com>2022-03-15 12:21:05 -0400
committerPete Zaitcev <zaitcev@kotori.zaitcev.us>2023-03-21 23:11:09 -0500
commitf66a7d11b5ad6c6b9b155408863f5de82bb2d973 (patch)
tree5f4aafd9bc84c12d9797b3b3ba53234e5ccad6cf
parent433f541b970981d09c0917588b14eea293ea50dd (diff)
downloadkeystone-f66a7d11b5ad6c6b9b155408863f5de82bb2d973.tar.gz
Print a human readable error if tls certs are not provided
Print a human readable error if tls certs are not provided when using ldaps:// or use_tls and not providing CA certificates. Change-Id: I5d3613617278443673a265259351a2e1d5dc7f44
-rw-r--r--keystone/identity/backends/ldap/common.py5
1 files changed, 5 insertions, 0 deletions
diff --git a/keystone/identity/backends/ldap/common.py b/keystone/identity/backends/ldap/common.py
index 1033a4efd..e1399ec6a 100644
--- a/keystone/identity/backends/ldap/common.py
+++ b/keystone/identity/backends/ldap/common.py
@@ -603,6 +603,11 @@ def _common_ldap_initialization(url, use_tls=False, tls_cacertfile=None,
if not ldap.TLS_AVAIL:
raise ValueError(_('Invalid LDAP TLS_AVAIL option: %s. TLS '
'not available') % ldap.TLS_AVAIL)
+ if not tls_cacertfile and not tls_cacertdir:
+ raise ValueError(_('You need to set tls_cacertfile or '
+ 'tls_cacertdir if use_tls is true or '
+ 'url uses ldaps: scheme.'))
+
if tls_cacertfile:
# NOTE(topol)
# python ldap TLS does not verify CACERTFILE or CACERTDIR
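Review bot: The new guard at the top of the TLS branch makes an explicit `tls_cacertfile` or `tls_cacertdir` mandatory for every `ldaps://` or `use_tls` connection, so any deployment that relied on the LDAP library's default trust settings (whether any did is not visible here) now fails at initialization with a ValueError. The diffstat lists only common.py, so nothing pins this behaviour; a unit test asserting ValueError for an `ldaps://` URL with both options unset, plus a release note on the upgrade impact, would be worth adding. The guard only tests for non-empty values, and validation of the path itself appears to be left to the `if tls_cacertfile:` branch that continues below the hunk. A short why-comment above the check would help the next reader, e.g. `# Require an explicit CA file or directory; do not rely on library defaults for server certificate validation.` The body of `_common_ldap_initialization` starts and ends outside this hunk.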