sources/ldap: clean-up certs written from db

[ChandonPierre]

Details

Cert based ldap auth introduced in #5850 does not clean-up the temporary certificate files written out from the DB - when running in Kubernetes this eventually fills up /dev/shm and causes the worker to crashloop.

This PR ensures the files are cleaned up in a finally block.

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If changes to the frontend have been made

• The code has been formatted (make web)
• The translation files have been updated (make i18n-extract)

If applicable

• The documentation has been updated
• The documentation has been formatted (make website)

[netlify]

✅ Deploy Preview for authentik-storybook canceled.

Name	Link
🔨 Latest commit	d92dd27
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-storybook/deploys/655915bd22cf9f00094179f6

[codecov]

Codecov Report

Attention: 1 lines in your changes are missing coverage. Please review.

Comparison is base (6e5eb67) 92.60% compared to head (d92dd27) 91.17%.

Files	Patch %	Lines
authentik/sources/ldap/models.py	75.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7617      +/-   ##
==========================================
- Coverage   92.60%   91.17%   -1.44%     
==========================================
  Files         587      587              
  Lines       29071    29075       +4     
==========================================
- Hits        26922    26509     -413     
- Misses       2149     2566     +417     

Flag	Coverage Δ
e2e	50.82% <75.00%> (-0.08%)	⬇️
integration	?
unit	89.66% <50.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[BeryJu]

Actually I'm not sure if this works as intended, as this would clean up the certificate files while the server connection is still open; I'm not sure if there's any logic in ldap3 that will try to re-connect with the same server where this would cause issues; ideally we'd create the files upon connect and remove them upon disconnect, although that might require a custom ldap3 Server class

[ChandonPierre]

Actually I'm not sure if this works as intended, as this would clean up the certificate files while the server connection is still open; I'm not sure if there's any logic in ldap3 that will try to re-connect with the same server where this would cause issues; ideally we'd create the files upon connect and remove them upon disconnect, although that might require a custom ldap3 Server class

I'm running this in my enviornment - sync works and the temp dir is cleaned up after ak ldap_sync.

At a cursory glance the cert chain is validated upon socket open: https://github.com/cannatag/ldap3/blob/8077d25461bb00ee28232a777f3ecb716b4bb985/ldap3/core/tls.py#L188-L189

so if the socket remains open after bind() it should work as intended - if the wrapped connection socket needs to be re-established then it would likely be rejected