jupyterhub · loic-vial · Oct 14, 2022 · Mar 13, 2023
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -3,8 +3,8 @@ repos:
   rev: v1.9.0
   hooks:
   - id: reorder-python-imports
-- repo: https://github.com/ambv/black
-  rev: 19.10b0
+- repo: https://github.com/psf/black
+  rev: 22.3.0
   hooks:
   - id: black
 - repo: https://github.com/pre-commit/pre-commit-hooks

diff --git a/ldapauthenticator/ldapauthenticator.py b/ldapauthenticator/ldapauthenticator.py
@@ -45,6 +45,14 @@ def _server_port_default(self):
         """,
     )
 
+    use_tls = Bool(
+        True,
+        config=True,
+        help="""
+        Use TLS to communicate with the LDAP server when SSL is not used.
+        """,
+    )
+
     bind_dn_template = Union(
         [List(), Unicode()],
         config=True,
@@ -309,7 +317,9 @@ def get_connection(self, userdn, password):
             self.server_address, port=self.server_port, use_ssl=self.use_ssl
         )
         auto_bind = (
-            ldap3.AUTO_BIND_NO_TLS if self.use_ssl else ldap3.AUTO_BIND_TLS_BEFORE_BIND
+            ldap3.AUTO_BIND_NO_TLS
+            if self.use_ssl or not self.use_tls
+            else ldap3.AUTO_BIND_TLS_BEFORE_BIND
         )
         conn = ldap3.Connection(
             server, user=userdn, password=password, auto_bind=auto_bind

diff --git a/ldapauthenticator/tests/test_ldapauthenticator.py b/ldapauthenticator/tests/test_ldapauthenticator.py
@@ -62,6 +62,16 @@ async def test_ldap_auth_ssl(authenticator):
     assert authorized["name"] == "fry"
 
 
+async def test_ldap_auth_tls(authenticator):
+    authenticator.use_tls = True
+
+    # proper username and password in allowed group
+    authorized = await authenticator.get_authenticated_user(
+        None, {"username": "fry", "password": "fry"}
+    )
+    assert authorized["name"] == "fry"
+
+
 async def test_ldap_auth_use_lookup_dn(authenticator):
     authenticator.use_lookup_dn_username = True