Support for STARTTLS and/or LDAPS

[fredreichbier]

The following LDAP communication channels may employ TLS:

• LDAP Proxy<->LDAP Backend: For that, we can use the LDAPClient.startTLS method, but we should check to which extent certificates are validated first.
• App<->LDAP Proxy: Here, we will probably use a generic solution provided by Twisted. We will need configuration options to configure certificates, though.

We also need to decide if we only want to support STARTTLS or LDAP over SSL (= LDAPS) as well. 9d818be completely disables TLS support for LDAP for now until we have figured out the questions above.

[cornelinux]

We also need to support LDAPS to communitcate to the backend. LDAP Proxy<->LDAP Backend. Sometimes AD only supports LDAPS not LDAP+STARTTLS. For that we need to support:

• LDAP
• LDAPS
• LDAP+STARTTLS

[fredreichbier]

Current state is:

• LDAP Proxy <-> LDAP Backend: LDAPS is supported (see Implement LDAPS connection to LDAP backend #23), STARTTLS is unsupported
• App<->LDAP Proxy: Both LDAPS nor STARTTLS are unsupported

[fredreichbier]

I added a note on how to use LDAPS for App<->LDAP Proxy in the 3/serve-ldaps branch. Apparently, this is possible with just Twisted's server endpoint syntax, but I haven't checked for anything but self-signed certificates yet.

[fredreichbier]

@cornelinux do you think we can merge #41? Then, we would have official LDAPS support for LDAP Proxy <-> LDAP backend and App <-> LDAP Proxy, so I would close this ticket and open a new one for STARTTLS.

[bjo81]

Is it possible to disable cert verification for ldaps?