From caf1f3eeb1abec4c2c195552af28577fc5dc42ad Mon Sep 17 00:00:00 2001
From: Ryan Petrello
Date: Fri, 28 Jun 2019 17:11:50 -0400
Subject: [PATCH] fix a bug that causes LDAP TLS connection flags to not be set properly
co-authored-by: Jim Ladd
---
 awx/sso/backends.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/awx/sso/backends.py b/awx/sso/backends.py
index 13e55cbd8377..f88f4a6e6724 100644
--- a/awx/sso/backends.py
+++ b/awx/sso/backends.py
@@ -2,6 +2,7 @@
 # All Rights Reserved.
 # Python
+from collections import OrderedDict
 import logging
 import uuid
@@ -54,6 +55,20 @@ def __init__(self, prefix='AUTH_LDAP_', defaults={}):
             options[ldap.OPT_NETWORK_TIMEOUT] = 30
         self.CONNECTION_OPTIONS = options
+        # when specifying `.set_option()` calls for TLS in python-ldap, the
+        # *order* in which you invoke them *matters*, particularly in Python3,
+        # where dictionary insertion order is persisted
+        #
+        # specifically, it is *critical* that `ldap.OPT_X_TLS_NEWCTX` be set *last*
+        # this manual sorting puts `OPT_X_TLS_NEWCTX` *after* other TLS-related
+        # options (because their openldap keys are < `ldap.OPT_X_TLS_NEWCTX`
+        #
+        # see: https://github.com/python-ldap/python-ldap/issues/55
+        newctx_option = self.CONNECTION_OPTIONS.pop(ldap.OPT_X_TLS_NEWCTX, None)
+        self.CONNECTION_OPTIONS = OrderedDict(self.CONNECTION_OPTIONS)
+        if newctx_option:
+            self.CONNECTION_OPTIONS[ldap.OPT_X_TLS_NEWCTX] = newctx_option
+
 class LDAPBackend(BaseLDAPBackend):
     '''
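Review bot: The truthiness test `if newctx_option:` silently discards the option when its configured value is 0, which is the value python-ldap's and django-auth-ldap's documentation use for `OPT_X_TLS_NEWCTX` (0 means "create a new TLS context"); since the preceding line has already popped the key, a falsy value is never re-added and the TLS options that depend on it (CA bundle, require-cert) would still not take effect, which is exactly the symptom this commit sets out to fix. The guard should distinguish "absent" from "zero": `if newctx_option is not None:`. The comment's explanation is also slightly off: an `OrderedDict` preserves insertion order rather than sorting by the OpenLDAP key value, so the option lands last because it is appended last, not because of key ordering, and a corrected wording such as `# re-insert OPT_X_TLS_NEWCTX last so its set_option() call follows the other TLS options` would keep a future maintainer from "fixing" it by sorting. The enclosing `__init__` starts outside the hunk, so whether some other value type is ever assigned to this option is not visible here.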