fix a bug that causes LDAP TLS connection flags to not be set properly

co-authored-by: Jim Ladd <[email protected]>

awx/sso/backends.py

@@ -2,6 +2,7 @@
 # All Rights Reserved.
 
 # Python
+from collections import OrderedDict
 import logging
 import uuid
 
@@ -54,6 +55,19 @@ def __init__(self, prefix='AUTH_LDAP_', defaults={}):
             options[ldap.OPT_NETWORK_TIMEOUT] = 30
             self.CONNECTION_OPTIONS = options
 
+        # when specifying `.set_option()` calls for TLS in python-ldap, the
+        # *order* in which you invoke them *matters*, particularly in Python3,
+        # where dictionary insertion order is persisted
+        #
+        # specifically, it is *critical* that `ldap.OPT_X_TLS_NEWCTX` be set *last*
+        # this manual sorting puts `OPT_X_TLS_NEWCTX` *after* other TLS-related
+        # options (because their openldap keys are < `ldap.OPT_X_TLS_NEWCTX`
+        #
+        # see: https://github.com/python-ldap/python-ldap/issues/55
+        self.CONNECTION_OPTIONS = OrderedDict(
+            (k, v) for k, v in sorted(self.CONNECTION_OPTIONS.items())
+        )
+
 
 class LDAPBackend(BaseLDAPBackend):
     '''