deepak at arlut.utexas.edu
Tue May 24 22:56:14 CEST 2005
On Tue, 2005-05-24 at 14:21 +0200, Daniel LB wrote:
> Yes, I am doing this with AD.
> I tried what you said and the error message I got back was
> WILL_NOT_PERFORM (Server unwilling to perform), so I'm guessing it's
> because I don't use any encryption on my connection.
Perhaps. AD has the habit of throwing the WILL_NOT_PERFORM error in all
kinds of weird situations. :)
> But, since I'm only connecting to localhost, is encryption really necessary?
The short answer is "yes". :) The long answer is that this is a
restriction that AD imposes upon us:
"The password is stored in the Active Directory on a user object in the
unicodePwd attribute. This attribute can be written under restricted
conditions, but it cannot be read. The attribute can only be modified;
it cannot be added on object creation or queried by a search. In order
to modify this attribute, the client must have a 128-bit Secure Socket
Layer (SSL) connection to the server. For this connection to be
possible, the server must possess a server certificate for a 128-bit RSA
connection, the client must trust the certificate authority (CA) that
generated the server certificate, and both client and server must be
capable of 128-bit encryption."
This is from:
> Anyway.. could you give me an example of how you establish your
> encrypted connection?
What Bjørn says is largely correct, except that with AD you have to go
through some pain to get it to do LDAP/SSL. It's much more painful than
with OpenLDAP, unfortunately (my kingdom for a simple config file!).
Here's what you do:
1) Install an "Enterprise Certificate Authority" onto your AD server.
You can do this through the Control Panel -> "Add/Remove Windows
2) You'll need to create 2 new "Automatic Certificate Requests", one for
"Computer" and one for "Domain Controller". Do this via "Domain
Controller Security Policy" -> "Computer Configuration" -> "Windows
Settings" -> "Security Settings" -> "Public Key Policies" ->
(right-click on "Automatic Certificate Request Settings") -> (choose
"New") -> (choose "Automatic Certificate Request"). Do this step twice,
once to make a "Computer" cert, and once for a "Domain Controller" cert.
3) At this point, you should be able to connect via SSL (I'm not sure if
the AD server requires a reboot or not...)
4) Here's how I establish an SSL connection in Python:
import ldap

# Disable strict certificate checking, since you've made up your
# own certificate for SSL
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
# Disable OpenLDAP referral chasing, which can cause trouble with
ldap.set_option(ldap.OPT_REFERRALS, 0)
# Create the connection
conn = ldap.initialize("ldaps://localhost")
I know it's a lot of work, but that's the only way I know of to get AD
to do LDAP/SSL. Here is a (pretty worthless) article from MSDN about it:
Hope this helps! :)
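An added example for the procedure above (not code from the original post or from python-ldap itself): it opens the LDAPS connection and writes unicodePwd the way AD requires it, the new password wrapped in double quotes and encoded as UTF-16-LE. Instead of switching certificate checking off, it verifies the server certificate against the Enterprise CA installed in step 1, so the password is not exposed to anything sitting between client and server; CA_FILE, the bind DN, the user DN and the password are placeholders.

```python
"""Set an Active Directory user's password over LDAPS with python-ldap.

Added example for this thread, not the original poster's code. Assumes
python-ldap is installed, the Enterprise CA certificate has been exported
to CA_FILE (placeholder path), and the bound account may write unicodePwd.
"""

CA_FILE = "/etc/ssl/certs/ad-enterprise-ca.pem"  # placeholder path


def encode_unicode_pwd(password: str) -> bytes:
    """AD accepts unicodePwd only as the password in double quotes,
    encoded as UTF-16-LE without a byte-order mark."""
    return ('"' + password + '"').encode("utf-16-le")


def is_ldaps(uri: str) -> bool:
    """unicodePwd writes are refused (WILL_NOT_PERFORM) on a cleartext
    connection, so only an ldaps:// URI is worth trying."""
    return uri.lower().startswith("ldaps://")


def connect(uri: str, ca_file: str = CA_FILE):
    """Open an LDAPS connection that verifies the server certificate."""
    if not is_ldaps(uri):
        raise ValueError("unicodePwd can only be modified over LDAPS: %s" % uri)
    import ldap

    # Trust the Enterprise CA from step 1 and demand a valid server cert,
    # rather than disabling checking: otherwise anything on the path could
    # impersonate the DC and read the new password.
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    # AD hands back referrals that OpenLDAP would try to chase anonymously.
    ldap.set_option(ldap.OPT_REFERRALS, 0)
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    return conn


def set_password(conn, user_dn: str, new_password: str) -> None:
    """Replace (never add or read) the unicodePwd attribute of user_dn."""
    import ldap

    modlist = [(ldap.MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(new_password)])]
    conn.modify_s(user_dn, modlist)


if __name__ == "__main__":
    # Placeholder values; replace with your own DNs and credentials.
    conn = connect("ldaps://localhost")
    conn.simple_bind_s("CN=Administrator,CN=Users,DC=example,DC=local", "admin-password")
    set_password(conn, "CN=Daniel,CN=Users,DC=example,DC=local", "N3w-Passw0rd!")
    conn.unbind_s()
```

If the server's certificate was issued by the Enterprise CA but the hostname in the URI does not match the certificate's subject, the bind fails at the TLS layer; use the DC's real name rather than localhost in that case.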