Dear Michael, Thank you for your answer. <br><br>Now, I'm working on making the zope python interpreter to be able to connect to the LDAP server (over SSL), using the example in Demo/initialize.py.<br><br>However I got stuck in a different problem.<br>
<br>When trying to connect, I followed this sequence of commands (changing the /path/to/my/CAcert and &lt;server&gt;:&lt;port&gt; sequences):<br><br><pre>
import sys, ldap

# Maximum OpenLDAP client-library debug output
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)

# python-ldap method-call tracing to stderr
ldapmodule_trace_level = 1
ldapmodule_trace_file = sys.stderr

# CA certificate(s) used to verify the server certificate;
# a global option, set before initialize()
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/my/CAcert')

l = ldap.initialize('ldaps://&lt;server&gt;:&lt;port&gt;',
                    trace_level=ldapmodule_trace_level,
                    trace_file=ldapmodule_trace_file)
l.protocol_version = ldap.VERSION3

# Anonymous simple bind; the TLS handshake happens on this first operation
l.bind_s('', '', ldap.AUTH_SIMPLE)
</pre><br><br>Here, I got the following message:<br>ldap.SERVER_DOWN: {'info': 'TLS: unable to get CN from peer certificate', 'desc': "Can't contact LDAP server"}<br>
<br>Point is, the LDAP server certificate doesn't have the "Subject" field; instead, it uses the "Subject Alternate Name" field in the V3 Extensions.<br><br>Can anyone help me?<br><br>Best regards,<br>
<br>Alberto<br><br><div class="gmail_quote">On Tue, Dec 9, 2008 at 9:54 AM, Michael Ströder <span dir="ltr">&lt;<a href="mailto:michael@stroeder.com">michael@stroeder.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">Alberto Lopes wrote:<br>
><br>
> From what I understood from the LDAPUserFolder code, it delegates the<br>
> SSL negotiation to the python-ldap library.<br>
<br>
</div>And further down the delegation path:<br>
python-ldap -> OpenLDAP lib -> OpenSSL lib<br>
<div class="Ih2E3d"><br>
> How can I pass the<br>
> CAcertificate to the python-ldap layer in order to have it accepting the<br>
> server certificate?<br>
<br>
</div>See Demo/initialize.py in python-ldap's source distribution.<br>
<br>
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')<br>
<br>
or<br>
<br>
ldap.set_option(ldap.OPT_X_TLS_CACERTDIR,'/etc/httpd/ssl.crt')<br>
<br>
In older versions of the OpenLDAP libs you can only set these options<br>
globally. Not sure about 2.4.8.<br>
<br>
I have no clue whether LDAPUserFolder makes it possible to set these<br>
options though.<br>
<br>
Ciao, Michael.<br>
</blockquote></div><br>
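The error in the thread, "TLS: unable to get CN from peer certificate", comes from a hostname check that reads only the Subject commonName, so a certificate that carries the server name solely in the Subject Alternative Name extension cannot pass it. The following is an added example, not code from the thread or from python-ldap/OpenLDAP: it puts a CN-only check next to a SAN-aware check (SAN first, CN only as a fallback, single leftmost-label wildcards, IP addresses matched against the IP SAN entries), run over certificate dictionaries constructed in the shape that Python's ssl.SSLSocket.getpeercert() returns. The certificates, host names and addresses are made up for the example.

```python
"""Compare a CN-only hostname check with a SAN-aware one.

Added example for the python-ldap thread above; the certificate
dictionaries are constructed (not real certificates) and follow the layout
returned by ssl.SSLSocket.getpeercert().
"""
import ipaddress

# Constructed: no commonName in the Subject, names only in the SAN extension,
# the situation described in the thread.
CERT_SAN_ONLY = {
    "subject": ((("organizationName", "Example Org"),),),
    "subjectAltName": (
        ("DNS", "ldap.example.com"),
        ("DNS", "*.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

# Constructed: old-style certificate with the host name only in the CN.
CERT_CN_ONLY = {
    "subject": ((("commonName", "ldap.example.com"),),),
}

# Constructed: CN and SAN disagree; a correct verifier ignores the CN here.
CERT_CN_SAN_CONFLICT = {
    "subject": ((("commonName", "other.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"),),
}


def subject_cn(cert):
    """Return the Subject commonName, or None if the certificate has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def dns_match(pattern, hostname):
    """Match a dNSName/CN pattern against a host name.

    Only a wildcard that is the whole leftmost label is honoured, it must
    match exactly one label, and it may not cover a public suffix such as
    '*.com' (at least two labels must follow the wildcard).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def cn_only_check(cert, hostname):
    """Legacy behaviour: fail outright when there is no CN, else compare the CN.

    Returns (accepted, reason).
    """
    cn = subject_cn(cert)
    if cn is None:
        return (False, "unable to get CN from peer certificate")
    if dns_match(cn, hostname):
        return (True, "CN matched")
    return (False, "CN mismatch")


def san_aware_check(cert, hostname):
    """SAN-first check: dNSName/iPAddress entries take precedence over the CN.

    The CN is consulted only when the certificate has no dNSName SAN at all.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]

    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # Connecting by IP: only an iPAddress SAN entry may match.
        return any(ipaddress.ip_address(v) == wanted_ip for v in ip_names)

    if dns_names:
        return any(dns_match(p, hostname) for p in dns_names)

    cn = subject_cn(cert)
    return cn is not None and dns_match(cn, hostname)


if __name__ == "__main__":
    host = "ldap.example.com"
    print("CN-only :", cn_only_check(CERT_SAN_ONLY, host))
    print("SAN-aware:", san_aware_check(CERT_SAN_ONLY, host))
```

Run as a script it shows the CN-only check rejecting the SAN-only certificate with the same reason the thread reports, while the SAN-aware check accepts it. The CN fallback is kept deliberately narrow: it applies only when no dNSName entry exists, so a certificate whose CN disagrees with its SAN is judged by the SAN alone.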