TLS context

Jacek Konieczny jajcus at bnet.pl
Sun Nov 11 11:44:46 CET 2001


On Sun, Nov 11, 2001 at 08:26:57PM +1000, David Leonard wrote:
> Can you give an example of what a python program might look like
> using these?

The only thing I implemented and tested now is the ldap.initialize().
This works like that (this will start LDAP over SSL connection):

import ldap
l=ldap.initialize("ldaps://some.ldap.server")
l.bind("","")
...

I am currently testing those options (OpenLDAP API is not documented
very well).

I think it would work like this (using StartTLS):

import ldap
l=ldap.initialize("ldap://some.ldap.server")
l.tls_cacert_file="cacert.pem"
l.tls_cert_file="mycert.pem"
l.tls_key_file="mykey.pem"
l.tls_require_cert=1
l.start_tls_s()
l.bind("mydn","mypasswd")

Using LDAP over SSL it would be:

import ldap
l=ldap.initialize("ldaps://some.ldap.server")
l.tls_cacert_file="cacert.pem"
l.tls_cert_file="mycert.pem"
l.tls_key_file="mykey.pem"
l.tls_require_cert=1
l.bind("mydn","mypasswd")

You can use ldap.init() instead of ldap.initialize(). ldap.open()
should not be used as it is deprecated, and it won't work for LDAP over
SSL (as the connection would be opened before the TLS options are set).

It seems some of the OpenLDAP options (e.g. LDAP_OPT_DEBUG_LEVEL) are global
flags, not specific to any LDAPObject. So we need some interface to set
those for the whole ldap module. I don't know how to implement this.
Should it be some function like ldap.set_option(), or a global variable
set like an attribute of LDAPObject? Is there a C interface for such a thing?
I have not yet checked if the TLS options are all global or connection-specific.

Greets,
        Jacek
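A present-day version of the two setups described in this message, added here as an illustration and not part of the original post: it uses python-ldap's set_option() and OPT_X_TLS_* constants instead of the attribute-style API proposed above, and the server name, file names and bind DN are placeholders.

```python
"""StartTLS vs. LDAPS with python-ldap, with server certificate verification
demanded in both cases (added example; file names are placeholders)."""
from urllib.parse import urlsplit

# Constructed placeholder paths; replace with real files.
CA_FILE = "cacert.pem"
CERT_FILE = "mycert.pem"
KEY_FILE = "mykey.pem"


def tls_mode(uri):
    """Decide how TLS is established for an LDAP URI.

    ldaps:// -> TLS from the first byte ("ldaps")
    ldap://  -> plaintext session upgraded with StartTLS ("starttls")
    Any other scheme is rejected so a typo cannot fall back to cleartext.
    """
    scheme = urlsplit(uri).scheme.lower()
    if scheme == "ldaps":
        return "ldaps"
    if scheme == "ldap":
        return "starttls"
    raise ValueError("unsupported LDAP URI scheme: %r" % scheme)


def secure_connection(uri, binddn, password):
    """Open a connection, verify the server certificate, then bind."""
    import ldap  # python-ldap; imported here so tls_mode() works without it

    mode = tls_mode(uri)
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
    # Per-connection TLS options. They must all be set before the socket is
    # opened, i.e. before the first operation (the ordering problem the
    # message points out for ldap.open()).
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, CA_FILE)
    conn.set_option(ldap.OPT_X_TLS_CERTFILE, CERT_FILE)
    conn.set_option(ldap.OPT_X_TLS_KEYFILE, KEY_FILE)
    # DEMAND: refuse servers whose certificate does not verify against CA_FILE.
    # OPT_X_TLS_NEVER / OPT_X_TLS_ALLOW would accept an unverified peer.
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    # Must be the last TLS option: builds this connection's own TLS context
    # from the settings above instead of the module-global one.
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    if mode == "starttls":
        conn.start_tls_s()  # upgrade the plaintext session before binding
    conn.simple_bind_s(binddn, password)
    return conn
```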