SSL and AD

geert.van.muylem at utimaco.be geert.van.muylem at utimaco.be
Tue Oct 17 16:03:19 CEST 2006


Hi,

- rootca.pem contains the self-signed root certificate
(/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK)

- I'm not 100% sure if the AD allows client authentication (didn't find a
place where to configure it...) but I made a small test app based on the
platform SDK and I had to import a client key first into Windows... When I
didn't do that, I also got the "server down" error. So I supposed that client
authentication was required...

thanks and regards,
Geert

PS My test environment:
SuSE 10.1
python: 2.4.2-18
python-ldap: 2.0.11-14


Michael Ströder <michael at stroeder.com>
10/17/2006 03:21 PM

        To:     geert.van.muylem at utimaco.be
        cc:     python-ldap-dev at lists.sourceforge.net
        Subject:        Re: SSL and AD


geert.van.muylem at utimaco.be wrote:
>     ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/home/gvm/Temp/PYSSL/rootca.pem')

Does rootca.pem contain the cert of
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK?
Or is there also an intermediate CA?

>     ldap.set_option(ldap.OPT_X_TLS_CERTFILE,'/home/gvm/Temp/PYSSL/endor-crt.pem')
>     ldap.set_option(ldap.OPT_X_TLS_KEYFILE,'/home/gvm/Temp/PYSSL/endor-key.pem')

Are you sure AD is configured to allow SSL client authentication?

>     lconn=ldap.initialize("ldaps://eowyn.doom.be/")
>     lconn.simple_bind_s ('Administrator at doom.be','system')
>     lconn.unbind_s()

Seems ok. But I hope you know that using the UPN instead of a bind DN
with simple_bind_s() is a proprietary feature of MS AD.

Ciao, Michael.
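As an added illustration (not code from either poster), the snippet below checks whether a CA file holds a single certificate or a chain, which is the point behind Michael's intermediate-CA question, and opens an LDAPS connection that demands a verified server certificate and optionally presents a client certificate. It assumes a current python-ldap (OPT_X_TLS_NEWCTX did not exist in 2.0.11); the file paths and the sample PEM bundle are constructed placeholders.

```python
import re

try:
    import ldap  # python-ldap; only connect_ldaps() needs it
except ImportError:  # the PEM helpers below work without python-ldap
    ldap = None

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed stand-in for rootca.pem: two blocks, not real certificates.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIB...root-placeholder...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB...intermediate-placeholder...
-----END CERTIFICATE-----
"""

def split_pem_certs(pem_text):
    """Return every certificate block in a PEM bundle, in file order."""
    return _PEM_CERT.findall(pem_text)

def ca_bundle_summary(pem_text):
    """Count the certificates in a CA file. One cert is enough only when
    the server cert is issued directly by that root; if an intermediate
    CA signed it, the bundle must hold root and intermediate, otherwise
    verification fails and python-ldap reports SERVER_DOWN."""
    n = len(split_pem_certs(pem_text))
    return {"certs": n, "single_cert_only": n == 1}

def connect_ldaps(uri, cafile, certfile=None, keyfile=None):
    """Open an LDAPS connection that verifies the server chain against
    cafile and, when certfile/keyfile are given, presents a client cert.
    A TLS handshake failure surfaces as ldap.SERVER_DOWN on first use."""
    if ldap is None:
        raise RuntimeError("python-ldap is not installed")
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cafile)
    # Refuse to talk to a server whose certificate does not verify.
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    if certfile and keyfile:
        conn.set_option(ldap.OPT_X_TLS_CERTFILE, certfile)
        conn.set_option(ldap.OPT_X_TLS_KEYFILE, keyfile)
    # Must come last: builds the TLS context from the options set above
    # (assumes a python-ldap/libldap new enough to have OPT_X_TLS_NEWCTX).
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    return conn
```

Run `ca_bundle_summary(open("rootca.pem").read())` first; if it reports a single certificate and the AD server cert was issued by an intermediate, the "server down" error is the chain failing to verify, not the bind.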