Problem using ldaps with two different CA cert files
Rich Megginson
rich.megginson at gmail.com
Wed Sep 10 22:59:08 CEST 2008
The following code does not work in a couple of different places:
import sys
import ldap, ldap.ldapobject
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/ca1.pem')
conn1 = ldap.ldapobject.LDAPObject('ldaps://server1.domain:636')
#conn1.set_option(ldap.OPT_DEBUG_LEVEL, 255)
# NOTE: 1 - setting conn specific cacertfile doesn't work - only the
# module level setting seems to work
#conn1.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/ca1.pem')
conn1.simple_bind('mybinddn','password')
print "conn1 set up correctly"
conn1.unbind_s()
# NOTE: 2 - although this appears to work i.e. get_option returns the new
# one, the code never attempts to open /path/to/ca2.pem - I've validated
this via strace
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/ca2.pem')
print "cacert file =", ldap.get_option(ldap.OPT_X_TLS_CACERTFILE)
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 0) # this works
conn2 = ldap.initialize('ldaps://server2.domain:636')
#conn2.set_option(ldap.OPT_DEBUG_LEVEL, 255)
# again, conn specific setting does not work
conn2.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/ca2.pem')
print "conn2 cacertfile=", conn2.get_option(ldap.OPT_X_TLS_CACERTFILE)
conn2.simple_bind("binddn2","password2") # errors here - cannot verify
peer server ssl cert
print "conn2 set up correctly"
Is it possible to use two different CA certs in a single python-ldap
app? I've tried using both version 2.2.0 on rhel5 and version 2.3.1 on
fedora 9
More information about the python-ldap
mailing list