Certificate checking on LDAP over SSL connection

Alberto Lopes plone at alopes.com
Tue Dec 9 19:29:20 CET 2008


Dear Michael,

Thank you for your answer.

Now, I'm working on making the Zope Python interpreter able to connect
to the LDAP server (over SSL), using the example in Demo/initialize.py.

However I got stuck in a different problem.

When trying to connect, I followed this sequence of commands (changing the
/path/to/my/CAcert and <server>:<port> sequences):

import sys, ldap

# Maximum OpenLDAP library debug output (goes to stderr).
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)

# Trace every python-ldap call on stderr as well.
ldapmodule_trace_level = 1
ldapmodule_trace_file = sys.stderr

# CA certificate(s) used to verify the server certificate; must be set
# globally before the connection object is created.
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/my/CAcert')

# Open an LDAPS connection (TLS negotiated on connect, not StartTLS).
l = ldap.initialize('ldaps://<server>:<port>',
                    trace_level=ldapmodule_trace_level,
                    trace_file=ldapmodule_trace_file)
l.protocol_version = ldap.VERSION3

# Anonymous simple bind; this is the call that fails below.
l.bind_s('', '', ldap.AUTH_SIMPLE)

Here, I got the following message:
ldap.SERVER_DOWN: {'info': 'TLS: unable to get CN from peer certificate',
'desc' : "Can't contact LDAP server"}

Point is, the LDAP server certificate doesn't have the "Subject" field;
instead, it uses the "Subject Alternate Name" field in the V3 Extensions.

Can anyone help me?

Best regards,

Alberto

On Tue, Dec 9, 2008 at 9:54 AM, Michael Ströder <michael at stroeder.com> wrote:

> Alberto Lopes wrote:
> >
> > From what I understood from the LDAPUserFolder code, it delegates the
> > SSL negotiation to the python-ldap library.
>
> And further down the delegation path:
> python-ldap -> OpenLDAP lib -> OpenSSL lib
>
> > How can I pass the
> > CAcertificate to the python-ldap layer in order to have it accepting the
> > server certificate?
>
> See Demo/initialize.py in python-ldap's source distribution.
>
>
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')
>
> or
>
> ldap.set_option(ldap.OPT_X_TLS_CACERTDIR,'/etc/httpd/ssl.crt')
>
> In older versions of the OpenLDAP libs you can only set these options
> globally. Not sure about 2.4.8.
>
> I have no clue whether LDAPUserFolder makes it possible to set these
> options though.
>
> Ciao, Michael.
>
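The error above comes from the OpenLDAP library's own hostname check, not from the CA setting: it compares the host in the LDAP URL against the certificate's Subject Alternative Name entries first and only looks for a Subject CN when that produced no match, so "unable to get CN from peer certificate" means the SAN entries did not match the URL host (for example because the URL uses an IP address or an alias that is not listed) and there was no CN left to fall back on. The following script, added here as an illustration and not code from the thread or from python-ldap, implements that SAN-first, CN-fallback rule over certificates in the dictionary layout that Python's `ssl.SSLSocket.getpeercert()` returns, so the matching logic can be exercised offline against constructed sample certificates. The certificate dictionaries, host names and the helper names `match_hostname` and `check_ldap_url` are all assumptions made for the example.

```python
"""Hostname matching against a server certificate's names.

Implements the rule from RFC 6125 that LDAP clients apply: the host
from the LDAP URL must match a subjectAltName dNSName (or iPAddress)
entry; the Subject CN is only consulted when the certificate carries
no dNSName entries at all. Certificates use the dict layout returned
by ssl.SSLSocket.getpeercert(). Every certificate below is constructed
sample data, not a real server certificate.
"""
import ipaddress
from urllib.parse import urlsplit


def _dns_name_match(pattern, hostname):
    """Case-insensitive match of one certificate name against a host.

    A single leading wildcard label (*.example.org) may match exactly
    one label; it never matches the bare domain or deeper subdomains.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Return (ok, reason) for a getpeercert()-style dict and a host."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]

    # Connecting by IP address: only a SAN iPAddress entry can satisfy it.
    if ip is not None:
        if any(ipaddress.ip_address(v) == ip for v in ip_names):
            return True, "matched SAN iPAddress %s" % hostname
        return False, "URL host is an IP address and no SAN iPAddress matches it"

    # Preferred path: SAN dNSName entries.
    for name in dns_names:
        if _dns_name_match(name, hostname):
            return True, "matched SAN dNSName %s" % name
    if dns_names:
        return False, "no SAN dNSName matches %s" % hostname

    # Legacy fallback, used only when the certificate has no dNSName at all.
    cns = [value for rdn in cert.get("subject", ())
           for kind, value in rdn if kind == "commonName"]
    if not cns:
        return False, "unable to get CN from peer certificate (no SAN dNSName and no Subject CN)"
    for cn in cns:
        if _dns_name_match(cn, hostname):
            return True, "matched Subject CN %s (legacy fallback)" % cn
    return False, "Subject CN %s does not match %s" % (cns[0], hostname)


def check_ldap_url(url, cert):
    """Extract the host from an ldap:// or ldaps:// URL and check it."""
    host = urlsplit(url).hostname
    if not host:
        return False, "URL %r has no host component" % url
    return match_hostname(cert, host)


# Constructed sample certificates (assumed values, not real servers).
SAN_ONLY_CERT = {
    "subject": ((("organizationName", "Example Org"),),),
    "subjectAltName": (("DNS", "ldap.example.org"), ("DNS", "ldap1.example.org")),
}
CN_ONLY_CERT = {
    "subject": ((("commonName", "ldap.example.org"),),),
}
WILDCARD_CERT = {
    "subject": ((("organizationName", "Example Org"),),),
    "subjectAltName": (("DNS", "*.example.org"),),
}
NO_NAMES_CERT = {
    "subject": ((("organizationName", "Example Org"),),),
}

if __name__ == "__main__":
    for url, cert in [
        ("ldaps://ldap.example.org:636", SAN_ONLY_CERT),
        ("ldaps://192.0.2.10:636", SAN_ONLY_CERT),
        ("ldaps://ldap.example.org:636", CN_ONLY_CERT),
        ("ldaps://ldap.example.org:636", NO_NAMES_CERT),
        ("ldaps://ldap.example.org:636", WILDCARD_CERT),
    ]:
        print(url, "->", check_ldap_url(url, cert))
```

Running the script shows the two ways the thread's failure mode appears: a SAN-only certificate is accepted when the URL names a host listed in the SAN, but rejected when the URL uses an IP address that the SAN does not carry, and a certificate with neither a matching SAN nor a CN fails with the same "unable to get CN" condition. The fix belongs on the server side (issue a certificate whose SAN lists every name clients connect with, and preferably also a CN) rather than on the client: lowering `ldap.OPT_X_TLS_REQUIRE_CERT` from `ldap.OPT_X_TLS_DEMAND` to `ldap.OPT_X_TLS_NEVER` makes the error go away only by skipping certificate verification altogether.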