Certificate checking on LDAP over SSL connection

Michael Ströder michael at stroeder.com
Tue Dec 16 17:26:56 CET 2008

Alberto Lopes wrote:
> I dunno if this message was best sent directly to you or posted on the
> list; if so, please feel free to forward it.

Please post to python-ldap-dev at lists.sourceforge.net (Cc:-ed).

> Apparentely the "SSL server certificate with blank subject field"
> problem doesn't end in reissuing the certificate, with a filled subject
> field.

Hmm...without seeing the certs and/or error messages I can't tell.

> In the blog post
> http://blogs.technet.com/askds/archive/2008/09/16/third-party-application-fails-using-ldap-over-ssl.aspx,
> the author quotes the RFC 3280 (Internet X.509 PKI spec), in which it is
> stated that when the SAN field is marked as critical and is used to
> express the only identity to the subject, the subject field must be empty.

Frankly, there are lots of interop issues regarding PKIX. You don't want
to know all of them. So I wouldn't mark SAN extension critical and add
the hostname in the CN attribute of subject name.

> So, strictly speaking, a certificate with blank subject field can be
> conformant to the RFC. In that sense, I think that openssl is already
> conformant, since the "openssl -c" command doesn't give me an error
> message. But maybe openLDAP or python-ldap is not conformant, for giving
> me the error message I talked about in my first message.

Does it work with the OpenLDAP command-line tools? If openssl s_client
just works fine and the OpenLDAP command-line tool ldapsearch does not
it would be good to raise this on the openldap-software mailing list.

python-ldap itself does not do anything special. It just passes all
paramaters to the OpenLDAP lib.

Ciao, Michael.

More information about the python-ldap mailing list