How to verify server certificate

[Michael Ströder]

Fredrik Melander wrote:
> Michael Ströder schrieb:
>> Fredrik Melander wrote:
>>> Short question: when negotiating TLS with the LDAP server with
>>> start_tls_s(), can I use python-ldap to follow the certificate chain and
>>>   verify the server certificate? If so, how?
>> The OpenLDAP libs are doing that for you (with the help of an underlying lib
>> like OpenSSL, GnuTLS or NSS). Same for CRL checking available in recent
>> versions of OpenLDAP libs.
>>
>> For the most common case with OpenLDAP C libs linked to OpenSSL libs see
>> script Demo/initialize.py:
>>
>> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')
> 
> Thanks for the very fast reply!
> 
> I've been playing around with a certificate that should be broken
> without having my script complain the least.

Why should it be broken?

> I would have expected
> python-ldap to throw an exception or similar but for the time being it
> seems to be pretending that everything's alright.

If the cert or hostname validation fails ldap.SERVER_DOWN is raised.

> Here's my connect-method in the class that's using ldap:
> 
> def get_connection(self, connection_string):
> 	"Connect to ldap and return the handle"
> 	
> 	conn = ldap.initialize(connection_string)
> 	conn.protocol_version = ldap.VERSION3
> 	conn.set_option(ldap.OPT_REFERRALS, 0)
> 	conn.set_option(ldap.OPT_X_TLS_CACERTFILE, "etc/openldap/ssl/cacert.pem")
> 	conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
> 
> 	conn.start_tls_s()
> 	conn.simple_bind_s(self.ldap_user, self.ldap_password)
> 	return conn
> 
> What is it that I'm misunderstanding here?

Well, there's a reason why in Demo/initialize.py the TLS-related options are
set globally. Only in recent versions of OpenLDAP you can set these options
per connection.

And libldap might also use TLS-related configuration in a .ldaprc or
/etc/ldap.conf if available.

Ciao, Michael.