Expired server certificate

Fredrik Melander melander at dfn-cert.de
Mon Sep 14 17:58:41 CEST 2009

Hey Michael,
thanks for remembering! I will it out!


Michael Ströder schrieb:
> Fredrik,
> I've learned the hard way now that settings in .ldaprc and ldap.conf have
> precedence over what you set in your Python code via ldap.set_option() or
> LDAPObject.set_option(). Best thing is to use this code-line to completely
> switch off processing of .ldaprc and ldap.conf in libldap:
> os.environ['LDAPNOINIT']='1'
> Ciao, Michael.
> Fredrik Melander wrote:
>>> Hmm, there's nothing you can do at the python-ldap level. AFAIK cert
>>> validation is completely done within the OpenSSL libs, except the host name
>>> checking.
>>> Could you please test with OpenLDAP's command-line tool ldapsearch. This is
>>> important: Please use the tool which uses the very same libldap also used for
>>> python-ldap.
>>> If ldapsearch fails this would be something to raise on the openldap-software
>>> mailing list together with information about your build of libldap and the
>>> SSL/TLS libs used. Note that libldap could be build with GnuTLS or today even
>>> with Mozilla's libnss.
>>> Ciao, Michael.
>> Hi, Michael.
>> Thanks for your reply. I've been looking into this, trying stuff on
>> different machines and once again it's the frustrating issue of
>> different OpenLDAP versions.
>> You might not remember this but I posted a question to this list a
>> couple of mounths ago about the chase referrals flag which also turned
>> out to be treated differently depending on OpenLDAP version.
>> One of my machines here has (let's call it A) the RPM
>> openldap2-client-2.3.37-20.8 installed. While as another one (B) has
>> openldap2-client-2.4.9-7.4 (libldap-2.3.so.0 and  libldap-2.4.so.2
>> respectively).
>> Of course you're right that python-ldap has nothing to do with this,
>> since ldapsearch gives the same results:
>> Computer A:
>> ldapsearch -x -h "host.domain.de" -b "o=myorg,dc=net" -ZZ
>> ldap_start_tls: Connect error (-11)
>>         additional info: error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>> Computer B:
>> ldapsearch -x -h "host.domain.de" -b "o=myorg,dc=net" -ZZ
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <o=myorg,dc=net> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>> I'm posting this in case somebody runs into similar issues and also in
>> the hope that somebody has a suggestion on how to solve this. I might
>> also need to point out that it isn't about these two computers only.
>> That would be trivial. The application is going to be distributed in a
>> fairly big organization and I can't possibly demand that everybody has
>> the same OpenLDAP version.
>> The most frustrating thing is perhaps that it is the old version that
>> has the desired behaviour. I know this is a bit off topic, but surely
>> there must be a way to check this also in later versions? It'd be much
>> appreciated if anybody could point me in the right direction here.
>> Best regards,
>> Fredrik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5927 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.python.org/pipermail/python-ldap/attachments/20090914/20e13961/attachment.bin>

More information about the python-ldap mailing list