start_tls = 2 is ignored with LDAP URIs starting with LDAP://

Andreas Büsching buesching at univention.de
Fri Jan 8 09:39:40 CET 2010 

Hi,

I've found a strange behaviour of python-ldap when working with TLS encrypted 
connections. I'm not sure if this is a problem of the python bindings or of 
libldap or in my head ;-)

In my first scenario I was trying to set up a TLS encrypted connection with a 
specific CA certificate that was set in the ldap.conf file (TLS_CACERT).

>>> import ldap
>>> l = 
ldap.ldapobject.SmartLDAPObject(uri='LDAP://qamaster.windom2008.univention.test:389', 
who='uid=Administrator,cn=users,DC=windom2008,DC=univention,DC=test',cred='univention', 
start_tls=2, tls_cacertfile='/etc/univention/ssl/ucsCA/CAcert.pem')
>>> l.started_tls
0

In that case the connection is not encrypted. When I replace LDAP:// with 
ldap:// in the URI the connection is encrypted.

>>> l = 
ldap.ldapobject.SmartLDAPObject(uri='ldap://qamaster.windom2008.univention.test:389', 
who='uid=Administrator,cn=users,DC=windom2008,DC=univention,DC=test',cred='univention', 
start_tls=2, tls_cacertfile='/etc/univention/ssl/ucsCA/CAcert.pem')
>>> l.started_tls
1

It look likes a TLS connection is not set up if the URI starts with LDAP://

In the second scenario I've tried to set up a TLS encrypted connection with a 
CA certificate that was not set in the ldap.conf file.

>>> l = 
ldap.ldapobject.SmartLDAPObject(uri='ldap://win-64q6lq48z7a.windom2008.univention.test:389', 
who='cn=Administrator,cn=users,DC=windom2008,DC=univention,DC=test',cred='univention', 
start_tls=2, 
tls_cacertfile='/etc/univention/connector/ad/ad_cert_20091221_153053.pem')
...
ldap.CONNECT_ERROR: {'info': 'error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify 
failed', 'desc': 'Connect error'}

It seems that the argument tls_cacertfile is ignored, because if I set the CA 
certificate file with the set_option function the connection works and is 
encrypted.

ldap.set_option( 
ldap.OPT_X_TLS_CACERTFILE, '/etc/univention/connector/ad/ad_cert_20091221_153053.pem' )
l = 
ldap.ldapobject.SmartLDAPObject(uri='ldap://win-64q6lq48z7a.windom2008.univention.test:389', 
who='cn=Administrator,cn=users,DC=windom2008,DC=univention,DC=test',cred='univention', 
start_tls=2 )
>>> l.started_tls
1

software versions:

python 2.4.6
libldap 2.4.15
python-ldap 2.3.5

Is there any mistake in my reasoning or is this a known behaviour?

best regards
Andreas

-- 
Andreas Büsching
Open Source Software Engineer

Univention GmbH
Linux for your business
Mary-Somerville-Str.1
28359 Bremen
Tel. : +49 421 22232-0
Fax : +49 421 22232-99

<buesching at univention.de>
http://www.univention.de

Geschäftsführer: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Steuer-Nr.: 71-597-02876
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.python.org/pipermail/python-ldap/attachments/20100108/eba55c97/attachment.pgp>

More information about the python-ldap mailing list