[python-ldap] Python LDAP TLS error when ldap.OPT_X_TLS_REQUIRE_CERT is set to ldap.OPT_X_TLS_NEVER

Daniel Watrous dwmaillist at gmail.com
Thu Jun 30 16:10:17 EDT 2016


Michael,

Since you're avoiding stackoverflow, you didn't see that I already did
exactly what you suggest, but it's not working, hence my question. I
figured I must be missing something.

Copying over from stackoverflow for this list

When using python-ldap I am setting ldap.OPT_X_TLS_REQUIRE_CERT to
ldap.OPT_X_TLS_NEVER, but I still get a TLS error. I've tried
ldap.set_option and the version you see below. Both produce the same error.

import ldap
import os
import string


class adldap_connection:
    def __init__(self, configuration, secure):
        self.configuration = configuration
        self.secure = secure
        # 'host' is a string.Template such as "ldaps://ad.example.com:$port"
        self.ldap_host_template = string.Template(self.configuration['host'])
        if self.secure:
            self.ldap_host = self.ldap_host_template.substitute(port=self.configuration['secure_port'])
        else:
            self.ldap_host = self.ldap_host_template.substitute(port=self.configuration['standard_port'])

    def __enter__(self):
        try:
            self.ld = ldap.initialize(self.ldap_host)
            if self.configuration['verify_ssl']['verify']:
                # Verify the server certificate against the configured CA file
                self.ld.set_option(ldap.OPT_X_TLS_CACERTFILE, self.configuration['verify_ssl']['use'])
                print "ldap.OPT_X_TLS_CACERTFILE = %d" % ldap.OPT_X_TLS_CACERTFILE
            else:
                # Try to turn off certificate checking on this connection only
                self.ld.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
                print "ldap.OPT_X_TLS_REQUIRE_CERT = %d" % ldap.OPT_X_TLS_REQUIRE_CERT
                print "ldap.OPT_X_TLS_NEVER = %d" % ldap.OPT_X_TLS_NEVER
                #ldap.set_option(ldap.OPT_X_TLS_NEWCTX, 0)

            self.ld.simple_bind_s(self.configuration['binduser'], self.configuration['bindpassword'])
        except ldap.LDAPError, error_message:
            print "Couldn't Connect. %s " % error_message
            print "Using CA: %s" % self.configuration['verify_ssl']['use']
            if self.configuration['verify_ssl']['use']:
                print "File exists: %s" % os.path.exists(self.configuration['verify_ssl']['use'])
        return self.ld

    def __exit__(self, exc_type, exc_value, traceback):
        self.ld.unbind_s()

I get this exception

ldap.OPT_X_TLS_REQUIRE_CERT = 24582
ldap.OPT_X_TLS_NEVER = 0
Couldn't Connect. {'info': "TLS error -8179:Peer's Certificate issuer is not recognized.", 'desc': "Can't contact LDAP server"}


On Thu, Jun 30, 2016 at 2:04 PM, Michael Ströder <michael at stroeder.com>
wrote:

> Daniel Watrous wrote:
> > I'm getting a TLS error even after setting ldap.OPT_X_TLS_REQUIRE_CERT
> > to ldap.OPT_X_TLS_NEVER
>
> You should always verify the server's cert. Otherwise the connection can be
> hijacked with an active MITM attack.
>
> TLS options are set via LDAPObject.set_option() or globally via
> ldap.set_option().
>
> https://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.set_option
>
> https://www.python-ldap.org/doc/html/ldap.html#ldap.set_option
>
> See Demo/initialize.py in the source tar.gz.
>
> > How can I tell python-ldap to not check certificates? I've posted this
> > question to stackoverflow too.
>
> I'm deliberately ignoring stackoverflow...
>
> Ciao, Michael.
>
>
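The verifying configuration the reply recommends, written out as an added example that is not code from this thread or from python-ldap; it assumes the ldap.OPT_* constants named above plus ldap.OPT_X_TLS_DEMAND, and that libldap only honours per-connection TLS options once OPT_X_TLS_NEWCTX is set to 0 after them, the order python-ldap's Demo/initialize.py uses.

```python
"""Per-connection TLS settings for python-ldap, with verification on.
Added example, not code from this thread or from python-ldap. It assumes the
ldap.OPT_* constants named in the thread plus ldap.OPT_X_TLS_DEMAND, and that
libldap honours per-connection TLS options only once OPT_X_TLS_NEWCTX is set
to 0 after them (the order python-ldap's Demo/initialize.py uses).
"""
import os


def looks_like_pem(data):
    # True if the bytes hold at least one PEM certificate block
    return (b"-----BEGIN CERTIFICATE-----" in data
            and b"-----END CERTIFICATE-----" in data)


def tls_option_plan(ldap_mod, cafile):
    """Ordered (option, value) pairs for a certificate-verifying connection.
    ldap_mod supplies the OPT_* constants (the ldap module in real use).
    The CA file is checked first so a bad path fails with a clear Python
    error instead of libldap's "Can't contact LDAP server".
    """
    if not os.path.isfile(cafile):
        raise FileNotFoundError("CA file not found: %s" % cafile)
    with open(cafile, "rb") as fh:
        if not looks_like_pem(fh.read()):
            raise ValueError("CA file is not PEM: %s" % cafile)
    return [
        (ldap_mod.OPT_PROTOCOL_VERSION, 3),
        (ldap_mod.OPT_X_TLS_CACERTFILE, cafile),
        # DEMAND: no session unless the server cert chains to this CA.
        (ldap_mod.OPT_X_TLS_REQUIRE_CERT, ldap_mod.OPT_X_TLS_DEMAND),
        # Must be last: builds a fresh TLS context from the settings above.
        (ldap_mod.OPT_X_TLS_NEWCTX, 0),
    ]


def apply_tls_options(conn, plan):
    """Apply the plan in order to an LDAPObject; returns how many were set."""
    for option, value in plan:
        conn.set_option(option, value)
    return len(plan)


def connect(uri, cafile, binddn, password):
    """Open a verified ldaps:// connection and bind (needs python-ldap)."""
    import ldap  # lazy import: the helpers above run without libldap
    conn = ldap.initialize(uri)
    apply_tls_options(conn, tls_option_plan(ldap, cafile))
    conn.simple_bind_s(binddn, password)
    return conn
```

If verification still fails with a correct CA file, the path and PEM checks above rule out the "File exists" question from the post, leaving the chain itself (issuer not in the CA file) as the remaining cause.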