[python-ldap] Issue with sasl binds

Michael Ströder michael at stroeder.com
Tue Nov 14 03:54:28 EST 2017


William Brown wrote:
> I can properly use ldapwhoami from the cli with TLS EXTERNAL:
> 
> LDAPTLS_KEY=/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.key
> LDAPTLS_CERT=/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.crt
> LDAPTLS_CACERT=/opt/dirsrv/etc/dirsrv/ssca/ca.crt ldapwhoami -Y
> EXTERNAL -H ldaps://localhost:63601/
> 
> SASL/EXTERNAL authentication started
> SASL username: cn=testuser_a,o=testing,l=389ds,st=Queensland,c=AU
> SASL SSF: 0
> dn: cn=testuser_a,O=testing,L=389ds,ST=Queensland,C=AU
> 
> However, the same with python-ldap does not work.
> 
> import ldap
> import ldap.sasl  # ldap.sasl is a submodule and must be imported explicitly
> 
> tls_locs = {
> 'ca': '/opt/dirsrv/etc/dirsrv/ssca/ca.crt',
> 'crt': '/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.crt',
> 'key': '/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.key',
> }
> 
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, tls_locs['ca'])
> 
> conn = ldap.initialize('ldaps://localhost:63601')
> 
> conn.set_option(ldap.OPT_X_TLS_CACERTFILE, tls_locs['ca'])
> conn.set_option(ldap.OPT_X_TLS_CERTFILE, tls_locs['crt'])
> conn.set_option(ldap.OPT_X_TLS_KEYFILE, tls_locs['key'])
> 
> print(conn.get_option(ldap.OPT_X_TLS_CACERTFILE))
> print(conn.get_option(ldap.OPT_X_TLS_CERTFILE))
> print(conn.get_option(ldap.OPT_X_TLS_KEYFILE))
> 
> sasl_auth = ldap.sasl.external()
> conn.sasl_interactive_bind_s("", sasl_auth)
> 
> dn = "cn=testuser_a,o=testing,l=389ds,st=Queensland,c=AU"
> assert(conn.whoami_s().lower() == "dn: %s" % dn.lower())
> conn.unbind_s()
> [..]
> ldap.AUTH_UNKNOWN: {'desc': 'Unknown authentication method', 'info':
> 'SASL(-4): no mechanism available: '}

You typically get this error when the TLS client cert was not used.

python-ldap is a wrapper above libldap and therefore inherits some of
its strange API characteristics. In this case it's the initialization of
the SSL context.

You have to use

conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)

*after* setting *all* connection-specific TLS options which AFAIK
triggers creating a new SSLContext in libldap.

The alternative is to set the options globally just like you did with
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, …). But this does not work if
your application wants to have connections with different TLS parameters.

Ciao, Michael.
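A complete per-connection version of the bind discussed above, as an added example (not code from the thread, from either poster, or from python-ldap itself): all connection-specific TLS options are set first, OPT_X_TLS_NEWCTX is set last, server certificate validation is demanded before the client key is presented, and the identity reported by Who Am I is compared against the expected DN. The URI, file paths and DN are placeholders borrowed from the thread; the library is imported inside the bind function so the ordering helper can be exercised with a fake connection on a machine without python-ldap.

```python
"""Per-connection client-certificate TLS setup for a python-ldap SASL/EXTERNAL bind.

Added example, not code from the thread or from python-ldap. The bind function
needs python-ldap on the machine that runs it; the URI, file paths and DN used
in main() are placeholders copied from the thread.
"""
import os
import stat


def tls_option_calls(ldap_mod, cacertfile, certfile, keyfile):
    """Ordered (option, value) pairs to apply to one connection.

    Every connection-specific option goes first and OPT_X_TLS_NEWCTX must be
    the last call: it is what makes libldap build the SSL context from the
    options set so far. OPT_X_TLS_DEMAND makes the client refuse servers whose
    chain does not lead to cacertfile, so the client cert is only ever
    presented to the intended directory.
    """
    return [
        (ldap_mod.OPT_X_TLS_CACERTFILE, cacertfile),
        (ldap_mod.OPT_X_TLS_CERTFILE, certfile),
        (ldap_mod.OPT_X_TLS_KEYFILE, keyfile),
        (ldap_mod.OPT_X_TLS_REQUIRE_CERT, ldap_mod.OPT_X_TLS_DEMAND),
        (ldap_mod.OPT_X_TLS_NEWCTX, 0),
    ]


def private_key_is_protected(path):
    """True when the key file grants no permissions to group or other."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def normalize_authzid(authzid):
    """Reduce a Who Am I result ('dn:cn=x,...' or 'dn: cn=x,...') to a lowercased DN."""
    value = authzid.strip()
    if value.lower().startswith("dn:"):
        value = value[3:]
    return value.strip().lower()


def bind_with_client_cert(uri, cacertfile, certfile, keyfile, expected_dn):
    """Connect to uri, bind via SASL/EXTERNAL with the client cert, verify the identity.

    Returns the authorization identity reported by the server. Raises if the
    key file is group/world-readable or the server maps the cert to a
    different DN than expected.
    """
    import ldap  # imported here so the helpers above stay importable without python-ldap
    import ldap.sasl

    if not private_key_is_protected(keyfile):
        raise PermissionError("refusing to use group/world-readable key %s" % keyfile)

    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    for option, value in tls_option_calls(ldap, cacertfile, certfile, keyfile):
        conn.set_option(option, value)  # NEWCTX is applied last by construction

    conn.sasl_interactive_bind_s("", ldap.sasl.external())
    try:
        authzid = conn.whoami_s()
        if normalize_authzid(authzid) != normalize_authzid(expected_dn):
            raise RuntimeError("bound as %r, expected %r" % (authzid, expected_dn))
        return authzid
    finally:
        conn.unbind_s()


if __name__ == "__main__":
    # Placeholder values copied from the thread; adjust for a real deployment.
    print(bind_with_client_cert(
        "ldaps://localhost:63601",
        "/opt/dirsrv/etc/dirsrv/ssca/ca.crt",
        "/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.crt",
        "/opt/dirsrv/etc/dirsrv/ssca/user-testuser_a.key",
        "cn=testuser_a,o=testing,l=389ds,st=Queensland,c=AU",
    ))
```

The `SASL SSF: 0` line in the ldapwhoami output above is expected with EXTERNAL: the mechanism itself adds no security layer, the protection comes from the TLS session, which is why demanding server certificate validation is part of the setup rather than an optional extra.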
