[python3-ldap] Trouble with STARTTLS

Mark E. Haase mehaase at gmail.com
Tue Apr 29 06:04:07 CEST 2014


I really like python3-ldap. Much cleaner than building on top of OpenLDAP :)

I can get TLS working on port 636, but I can't figure out how to get Start
TLS on port 389. Here's what I have so far (Python 2.7):

01 import ldap3
02 import os
03 import ssl
04
05 host = "ldap.*************.net"
06 port = 389
07 username = "cn=admin,dc=*************,dc=net"
08 password = "*************"
09 base_path = os.path.dirname(os.path.realpath(__file__))
10
11 tls = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=os.path.join(base_path, "goodca"))  # PEM CA bundle
12 ldap_server = ldap3.Server(host, port=port, use_ssl=False, tls=tls)  # plain 389, not ldaps on 636
13 ldap_handle = ldap3.Connection(ldap_server, user=username, password=password)
14 ldap_handle.open()       # cleartext connection
15 ldap_handle.start_tls()  # upgrade with the StartTLS extended operation
16 ldap_handle.bind()       # bind only after the channel is encrypted

I'm ~100% sure that "goodca" is not the problem, because I've validated it
with openssl s_client, gnutls-cli, ldapsearch, and python-ldap. It's PEM
encoded. When I run this example, I get this exception:

mhaase@luci:~/luci/bin$ python test.py
Traceback (most recent call last):
  File "test.py", line 15, in <module>
    ldap_handle.start_tls()
  File "/usr/local/lib/python2.7/dist-packages/ldap3/core/connection.py", line 535, in start_tls
    if self.server.tls.start_tls(self):
  File "/usr/local/lib/python2.7/dist-packages/ldap3/core/tls.py", line 118, in start_tls
    return self._start_tls(connection)
  File "/usr/local/lib/python2.7/dist-packages/ldap3/core/tls.py", line 121, in _start_tls
    connection.socket = self.wrap_socket(connection, False)
  File "/usr/local/lib/python2.7/dist-packages/ldap3/core/tls.py", line 91, in wrap_socket
    check_hostname(wrapped_socket, connection.server.host, self.valid_names)
  File "/usr/local/lib/python2.7/dist-packages/ldap3/core/tls.py", line 206, in check_hostname
    match_hostname_backport(server_certificate, host_name)
  File "/usr/local/lib/python2.7/dist-packages/ldap3/core/tls.py", line 168, in match_hostname_backport
    raise ValueError("empty or no certificate")
ValueError: empty or no certificate

Any ideas what I'm doing wrong? Any help would be greatly appreciated...
I've been struggling with openldap/python-ldap/python3-ldap for 12 hours today!!
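The StartTLS upgrade the post is trying to get, written out against the plain socket and ssl modules as an added Python 3 example. This is not the poster's code and not ldap3's implementation. It sends the LDAP StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 4511 section 4.14), checks the ExtendedResponse resultCode, and only then wraps the socket with a context that requires a chain to the CA file and a matching host name. The final getpeercert() check shows the condition behind the "empty or no certificate" message: Python returns an empty dict for a peer whose certificate was not validated, which is what a socket wrapped with CERT_NONE yields. The host name, port and CA path are placeholders, and the response messages used in the tests are constructed by hand.

```python
"""LDAP StartTLS on port 389 with full certificate and host-name verification (added example)."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 section 4.14


def _ber_len(n):
    """BER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    if not 0 <= message_id < 0x80:
        raise ValueError("example only encodes one-byte messageIDs")
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))  # 0x77 = APPLICATION 23 constructed, 0x80 = [0]
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext)


def parse_result_code(msg):
    """Return the resultCode of an ExtendedResponse [APPLICATION 24] carried in an LDAPMessage.

    Short-form lengths only, which is all a StartTLS response needs; anything
    else raises rather than being guessed at.
    """
    def read_tlv(buf, pos):
        tag, length = buf[pos], buf[pos + 1]
        if length >= 0x80:
            raise ValueError("long-form length not handled in this example")
        start = pos + 2
        return tag, buf[start:start + length], start + length

    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, _message_id, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse, tag 0x%02x" % tag)
    tag, code, _ = read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def make_context(ca_file):
    """Client context: chain must verify against ca_file and the name must match."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED  # default for this purpose; spelled out deliberately
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def starttls(host, port=389, ca_file=None, timeout=10):
    """Connect in the clear, negotiate StartTLS, return the verified TLS socket.

    host and ca_file are placeholders; the caller sends the BindRequest over the
    returned socket so credentials never travel in cleartext.
    """
    sock = socket.create_connection((host, port), timeout)
    sock.sendall(starttls_request())
    reply = sock.recv(4096)  # a StartTLS response fits in one read
    code = parse_result_code(reply)
    if code != 0:
        sock.close()
        raise RuntimeError("server refused StartTLS, resultCode=%d" % code)
    ctx = make_context(ca_file)
    # Handshake, chain check and host-name check all happen here because the
    # socket is already connected and check_hostname is set on the context.
    tls = ctx.wrap_socket(sock, server_hostname=host)
    # getpeercert() is only populated for a validated peer; an empty dict is the
    # symptom of a CERT_NONE wrap, the same condition behind the error in the post.
    if not tls.getpeercert():
        tls.close()
        raise ssl.SSLError("empty or no certificate")
    return tls
```

Usage would be `sock = starttls("ldap.example.net", 389, "/path/to/goodca")` followed by a BindRequest over `sock`; the parse helper is deliberately strict so an unexpected BindResponse or a long-form length surfaces as an error instead of being mistaken for success.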

