Dear Michael, Thank you for your answer.
Now, I'm working on making the Zope Python interpreter able to connect
to the LDAP server (over SSL), using the example in Demo/initialize.py.
However, I got stuck on a different problem.
When trying to connect, I followed this sequence of commands (changing the
/path/to/my/CAcert and <server>:<port> sequences):
import sys, ldap

# Verbose OpenLDAP client-library debugging plus python-ldap call tracing
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
ldapmodule_trace_level = 1
ldapmodule_trace_file = sys.stderr

# CA certificate used to verify the server certificate (global option)
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/my/CAcert')

l = ldap.initialize('ldaps://<server>:<port>',
                    trace_level=ldapmodule_trace_level,
                    trace_file=ldapmodule_trace_file)
l.protocol_version = ldap.VERSION3
l.bind_s('', '', ldap.AUTH_SIMPLE)
Here, I got the following message:
ldap.SERVER_DOWN: {'info': 'TLS: unable to get CN from peer certificate',
'desc' : "Can't contact LDAP server"}
Point is, the LDAP server certificate doesn't have the "Subject" field;
instead, it uses the "Subject Alternate Name" field in the V3 Extensions.
Can anyone help me?
Best regards,
Alberto
On Tue, Dec 9, 2008 at 9:54 AM, Michael Ströder <[EMAIL PROTECTED]>wrote:
> Alberto Lopes wrote:
> >
> > From what I understood from the LDAPUserFolder code, it delegates the
> > SSL negotiation to the python-ldap library.
>
> And further down the delegation path:
> python-ldap -> OpenLDAP lib -> OpenSSL lib
>
> > How can I pass the
> > CAcertificate to the python-ldap layer in order to have it accepting the
> > server certificate?
>
> See Demo/initialize.py in python-ldap's source distribution.
>
>
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')
>
> or
>
> ldap.set_option(ldap.OPT_X_TLS_CACERTDIR,'/etc/httpd/ssl.crt')
>
> In older versions of the OpenLDAP libs you can only set these options
> globally. Not sure about 2.4.8.
>
> I have no clue whether LDAPUserFolder makes it possible to set these
> options though.
>
> Ciao, Michael.
>
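The failure above is hostname verification that reads only the certificate's Subject CN, which a certificate naming the host solely in the Subject Alternative Name extension cannot satisfy. As an added illustration (not code from this thread, from python-ldap or from OpenLDAP), the following stand-alone Python compares a CN-only check with a SAN-first check as described in RFC 6125 (SAN consulted first, CN only when no SAN is present). The certificates are constructed dicts in the shape returned by ssl.SSLSocket.getpeercert(); the host names and the "*.example.test" wildcard are invented for the demonstration, and no network access is needed.

```python
"""Compare CN-only and SAN-first server-name verification (added example)."""
from typing import Optional


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name match. A single '*' may stand in only for
    the whole left-most label, and only when at least two labels follow."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def subject_cn(cert: dict) -> Optional[str]:
    """Return the Subject commonName, or None when the Subject carries none."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def san_dns_names(cert: dict) -> list:
    """Return the dNSName entries of the Subject Alternative Name extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def cn_only_check(cert: dict, hostname: str) -> str:
    """Legacy behaviour: the CN is the only identity consulted."""
    cn = subject_cn(cert)
    if cn is None:
        return "error: unable to get CN from peer certificate"
    return "ok" if _name_matches(cn, hostname) else "mismatch"


def san_first_check(cert: dict, hostname: str) -> str:
    """RFC 6125 behaviour: SAN dNSNames decide when present; CN only otherwise."""
    names = san_dns_names(cert)
    if names:
        return "ok" if any(_name_matches(n, hostname) for n in names) else "mismatch"
    cn = subject_cn(cert)
    if cn is None:
        return "error: certificate carries no DNS identity"
    return "ok" if _name_matches(cn, hostname) else "mismatch"


# Constructed sample certificates (getpeercert() shape), not real ones.
CERT_SAN_ONLY = {          # empty Subject, names only in SAN: the case in the thread
    "subject": (),
    "subjectAltName": (("DNS", "ldap.example.test"), ("DNS", "*.example.test")),
}
CERT_CN_ONLY = {           # older-style certificate with the host name in the CN
    "subject": ((("countryName", "XX"),), (("commonName", "ldap.example.test"),)),
}
CERT_SAN_WITH_STALE_CN = { # SAN present, so a stale CN must not be honoured
    "subject": ((("commonName", "old.example.test"),),),
    "subjectAltName": (("DNS", "ldap.example.test"),),
}


if __name__ == "__main__":
    for label, cert in (("SAN only", CERT_SAN_ONLY), ("CN only", CERT_CN_ONLY),
                        ("SAN + stale CN", CERT_SAN_WITH_STALE_CN)):
        print(f"{label:15} CN-only: {cn_only_check(cert, 'ldap.example.test'):45} "
              f"SAN-first: {san_first_check(cert, 'ldap.example.test')}")
```

The constructive way out of the reported error is either a server certificate that also carries the host name where the client looks, or a client-side TLS stack that consults the SAN, rather than relaxing certificate checking on the client.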
_______________________________________________
Python-LDAP-dev mailing list
Python-LDAP-dev@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev