Re: How to verify server certificate

Tue, 04 Aug 2009 09:21:52 -0700 

Michael Ströder schrieb:
> Fredrik Melander wrote:
>> Short question: when negotiating TLS with the LDAP server with
>> start_tls_s(), can I use python-ldap to follow the certificate chain and
>>   verify the server certificate? If so, how?
> 
> The OpenLDAP libs are doing that for you (with the help of an underlying lib
> like OpenSSL, GnuTLS or NSS). Same for CRL checking available in recent
> versions of OpenLDAP libs.
> 
> For the most common case with OpenLDAP C libs linked to OpenSSL libs see
> script Demo/initialize.py:
> 
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')
> 
> Ciao, Michael.
> 


Hi, Michael
Thanks for the very fast reply!

I've been playing around with a certificate that should be broken
without having my script complain the least. I would have expected
python-ldap to throw an exception or similar but for the time being it
seems to be pretending that everything's alright.

Here's my connect-method in the class that's using ldap:


def get_connection(self, connection_string):
        "Connect to ldap and return the handle"
        
        conn = ldap.initialize(connection_string)
        conn.protocol_version = ldap.VERSION3
        conn.set_option(ldap.OPT_REFERRALS, 0)
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, 
"etc/openldap/ssl/cacert.pem")
        conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)

        conn.start_tls_s()
        conn.simple_bind_s(self.ldap_user, self.ldap_password)
        return conn

What is it that I'm misunderstanding here?

Best regards,
Fredrik

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Python-LDAP-dev mailing list
Python-LDAP-dev@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev

Reply via email to