Michael Ströder schrieb: > Fredrik Melander wrote: >> Short question: when negotiating TLS with the LDAP server with >> start_tls_s(), can I use python-ldap to follow the certificate chain and >> verify the server certificate? If so, how? > > The OpenLDAP libs are doing that for you (with the help of an underlying lib > like OpenSSL, GnuTLS or NSS). Same for CRL checking available in recent > versions of OpenLDAP libs. > > For the most common case with OpenLDAP C libs linked to OpenSSL libs see > script Demo/initialize.py: > > ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem') > > Ciao, Michael. >
Hi, Michael Thanks for the very fast reply! I've been playing around with a certificate that should be broken without having my script complain the least. I would have expected python-ldap to throw an exception or similar but for the time being it seems to be pretending that everything's alright. Here's my connect-method in the class that's using ldap: def get_connection(self, connection_string): "Connect to ldap and return the handle" conn = ldap.initialize(connection_string) conn.protocol_version = ldap.VERSION3 conn.set_option(ldap.OPT_REFERRALS, 0) conn.set_option(ldap.OPT_X_TLS_CACERTFILE, "etc/openldap/ssl/cacert.pem") conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND) conn.start_tls_s() conn.simple_bind_s(self.ldap_user, self.ldap_password) return conn What is it that I'm misunderstanding here? Best regards, Fredrik
smime.p7s
Description: S/MIME Cryptographic Signature
------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________ Python-LDAP-dev mailing list Python-LDAP-dev@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/python-ldap-dev