Fredrik Melander wrote:
> Michael Ströder wrote:
>> Fredrik Melander wrote:
>>> Short question: when negotiating TLS with the LDAP server with
>>> start_tls_s(), can I use python-ldap to follow the certificate chain and
>>> verify the server certificate? If so, how?
>> The OpenLDAP libs are doing that for you (with the help of an underlying lib
>> like OpenSSL, GnuTLS or NSS). Same for CRL checking available in recent
>> versions of OpenLDAP libs.
>>
>> For the most common case with OpenLDAP C libs linked to OpenSSL libs see
>> script Demo/initialize.py:
>>
>> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')
>
> Thanks for the very fast reply!
>
> I've been playing around with a certificate that should be broken
> without having my script complain the least.
Why should it be broken?

> I would have expected
> python-ldap to throw an exception or similar but for the time being it
> seems to be pretending that everything's alright.

If the cert or hostname validation fails, ldap.SERVER_DOWN is raised.

> Here's my connect-method in the class that's using ldap:
>
>     def get_connection(self, connection_string):
>         "Connect to ldap and return the handle"
>
>         conn = ldap.initialize(connection_string)
>         conn.protocol_version = ldap.VERSION3
>         conn.set_option(ldap.OPT_REFERRALS, 0)
>         conn.set_option(ldap.OPT_X_TLS_CACERTFILE,
>                         "etc/openldap/ssl/cacert.pem")
>         conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
>
>         conn.start_tls_s()
>         conn.simple_bind_s(self.ldap_user, self.ldap_password)
>         return conn
>
> What is it that I'm misunderstanding here?

Well, there's a reason why in Demo/initialize.py the TLS-related options
are set globally. Only in recent versions of OpenLDAP can you set these
options per connection. And libldap might also use TLS-related
configuration in a .ldaprc or /etc/ldap.conf if available.

Ciao, Michael.

_______________________________________________
Python-LDAP-dev mailing list
Python-LDAP-dev@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
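Michael's two points above are easy to get wrong in practice: per-connection OPT_X_TLS_* options are silently ignored by older libldap, and libldap may pick up TLS_CACERT / TLS_REQCERT from ldap.conf or a ldaprc file the program never mentions. The following is an added example, not code from this thread or from python-ldap, that does two things: it parses the ldap.conf-style files libldap may consult and reports the effective certificate-verification keywords, and it connects the way Demo/initialize.py does, setting the TLS options globally before ldap.initialize() and treating ldap.SERVER_DOWN from start_tls_s() as a verification failure. Assumptions: the file search order is an approximation of what ldap.conf(5) documents (check it on your platform); OPT_X_TLS_REQUIRE_CERT is used rather than OPT_X_TLS; the sample ldap.conf content is constructed for the example.

```python
"""Diagnose which TLS settings libldap will see, then connect with verification."""
import os

# ldap.conf(5) keywords that control server certificate and CRL checking.
TLS_KEYWORDS = ("TLS_CACERT", "TLS_CACERTDIR", "TLS_REQCERT", "TLS_CRLCHECK")


def parse_ldap_conf(text):
    """Parse ldap.conf / ldaprc syntax: one 'KEYWORD value' per line, '#' comments.

    Keywords are case-insensitive and the last occurrence wins. Only the
    TLS-related keywords are returned, as {KEYWORD: value}.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        if key in TLS_KEYWORDS:
            found[key] = parts[1].strip() if len(parts) > 1 else ""
    return found


def merge_tls_settings(texts):
    """Merge parsed settings from several files; later files override earlier ones."""
    merged = {}
    for text in texts:
        merged.update(parse_ldap_conf(text))
    return merged


def candidate_conf_files(home=None, cwd=None, environ=None):
    """Files libldap may read, in roughly the order ldap.conf(5) describes.

    Assumption: this approximates libldap's search order (system file, then
    $LDAPCONF, then ldaprc/.ldaprc in $HOME, then ldaprc in the working
    directory, with $LDAPRC naming an extra basename). Later files win.
    """
    home = home or os.path.expanduser("~")
    cwd = cwd or os.getcwd()
    env = os.environ if environ is None else environ
    files = ["/etc/openldap/ldap.conf", "/etc/ldap/ldap.conf", "/etc/ldap.conf"]
    if env.get("LDAPCONF"):
        files.append(env["LDAPCONF"])
    files += [os.path.join(home, "ldaprc"), os.path.join(home, ".ldaprc")]
    if env.get("LDAPRC"):
        files += [os.path.join(home, env["LDAPRC"]),
                  os.path.join(home, "." + env["LDAPRC"])]
    files.append(os.path.join(cwd, "ldaprc"))
    if env.get("LDAPRC"):
        files.append(os.path.join(cwd, env["LDAPRC"]))
    return files


def effective_tls_settings(files):
    """Read whichever of the candidate files exist and merge their TLS keywords."""
    texts = []
    for path in files:
        try:
            with open(path) as fh:
                texts.append(fh.read())
        except OSError:
            continue  # missing or unreadable files are simply skipped by libldap too
    return merge_tls_settings(texts)


def connect_with_verified_tls(uri, cacertfile, binddn, password):
    """Start TLS with the CA file and REQUIRE_CERT=demand set globally.

    python-ldap is imported here so the file diagnostics above run without it.
    Global options must be set before ldap.initialize(): older libldap ignores
    per-connection OPT_X_TLS_* without any error (newer versions need
    OPT_X_TLS_NEWCTX after per-connection settings, which this example avoids).
    """
    import ldap

    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile)
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    try:
        conn.start_tls_s()  # certificate or hostname failure raises SERVER_DOWN
    except ldap.SERVER_DOWN as exc:
        raise RuntimeError(f"TLS verification against {uri} failed: {exc}")
    conn.simple_bind_s(binddn, password)
    return conn


# Constructed sample: a system ldap.conf that quietly disables verification.
SAMPLE_LDAP_CONF = """\
# /etc/openldap/ldap.conf (constructed for this example)
BASE   dc=example,dc=com
URI    ldap://ldap.example.com
TLS_CACERT  /etc/openldap/certs/ca.pem
tls_reqcert never
"""

if __name__ == "__main__":
    print("sample file says:", parse_ldap_conf(SAMPLE_LDAP_CONF))
    print("this host's effective settings:",
          effective_tls_settings(candidate_conf_files()))
```

Run the module once on the machine that will host the script: if the merged output shows TLS_REQCERT set to never or allow, or a TLS_CACERT you did not expect, that is the file Michael is warning about, and it explains a start_tls_s() that never complains.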