From: Andreas B. <bue...@un...> - 2010-01-08 08:58:16
Hi,

I've found a strange behaviour of python-ldap when working with TLS encrypted connections. I'm not sure if this is a problem of the python bindings or of libldap or in my head ;-)

In my first scenario I was trying to set up a TLS encrypted connection with a specific CA certificate that was set in the ldap.conf file (TLS_CACERT).

>>> import ldap
>>> l = ldap.ldapobject.SmartLDAPObject(uri='LDAP://qamaster.windom2008.univention.test:389',
...                                     who='uid=Administrator,cn=users,DC=windom2008,DC=univention,DC=test',
...                                     cred='univention', start_tls=2,
...                                     tls_cacertfile='/etc/univention/ssl/ucsCA/CAcert.pem')
>>> l.started_tls
0

In that case the connection is not encrypted. When I replace LDAP:// with ldap:// in the URI the connection is encrypted.

>>> l = ldap.ldapobject.SmartLDAPObject(uri='ldap://qamaster.windom2008.univention.test:389',
...                                     who='uid=Administrator,cn=users,DC=windom2008,DC=univention,DC=test',
...                                     cred='univention', start_tls=2,
...                                     tls_cacertfile='/etc/univention/ssl/ucsCA/CAcert.pem')
>>> l.started_tls
1

It looks like a TLS connection is not set up if the URI starts with LDAP://

In the second scenario I've tried to set up a TLS encrypted connection with a CA certificate that was not set in the ldap.conf file.

>>> l = ldap.ldapobject.SmartLDAPObject(uri='ldap://win-64q6lq48z7a.windom2008.univention.test:389',
...                                     who='cn=Administrator,cn=users,DC=windom2008,DC=univention,DC=test',
...                                     cred='univention', start_tls=2,
...                                     tls_cacertfile='/etc/univention/connector/ad/ad_cert_20091221_153053.pem')
...
ldap.CONNECT_ERROR: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': 'Connect error'}

It seems that the argument tls_cacertfile is ignored, because if I set the CA certificate file with the set_option function the connection works and is encrypted.

>>> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/univention/connector/ad/ad_cert_20091221_153053.pem')
>>> l = ldap.ldapobject.SmartLDAPObject(uri='ldap://win-64q6lq48z7a.windom2008.univention.test:389',
...                                     who='cn=Administrator,cn=users,DC=windom2008,DC=univention,DC=test',
...                                     cred='univention', start_tls=2)
>>> l.started_tls
1

Software versions:
  python 2.4.6
  libldap 2.4.15
  python-ldap 2.3.5

Is there any mistake in my reasoning or is this a known behaviour?

best regards
Andreas

--
Andreas Büsching
Open Source Software Engineer

Univention GmbH
Linux for your business
Mary-Somerville-Str.1
28359 Bremen
Tel. : +49 421 22232-0
Fax  : +49 421 22232-99
<bue...@un...>
http://www.univention.de

Geschäftsführer: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Steuer-Nr.: 71-597-02876
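The two failure modes in the post (an upper-case scheme silently leaving the connection in clear text, and a CA file that is not picked up) are both cases where the caller never checks that TLS is actually up before sending credentials. The following is an added example, not code from the post, from Univention or from python-ldap itself: a small Python 3 helper that lower-cases the URI scheme before handing it to libldap, sets the CA file per connection with conn.set_option() rather than the process-wide ldap.set_option() the post used as a workaround, and fails closed if StartTLS does not succeed. It assumes python-ldap is installed for connect_starttls(); ldap.initialize, set_option, start_tls_s, simple_bind_s and the OPT_X_TLS_* constants are python-ldap's real names, but OPT_X_TLS_NEWCTX only exists in newer builds, so it is guarded with hasattr. The host names in the test are constructed.

```python
# Added example (not from the original post and not python-ldap's own code):
# normalise the URI scheme, set the CA file per connection, and refuse to bind
# unless StartTLS actually succeeded.
from urllib.parse import urlsplit, urlunsplit


def normalize_ldap_uri(uri):
    """Return (uri_with_lowercase_scheme, needs_starttls).

    'LDAP://host:389' and 'ldap://host:389' name the same server, so the
    scheme is compared case-insensitively. Only plain ldap:// needs StartTLS;
    ldaps:// is TLS from the first byte and ldapi:// is a local Unix socket.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("not an LDAP URI: %r" % (uri,))
    normalized = urlunsplit(
        (scheme, parts.netloc, parts.path, parts.query, parts.fragment)
    )
    return normalized, scheme == "ldap"


def connect_starttls(uri, who, cred, cacertfile):
    """Open uri, enforce StartTLS with certificate verification against
    cacertfile, and only then send the bind credentials.

    Assumption: python-ldap (import ldap) is installed. The option names are
    python-ldap's; OPT_X_TLS_NEWCTX is absent from older builds, hence the
    hasattr() guard.
    """
    import ldap  # imported here so normalize_ldap_uri() works without python-ldap

    normalized, needs_starttls = normalize_ldap_uri(uri)
    conn = ldap.initialize(normalized)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    # Per-connection TLS settings instead of the process-wide ldap.set_option().
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    if hasattr(ldap, "OPT_X_TLS_NEWCTX"):
        # Ask libldap to build a fresh TLS context from the options just set;
        # otherwise the per-connection values may not be applied.
        conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    if needs_starttls:
        # Raises ldap.CONNECT_ERROR (as in the post) if the handshake or the
        # certificate check fails, so the bind below never runs in clear text.
        conn.start_tls_s()
    conn.simple_bind_s(who, cred)
    return conn
```

Because start_tls_s() raises instead of returning a flag, there is no started_tls attribute to forget to check: either the bind happens over a verified TLS session or the function never reaches it.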