From: Andreas B. <bue...@un...> - 2010-02-03 07:36:53
Hi,

Does anyone have an idea? Thanks in advance,
Andreas

On Friday, 8 January 2010, 09:39:40, Andreas Büsching wrote:
> I've found a strange behaviour of python-ldap when working with TLS
> encrypted connections. I'm not sure if this is a problem of the python
> bindings or of libldap or in my head ;-)
>
> In my first scenario I was trying to set up a TLS encrypted connection with
> a specific CA certificate that was set in the ldap.conf file (TLS_CACERT).
>
> >>> import ldap
> >>> l = ldap.ldapobject.SmartLDAPObject(uri='LDAP://qamaster.windom2008.univention.test:389',
> ...     who='uid=Administrator,cn=users,DC=windom2008,DC=univention,DC=test', cred='univention',
> ...     start_tls=2, tls_cacertfile='/etc/univention/ssl/ucsCA/CAcert.pem')
> >>> l.started_tls
> 0
>
> In that case the connection is not encrypted. When I replace LDAP:// with
> ldap:// in the URI the connection is encrypted.
>
> >>> l = ldap.ldapobject.SmartLDAPObject(uri='ldap://qamaster.windom2008.univention.test:389',
> ...     who='uid=Administrator,cn=users,DC=windom2008,DC=univention,DC=test', cred='univention',
> ...     start_tls=2, tls_cacertfile='/etc/univention/ssl/ucsCA/CAcert.pem')
> >>> l.started_tls
> 1
>
> It looks like a TLS connection is not set up if the URI starts with LDAP://.
>
> In the second scenario I've tried to set up a TLS encrypted connection with
> a CA certificate that was not set in the ldap.conf file.
>
> >>> l = ldap.ldapobject.SmartLDAPObject(uri='ldap://win-64q6lq48z7a.windom2008.univention.test:389',
> ...     who='cn=Administrator,cn=users,DC=windom2008,DC=univention,DC=test', cred='univention',
> ...     start_tls=2, tls_cacertfile='/etc/univention/connector/ad/ad_cert_20091221_153053.pem')
> ...
> ldap.CONNECT_ERROR: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': 'Connect error'}
>
> It seems that the argument tls_cacertfile is ignored, because if I set the
> CA certificate file with the set_option function the connection works and
> is encrypted.
>
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,
>                 '/etc/univention/connector/ad/ad_cert_20091221_153053.pem')
> l = ldap.ldapobject.SmartLDAPObject(uri='ldap://win-64q6lq48z7a.windom2008.univention.test:389',
>         who='cn=Administrator,cn=users,DC=windom2008,DC=univention,DC=test', cred='univention',
>         start_tls=2)
>
> >>> l.started_tls
> 1
>
> software versions:
>
> python 2.4.6
> libldap 2.4.15
> python-ldap 2.3.5
>
> Is there any mistake in my reasoning or is this a known behaviour?
>
> best regards
> Andreas

--
Andreas Büsching
Open Source Software Engineer

Univention GmbH
Linux for your business
Mary-Somerville-Str. 1
28359 Bremen
Tel.: +49 421 22232-0
Fax: +49 421 22232-99
<bue...@un...>
http://www.univention.de

Managing Director: Peter H. Ganten
HRB 20755 Bremen District Court
Tax no.: 71-597-02876

**** Visit us at KOMCOM NORD in Hannover, 9 to 10 February 2010, Eilenriedehalle, booth H 03 ****
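The security-relevant point in the report above is the first scenario: with an upper-case `LDAP://` scheme the object came back with `started_tls == 0` and no error, so the bind (with a password) would go out in cleartext. The following is an added example, not code from the python-ldap project or from the original poster: it normalises the URI scheme case-insensitively, sets the CA file the way that worked in the report (globally via `ldap.set_option` before any TLS context exists), demands certificate verification, and refuses to bind unless TLS was actually established. The helper names (`tls_plan`, `check_ca_file`, `assert_encrypted`, `connect_with_required_tls`) are ours; `connect_with_required_tls` assumes a reachable server, a valid bind DN/password and a readable CA file, and is the only part that needs python-ldap installed.

```python
"""Fail-closed StartTLS setup around python-ldap.

Added example, not code from the python-ldap project or the original post.
The URI/scheme and policy helpers are pure Python so they run without
python-ldap; connect_with_required_tls() imports `ldap` only when called.
"""
import os
from urllib.parse import urlsplit


def tls_plan(uri):
    """Classify an LDAP URI by how it gets transport security.

    Returns 'ldaps' (TLS from the first byte) or 'starttls' (plain port,
    upgraded with the StartTLS extended operation); raises ValueError for
    anything else. The scheme is compared case-insensitively, so
    'LDAP://host' and 'ldap://host' get the same treatment instead of one
    of them silently ending up without StartTLS.
    """
    scheme = urlsplit(uri).scheme.lower()
    if scheme == "ldaps":
        return "ldaps"
    if scheme == "ldap":
        return "starttls"
    raise ValueError("unsupported LDAP URI scheme: %r" % scheme)


def check_ca_file(path):
    """Refuse a CA bundle path that is not a readable file.

    A wrong path otherwise only shows up as a generic 'certificate verify
    failed' at handshake time, or not at all if the option is dropped.
    """
    if not (os.path.isfile(path) and os.access(path, os.R_OK)):
        raise FileNotFoundError("CA certificate file not readable: %s" % path)
    return path


def assert_encrypted(plan, tls_established):
    """Fail closed: never bind over a connection that should be protected
    but is not. `tls_established` is what the caller actually observed
    (start_tls_s() returned without raising), not a flag derived from the
    request."""
    if plan == "ldaps":
        return True
    if plan == "starttls" and tls_established:
        return True
    raise RuntimeError("TLS required but not established (plan=%s)" % plan)


def connect_with_required_tls(uri, who, cred, cacertfile):
    """Open a python-ldap connection that is encrypted before credentials
    are sent. Hypothetical helper; assumes a reachable server and valid
    bind credentials."""
    import ldap  # python-ldap; imported lazily so the helpers above stay testable

    plan = tls_plan(uri)
    # Global options, set before the first TLS context is created; this is
    # the variant that worked in the report above.
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, check_ca_file(cacertfile))
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)

    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    tls_established = False
    if plan == "starttls":
        conn.start_tls_s()  # raises ldap.LDAPError on any TLS failure
        tls_established = True
    assert_encrypted(plan, tls_established)
    conn.simple_bind_s(who, cred)  # the password only leaves the host after TLS is up
    return conn
```

The design choice is to treat "TLS not established" as an error rather than a status flag the caller might forget to read: `start_tls_s()` raises on a failed handshake, and `assert_encrypted` turns the remaining silent case (StartTLS never attempted) into an exception before `simple_bind_s` is reached.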