From: <gee...@ut...> - 2006-10-17 13:38:40
Hi,

- rootca.pem contains the self-signed root certificate (/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK)
- I'm not 100% sure if the AD allows client authentication (didn't find a place where to configure it....) but I made a small test app based on the platform sdk and I had to import a client key first into windows... When I didn't do that, I also got the server down error. So I supposed that client authentication was required...

thanks and regards,
Geert

PS My test environment:
SuSE 10.1
python: 2.4.2-18
python-ldap: 2.0.11-14

Michael Ströder <mi...@st...>
10/17/2006 03:21 PM

To: gee...@ut...
cc: pyt...@li...
Subject: Re: SSL and AD

gee...@ut... wrote:
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/home/gvm/Temp/PYSSL/rootca.pem')

Does rootca.pem contain the cert of /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK? Or is there also an intermediate CA?

> ldap.set_option(ldap.OPT_X_TLS_CERTFILE,
> '/home/gvm/Temp/PYSSL/endor-crt.pem')
> ldap.set_option(ldap.OPT_X_TLS_KEYFILE,'/home/gvm/Temp/PYSSL/endor-key.pem')

Are you sure AD is configured to allow SSL client authentication?

> lconn=ldap.initialize("ldaps://eowyn.doom.be/")
> lconn.simple_bind_s ('Adm...@do...','system')
> lconn.unbind_s()

Seems ok. But I hope you know that using the UPN instead of a bind DN with simple_bind_s() is a proprietary feature of MS AD.

Ciao, Michael.
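Michael's first question (does rootca.pem hold the issuer of the server certificate, or is there an intermediate CA in between?) can be settled with openssl before touching client authentication at all. The script below is an added example, not code from the thread: it builds a throwaway root, a hypothetical intermediate and two server certificates for eowyn.doom.be with constructed keys, then shows that the CA file handed to OPT_X_TLS_CACERTFILE only validates the server certificate if every intermediate is either in that file or sent by the server during the handshake.

```shell
#!/bin/sh
# Added example (not from the thread). The root subject and host name are the
# ones from the thread; the intermediate CA is hypothetical and every key is
# generated locally.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed root, i.e. what Geert says rootca.pem contains.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK" \
  -keyout rootca.key -out rootca.pem 2>/dev/null

# Hypothetical intermediate CA issued by the root (needs CA:TRUE to chain).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/O=CATrust/CN=Issuing CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA rootca.pem -CAkey rootca.key -CAcreateserial \
  -days 1 -extfile ca.ext -out inter.pem 2>/dev/null

# Two server certificates for the AD host: one issued by the root directly,
# one issued by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=eowyn.doom.be" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA rootca.pem -CAkey rootca.key -CAcreateserial \
  -days 1 -out direct.pem 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 1 -out viainter.pem 2>/dev/null

# What the client can validate with the CA file alone (OPT_X_TLS_CACERTFILE).
verify_root_only() {
  openssl verify -CAfile rootca.pem "$1" >/dev/null 2>&1
}
# Same check with the intermediate supplied as an untrusted chain cert, which
# is what the server has to send in its TLS handshake for the bind to work.
verify_with_chain() {
  openssl verify -CAfile rootca.pem -untrusted inter.pem "$1" >/dev/null 2>&1
}

if verify_root_only viainter.pem; then
  echo "root alone validates viainter.pem"
else
  echo "viainter.pem needs the intermediate: rootca.pem alone is not enough"
fi
```

Against a live server the same check is `openssl s_client -connect host:636 -CAfile rootca.pem -showcerts`, which also prints the chain the server actually sends.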