python-ldap-dev

python-ldap and SSL?

[David C. <da...@ca...>]

Hello,

I have Python 2.2.2, the current version of python-ldap, openldap, and
openssl installed.

I am trying to connect over SSL to an LDAP server listening on port 636, so
I try --

import ldap
l = ldap.initialize( 'ldaps://target:636' )
l.bind_s( '', '', ldap.AUTH_SIMPLE )

-- but no matter what I do, I get the following traceback --

Traceback (most recent call last):

  File "<stdin>", line 1, in ?

  File "/usr/local/lib/python2.2/site-packages/ldap/ldapobject.py", line
429, in simple_bind

    return self.bind(who,passwd,_ldap.AUTH_SIMPLE)

  File "/usr/local/lib/python2.2/site-packages/ldap/ldapobject.py", line
147, in bind

    return self._ldap_call(self._l.bind,who,cred,method)

  File "/usr/local/lib/python2.2/site-packages/ldap/ldapobject.py", line 90,
in _ldap_call

    result = func(*args,**kwargs)

ldap.SERVER_DOWN: {'info': 'error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc':
"Can't contact LDAP server"}

-- I have tried adding --

ldap.set_option( ldap.OPT_X_TLS_CACERTFILE, '/path/ca.crt' )

-- right after 'import ldap', but it had no effect.

I read the thread on this list from April 2002 which suggested that this
should all work... any ideas?  SSL support appears to be very lightly
documented...

Thanks,
David.

Re: python-ldap and SSL?

[<mi...@st...>]

David Casti wrote:
> 
> import ldap
> l = ldap.initialize( 'ldaps://target:636' )
> [..]
> ldap.SERVER_DOWN: {'info': 'error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc':
> "Can't contact LDAP server"}

The message is pretty clear. The server's certificate cannot be verified.

> ldap.set_option( ldap.OPT_X_TLS_CACERTFILE, '/path/ca.crt' )

This is the right thing to do.

Can you please try something like

openssl s_client -connect target:636 -CAfile /path/ca.crt

and carefully examime its output?

Ciao, Michael.