From: Goucher, A. <ada...@hp...> - 2004-01-05 18:07:35

I'm trying to use python-ldap to connect to an iplanet 5.1 ldap. Connecting via ldap:// works, but the script is hanging when connecting through ldaps://. Can anyone see what I am doing wrong?

<script>
import ldap
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 5)

# build our uri
uri = "ldaps://ldap_host:6360"

# connect to the ldap server
p_handle = ldap.initialize(uri)
p_handle.protocol_version = ldap.VERSION3

# bind
p_handle.simple_bind("cn=directory manager", "*****")

# search so we know we are connected
p_search = p_handle.search("", ldap.SCOPE_BASE, "objectclass=*")
p_return = p_handle.result(p_search)
res_type, res_values = p_return
print res_values
</script>

<output>
ldap_create
ldap_url_parse_ext(ldaps://ldap_host:6360)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldap_host:6360
ldap_new_socket: 1904
ldap_prepare_socket: 1904
ldap_connect_to_host: Trying ldap_ip:6360
ldap_connect_timeout: fd: 1904 tm: -1 async: 0
ldap_ndelay_on: 1904
ldap_ndelay_off: 1904
ldap_open_defconn: successful
ldap_send_server_request
ldap_search_ext
put_filter: "objectclass=*"
put_filter: default
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ldap_result msgid 2
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList for msgid=2, all=1
ldap_int_select
</output>

I am using python 2.3.2 for windows, and the python-ldap module found at http://www.zope.org/Members/volkerw/LdapWin32.dsdfs

______________________________
Adam Goucher
Testing Group
HP OpenView Select Access
Hewlett-Packard
901 King St W.
Toronto, Ontario
M5V 3H5

Phone: +1-416-309-5208
Fax: +1-416-309-4406

From: charlie d. <cd...@si...> - 2004-01-05 18:22:14

My first guess would be to use port 636 instead of 6360 -- if that doesn't work, I'd next try leaving the port specification off entirely (start_tls should encrypt traffic on port 389 if the server is configured correctly).

good luck,
~c

Goucher, Adam wrote:
> I'm trying to use python-ldap to connect to an iplanet 5.1 ldap.
> Connecting via ldap:// works, but the script is hanging when connecting
> through ldaps://. Can anyone see what I am doing wrong?
>
> <script>
> import ldap
> ldap.set_option(ldap.OPT_DEBUG_LEVEL, 5)
>
> # build our uri
> uri = "ldaps://ldap_host:6360"
>
> # connect to the ldap server
> p_handle = ldap.initialize(uri)
> p_handle.protocol_version = ldap.VERSION3
>
> # bind
> p_handle.simple_bind("cn=directory manager", "*****")
>
> # search so we know we are connected
> p_search = p_handle.search("", ldap.SCOPE_BASE, "objectclass=*")
> p_return = p_handle.result(p_search)
> res_type, res_values = p_return
> print res_values
> </script>
>
> <output>
> ldap_create
> ldap_url_parse_ext(ldaps://ldap_host:6360)
> ldap_bind
> ldap_simple_bind
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection
> ldap_int_open_connection
> ldap_connect_to_host: TCP ldap_host:6360
> ldap_new_socket: 1904
> ldap_prepare_socket: 1904
> ldap_connect_to_host: Trying ldap_ip:6360
> ldap_connect_timeout: fd: 1904 tm: -1 async: 0
> ldap_ndelay_on: 1904
> ldap_ndelay_off: 1904
> ldap_open_defconn: successful
> ldap_send_server_request
> ldap_search_ext
> put_filter: "objectclass=*"
> put_filter: default
> put_simple_filter: "objectclass=*"
> ldap_send_initial_request
> ldap_send_server_request
> ldap_result msgid 2
> ldap_chkResponseList for msgid=2, all=1
> ldap_chkResponseList for msgid=2, all=1
> ldap_int_select
> </output>
>
> I am using python 2.3.2 for windows, and the python-ldap module found at
> http://www.zope.org/Members/volkerw/LdapWin32.dsdfs

From: Mauro C. <mci...@li...> - 2004-01-05 18:52:12

Goucher, Adam wrote:

>I'm trying to use python-ldap to connect to an iplanet 5.1 ldap.
>Connecting via ldap:// works, but the script is hanging when connecting
>through ldaps://. Can anyone see what I am doing wrong?
>
><script>
>import ldap
>ldap.set_option(ldap.OPT_DEBUG_LEVEL, 5)
>
># build our uri
>uri = "ldaps://ldap_host:6360"
>
># connect to the ldap server
>p_handle = ldap.initialize(uri)
>p_handle.protocol_version = ldap.VERSION3
>
># bind
>p_handle.simple_bind("cn=directory manager", "*****")
>
># search so we know we are connected
>p_search = p_handle.search("", ldap.SCOPE_BASE, "objectclass=*")
>

This call looks strange to me: iPlanet has always wanted a real base there (i.e., no "" as you possibly could using Active Directory, but a correct search base for your server like "dc=ldapserver, dc=acme, dc=com" or similar).
If you say it does work using plain LDAP, however, this cannot be the reason for your script hanging, still I'm amazed it does, the RFC clearly states that you must explicitly set the search base and iPlanet have always prided themselves in being standards compliant (not like that other major software vendor ;-)

>p_return = p_handle.result(p_search)
>res_type, res_values = p_return
>print res_values
></script>
>
><output>
>ldap_create
>ldap_url_parse_ext(ldaps://ldap_host:6360)
>ldap_bind
>ldap_simple_bind
>ldap_sasl_bind
>ldap_send_initial_request
>ldap_new_connection
>ldap_int_open_connection
>ldap_connect_to_host: TCP ldap_host:6360
>ldap_new_socket: 1904
>ldap_prepare_socket: 1904
>ldap_connect_to_host: Trying ldap_ip:6360
>ldap_connect_timeout: fd: 1904 tm: -1 async: 0
>ldap_ndelay_on: 1904
>ldap_ndelay_off: 1904
>ldap_open_defconn: successful
>ldap_send_server_request
>ldap_search_ext
>put_filter: "objectclass=*"
>put_filter: default
>put_simple_filter: "objectclass=*"
>ldap_send_initial_request
>ldap_send_server_request
>ldap_result msgid 2
>ldap_chkResponseList for msgid=2, all=1
>ldap_chkResponseList for msgid=2, all=1
>ldap_int_select
></output>
>
>I am using python 2.3.2 for windows, and the python-ldap module found at
>http://www.zope.org/Members/volkerw/LdapWin32.dsdfs
>

I don't know this module, however you might want to give a try to my Win32 binary of Python-LDAP, you can find it at http://www.siosistemi.it/~mcicogni/ at the beginning of the page under "Python stuff". Beware, your mileage may vary.
If this doesn't work, either, it *might* be that your server isn't configured correctly (i.e., TLS Certificates and such): do other LDAPS clients work?

Mauro

From: <mi...@st...> - 2004-01-05 21:38:58

Mauro Cicognini wrote:
> Goucher, Adam wrote:
>
>>
>> # search so we know we are connected
>> p_search = p_handle.search("", ldap.SCOPE_BASE, "objectclass=*")
>>
> This call looks strange to me: iPlanet has always wanted a real base
> there (i.e., no "" as you possibly could using Active Directory, but a
> correct search base for your server like "dc=ldapserver, dc=acme,
> dc=com" or similar).

Since the search scope is base it would grab the server's Root DSE where you can read some configuration data, e.g. attribute 'namingContexts'. This is almost a perfectly LDAPv3 compliant search request.

Well, the filter string "objectclass=*" is *not* correct according to RFC2254. Please use "(objectclass=*)" since it could cause some strange effects with buggy LDAP servers.

Side note:
Make sure you use SunONE Directory Server 5.1SP2 or newer to avoid running into other strange bugs! But that's another story... ;-)

Ciao, Michael.

From: Mauro C. <mci...@li...> - 2004-01-05 21:43:04

Michael Ströder wrote:

> Please use "(objectclass=*)" since it could cause some strange effects
> with buggy LDAP servers.

Second that! I had missed it, but definitely omitting the parentheses does cause no end of problems.
Still, if your script does work without encryption, I agree with Michael that your problem probably rests in the SSL/TLS configuration.

Mauro

From: <mi...@st...> - 2004-01-05 21:31:17

Goucher, Adam wrote:
> I'm trying to use python-ldap to connect to an iplanet 5.1 ldap.

Which version of python-ldap and which version of the OpenLDAP libs are you using?

> Connecting via ldap:// works, but the script is hanging when connecting
> through ldaps://. Can anyone see what I am doing wrong?

Just guessing since you did not mention what "is hanging" means and you did not provide a Python traceback:
You have to tell where to find the CA's certificate by calling
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,path_to_cacert_file)
or
ldap.set_option(ldap.OPT_X_TLS_CACERTDIR,path_of_cacert_dir).
See Demo/initialize.py.

> I am using python 2.3.2 for windows, and the python-ldap module found at
> http://www.zope.org/Members/volkerw/LdapWin32.dsdfs

Does this binary really have support for LDAP over SSL?

Ciao, Michael.

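The replies above leave several candidate causes open: the port (636 vs 6360), a listener that is not speaking TLS at all, and a CA certificate the client cannot verify. As an added example (not code from the thread or from python-ldap), this standard-library probe tells them apart with a bounded timeout so it reports instead of hanging; `probe_ldaps`, its result labels and the `ca.pem` path are assumptions made for the illustration.

```python
import socket
import ssl


def probe_ldaps(host, port, cafile=None, timeout=5.0):
    """Classify a TLS connection attempt to host:port.

    Returns "unreachable", "timeout", "not-tls", "untrusted-cert" or "ok".
    The function name and result labels are illustrative assumptions.
    """
    # cafile plays the role of the file named by OPT_X_TLS_CACERTFILE;
    # with cafile=None the system trust store is used instead.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"  # refused, no route, or name not resolved
    try:
        # The socket timeout also bounds the handshake, so a listener that
        # accepts TCP but never answers the ClientHello is reported here
        # rather than blocking the caller indefinitely.
        with ctx.wrap_socket(sock, server_hostname=host):
            return "ok"
    except ssl.SSLCertVerificationError:
        return "untrusted-cert"  # CA not configured, or name mismatch
    except socket.timeout:
        return "timeout"
    except (ssl.SSLError, OSError):
        return "not-tls"  # peer replied or closed without a TLS handshake
    finally:
        sock.close()


if __name__ == "__main__":
    # ldap_host is the placeholder used in the thread; ca.pem is a
    # hypothetical path to the directory server's CA certificate.
    for port in (636, 6360):
        print(port, probe_ldaps("ldap_host", port, cafile="ca.pem"))
```

A "timeout" result on a port where the TCP connect succeeded points at the listener or port choice, while "untrusted-cert" points at the CA configuration.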