|
From: <mi...@st...> - 2006-10-17 13:22:12
|
gee...@ut... wrote:
>
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/home/gvm/Temp/PYSSL/rootca.pem')
Does rootca.pem contain the cert of
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK?
Or is there also an intermediate CA?
> ldap.set_option(ldap.OPT_X_TLS_CERTFILE,
> '/home/gvm/Temp/PYSSL/endor-crt.pem')
>
> ldap.set_option(ldap.OPT_X_TLS_KEYFILE,'/home/gvm/Temp/PYSSL/endor-key.pem')
Are you sure AD is configured to allow SSL client authentication?
> lconn=ldap.initialize("ldaps://eowyn.doom.be/")
> lconn.simple_bind_s ('Adm...@do...','system')
> lconn.unbind_s()
Seems ok. But I hope you know that using the UPN instead of a bind DN
with simple_bind_s() is a proprietary feature of MS AD.
Ciao, Michael.
|
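Michael's first question above (does rootca.pem hold the certificate of CN=CAS_SK, or is there an intermediate in between?) is a chain-building check that can be made mechanically, without any TLS handshake. The following is an added example, not code from this thread or from python-ldap. It reads subject and issuer out of DER with a minimal ASN.1 walker written here for the purpose (the function names are the editor's, not an API of any library) and reports whether a PEM bundle contains a certificate whose subject equals the leaf's issuer, which is the lookup OpenSSL starts from when -CAfile or OPT_X_TLS_CACERTFILE is given. The leaf it parses is the real server certificate Geert pastes from openssl s_client further down in this thread; the actual rootca.pem is not on the page, so the demonstration uses the leaf itself as the bundle, which shows the negative case (a certificate that is not self-signed is never its own issuer). Multi-valued RDNs and string types other than Printable/IA5/UTF8String are assumed not to occur.

```python
"""Does rootca.pem actually contain the issuer of the server certificate?
The by-name lookup OpenSSL (and so python-ldap's OPT_X_TLS_CACERTFILE) starts
chain building with: the leaf's issuer DN must equal the subject DN of some
certificate in the CA file. Standard library only; the DER walker decodes
just enough X.509 to read the subject and issuer Names."""
import base64
import re

# Attribute-type OIDs for the DN components that occur in this thread.
_ATTR = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress",
}

# The server certificate exactly as pasted from openssl s_client in this
# thread (issued by CN=CAS_SK to CN=eowyn.doom.be). Not a constructed value.
SERVER_CERT_PEM = b"""-----BEGIN CERTIFICATE-----
MIICjDCCAfWgAwIBAgIBHDANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJCRTEU
MBIGA1UEBxMLSG9vZ3N0cmF0ZW4xEDAOBgNVBAoTB0NBVHJ1c3QxDDAKBgNVBAsT
A1BLSTEPMA0GA1UEAwwGQ0FTX1NLMB4XDTA2MTAxNzEwNDk1NVoXDTA3MTAxNzEw
NDk1NVowWzELMAkGA1UEBhMCQkUxFDASBgNVBAcTC0hvb2dzdHJhdGVuMRAwDgYD
VQQKEwdDQVRydXN0MQwwCgYDVQQLEwNQS0kxFjAUBgNVBAMTDWVvd3luLmRvb20u
YmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL6pGS7FO76CcZuDBOtwso5+
H1Sr/9hfDy2Cymp0gLixW1Fga5xdsO+hiV255NDiI2jQHvjP/FloThEp5UzJVwTY
lvT50APyGl1f2g/Akv8eqvK12TyOAtGwuj8SXzayyEzsWtzlN2NFnlWEKJc0qh6Q
l2UmDo/ggGxJBxxlfBkNAgMBAAGjZzBlMB8GA1UdIwQYMBaAFDhp/FYUPtJVxyCc
64ksf3y38HKIMB0GA1UdDgQWBBQ/g+qO3W1SDxsEJu86QgEzTrZAVDAOBgNVHQ8B
Af8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADgYEA
ASmsG3ltOTkUJWv5zlTSZ69sr9hSjOeSC+wqiKFI0fqmbbcMkiDdxp+olwZwE3LM
RGwg9KXU4MZjQsMbDPoySPqDvHh4LlDOeMx8SVqvfQxQa/SnOYIGtONl3CosVe81
P19ynZeq4z+QzubR4F1Is3dqYqL9zYi0k4z2F0pXixA=
-----END CERTIFICATE-----
"""

_PEM = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val


def _oid(body):
    """Decode an OBJECT IDENTIFIER body to dotted form."""
    arcs, acc = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def _name(body):
    """Render a Name (SEQUENCE OF SET OF AttributeTypeAndValue) the way openssl
    prints it, e.g. /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK.
    Assumes single-valued RDNs (true for every DN in this thread)."""
    parts = []
    for _, rdn in _children(body):         # each RDN is a SET
        for _, atv in _children(rdn):      # each AttributeTypeAndValue is a SEQUENCE
            (_, oid), (_, val) = list(_children(atv))
            # PrintableString/IA5String/UTF8String all decode as UTF-8 here
            parts.append(f"{_ATTR.get(_oid(oid), _oid(oid))}={val.decode('utf-8', 'replace')}")
    return "/" + "/".join(parts)


def pem_to_ders(pem):
    """Return the DER bytes of every certificate in a PEM bundle."""
    return [base64.b64decode(b"".join(m.split())) for m in _PEM.findall(pem)]


def subject_and_issuer(der):
    """Return (subject, issuer) DN strings of a DER-encoded certificate."""
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _tlv(cert, 0)
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return _name(fields[4][1]), _name(fields[2][1])


def is_self_signed(der):
    """True when subject == issuer, i.e. a root rather than an intermediate or leaf."""
    subject, issuer = subject_and_issuer(der)
    return subject == issuer


def find_issuer(leaf_der, bundle_pem):
    """Subject DN of the bundle certificate whose subject equals the leaf's
    issuer, or None. None means -CAfile/OPT_X_TLS_CACERTFILE cannot even start
    the chain: the signer (root or intermediate) is missing from the file.
    A name match is only the first step; OpenSSL then checks the signature."""
    _, issuer = subject_and_issuer(leaf_der)
    for der in pem_to_ders(bundle_pem):
        subject, _ = subject_and_issuer(der)
        if subject == issuer:
            return subject
    return None


if __name__ == "__main__":
    leaf = pem_to_ders(SERVER_CERT_PEM)[0]
    print("subject:", subject_and_issuer(leaf)[0])
    print("issuer: ", subject_and_issuer(leaf)[1])
    # The leaf as its own "CA file" shows the failing case: it is not
    # self-signed, so nothing in that bundle can be its issuer.
    print("issuer in bundle:", find_issuer(leaf, SERVER_CERT_PEM))
```

Point it at a real bundle with find_issuer(leaf, open("rootca.pem", "rb").read()): None means the file cannot anchor the chain at all, which is the "missing intermediate" situation Michael asks about; a match is necessary but not sufficient, since OpenSSL goes on to verify the signature and validity period.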
|
From: <gee...@ut...> - 2006-10-17 13:38:40
|
Hi,
- rootca.pem contains the self-signed root certificate
(/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK)
- I'm not 100% sure if the AD allows client authentication (didn't find a
place where to configure it....) but I made a small test app based on the platform sdk
and I had to import a client key first into windows... When I didn't do that, I also
got the server down error. So I supposed that client authentication was
required...
thanks and regards,
Geert
PS My test environment:
SuSE 10.1
python: 2.4.2-18
python-ldap: 2.0.11-14
Michael Ströder <mi...@st...>
10/17/2006 03:21 PM
To: gee...@ut...
cc: pyt...@li...
Subject: Re: SSL and AD
|
|
From: <gee...@ut...> - 2006-10-17 16:02:24
|
Hi All,
Strange things are happening: It sometimes works. I can sometimes make an
ssl connection with client authentication,
search for some entries...
What could be the reason? Some network timeout issues?
Regards,
Geert
|
|
From: <mi...@st...> - 2006-10-17 16:18:55
|
gee...@ut... wrote:
>
> Strange things are happening: It sometimes works.
Hmm, this kind of error we all like most... ;-)
> I can sometimes make an
> ssl connection with client authentication,
> search for some entries...
Could you please verify that your connection always works on
command-line without python-ldap?
openssl s_client ...
Ciao, Michael.
|
|
From: <gee...@ut...> - 2006-10-17 16:38:14
|
Hi Michael,
Here is the result with openssl. It also "sometimes" works...
gvm@endor:~/Temp/PYSSL> openssl s_client -connect 192.168.1.5:636 -CAfile
/home/gvm/Temp/PYSSL/rootca.pem -cert /home/gvm/Temp/PYSSL/endor-crt.pem
-key /home/gvm/Temp/PYSSL/endor-key.pem
CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
15313:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
gvm@endor:~/Temp/PYSSL> openssl s_client -connect 192.168.1.5:636 -CAfile
/home/gvm/Temp/PYSSL/rootca.pem -cert /home/gvm/Temp/PYSSL/endor-crt.pem
-key /home/gvm/Temp/PYSSL/endor-key.pem
CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
15318:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
gvm@endor:~/Temp/PYSSL> openssl s_client -connect 192.168.1.5:636 -CAfile
/home/gvm/Temp/PYSSL/rootca.pem -cert /home/gvm/Temp/PYSSL/endor-crt.pem
-key /home/gvm/Temp/PYSSL/endor-key.pem
CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
---
Certificate chain
0 s:/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
i:/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICjDCCAfWgAwIBAgIBHDANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJCRTEU
MBIGA1UEBxMLSG9vZ3N0cmF0ZW4xEDAOBgNVBAoTB0NBVHJ1c3QxDDAKBgNVBAsT
A1BLSTEPMA0GA1UEAwwGQ0FTX1NLMB4XDTA2MTAxNzEwNDk1NVoXDTA3MTAxNzEw
NDk1NVowWzELMAkGA1UEBhMCQkUxFDASBgNVBAcTC0hvb2dzdHJhdGVuMRAwDgYD
VQQKEwdDQVRydXN0MQwwCgYDVQQLEwNQS0kxFjAUBgNVBAMTDWVvd3luLmRvb20u
YmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL6pGS7FO76CcZuDBOtwso5+
H1Sr/9hfDy2Cymp0gLixW1Fga5xdsO+hiV255NDiI2jQHvjP/FloThEp5UzJVwTY
lvT50APyGl1f2g/Akv8eqvK12TyOAtGwuj8SXzayyEzsWtzlN2NFnlWEKJc0qh6Q
l2UmDo/ggGxJBxxlfBkNAgMBAAGjZzBlMB8GA1UdIwQYMBaAFDhp/FYUPtJVxyCc
64ksf3y38HKIMB0GA1UdDgQWBBQ/g+qO3W1SDxsEJu86QgEzTrZAVDAOBgNVHQ8B
Af8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADgYEA
ASmsG3ltOTkUJWv5zlTSZ69sr9hSjOeSC+wqiKFI0fqmbbcMkiDdxp+olwZwE3LM
RGwg9KXU4MZjQsMbDPoySPqDvHh4LlDOeMx8SVqvfQxQa/SnOYIGtONl3CosVe81
P19ynZeq4z+QzubR4F1Is3dqYqL9zYi0k4z2F0pXixA=
-----END CERTIFICATE-----
subject=/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
issuer=/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
---
Acceptable client certificate CA names
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=p...@th...
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/emailAddress=p...@th...
/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/emailAddress=p...@th...
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=EOWYN CA
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root
---
SSL handshake has read 3261 bytes and written 1781 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 830A000079AD969762D5CA1CC27D874EADB5777B7F9AF5A191900602703F0F9B
Session-ID-ctx:
Master-Key: 2D17CCBF98E9610A5043C5348A5551717846756EFAE04734239A1DBA6D044788D3A34E7074E108CD12D1364586B2405E
Key-Arg : None
Start Time: 1161103751
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=0
gvm@endor:~/Temp/PYSSL>
Thanks,
Geert
|
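Before blaming python-ldap, a reader of the openssl s_client output above wants two things from it: how often the handshake actually fails across repeated runs, and whether the server requests a client certificate at all, which is Michael's earlier question. s_client prints the "Acceptable client certificate CA names" block only after the server has sent a CertificateRequest (and "No client certificate CA names sent" when it has not), so the presence of that block, with CN=CAS_SK in it, is the answer. The following is an added example, not code from the thread or from python-ldap or OpenSSL; it classifies a transcript of several s_client invocations of the kind pasted above. The transcript embedded in it is constructed: an abridged rendering of Geert's three runs (two handshake failures, one completed session) with the server certificate and most of the CA list cut, and the function names are the editor's own.

```python
"""Classify repeated `openssl s_client` runs: did each handshake complete, what
was negotiated, and did the server ask for a client certificate?"""
import re

# Constructed sample: an abridged rendering of the three runs in this thread
# (two die with an SSL23_WRITE handshake failure, the third completes).
SAMPLE_TRANSCRIPT = """\
CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
15313:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
15318:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
---
Certificate chain
 0 s:/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
   i:/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
---
Acceptable client certificate CA names
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=EOWYN CA
---
SSL handshake has read 3261 bytes and written 1781 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 0 (ok)
---
read:errno=0
"""

# pid:error:<code>:SSL routines:<function>:<reason>:<file>:<line>:
_ERR = re.compile(r"^\d+:error:([0-9A-F]+):SSL routines:(\S+):(.+?):", re.M)
_CA_HEADER = "Acceptable client certificate CA names"


def split_attempts(transcript):
    """One chunk per s_client invocation; every run begins with CONNECTED(...)."""
    chunks = re.split(r"^(?=CONNECTED\()", transcript, flags=re.M)
    return [c for c in chunks if c.startswith("CONNECTED(")]


def parse_attempt(chunk):
    """Extract outcome, negotiated parameters and the CertificateRequest CA list."""
    info = {"status": "unknown", "error": None, "protocol": None, "cipher": None,
            "server_chain": [], "client_cert_requested": None, "acceptable_cas": []}
    # Server chain as reported by the verify callback, highest depth first.
    info["server_chain"] = re.findall(r"^depth=\d+ (\S.*)$", chunk, re.M)
    err = _ERR.search(chunk)
    if err:
        info["error"] = f"{err.group(1)} {err.group(2)}: {err.group(3)}"
        info["status"] = "handshake_failure" if "handshake failure" in err.group(3) else "error"
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", chunk, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", chunk, re.M)
    info["protocol"] = proto.group(1) if proto else None
    info["cipher"] = cipher.group(1) if cipher else None
    lines = chunk.splitlines()
    if _CA_HEADER in lines:
        # Printed only when the server sent a CertificateRequest; the names are
        # the issuers it is willing to accept a client certificate from.
        info["client_cert_requested"] = True
        for line in lines[lines.index(_CA_HEADER) + 1:]:
            if line.startswith("---"):
                break
            info["acceptable_cas"].append(line.strip())
    elif "No client certificate CA names sent" in lines:
        info["client_cert_requested"] = False
    verify = re.search(r"Verify return code: (\d+) \((.+?)\)", chunk)
    if verify and not err:
        code, text = verify.group(1), verify.group(2)
        info["status"] = "ok" if code == "0" else f"verify_error:{code} {text}"
    return info


def issuer_accepted(attempt, client_issuer_dn):
    """Would the server accept a client cert issued by this DN? True/False for
    runs that reached the CertificateRequest, None for runs that died earlier."""
    if not attempt["client_cert_requested"]:
        return None
    return client_issuer_dn in attempt["acceptable_cas"]


def summarize(transcript):
    """Failure count plus the client-auth facts from the first run that got far enough."""
    attempts = [parse_attempt(c) for c in split_attempts(transcript)]
    reached = [a for a in attempts if a["client_cert_requested"] is not None]
    return {
        "attempts": len(attempts),
        "failures": sum(a["status"] != "ok" for a in attempts),
        "client_cert_requested": reached[0]["client_cert_requested"] if reached else None,
        "acceptable_cas": reached[0]["acceptable_cas"] if reached else [],
        "protocol": next((a["protocol"] for a in attempts if a["protocol"]), None),
        "cipher": next((a["cipher"] for a in attempts if a["cipher"]), None),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_TRANSCRIPT))
```

Feed it the concatenated stdout+stderr of a loop of real s_client runs (for i in $(seq 20); do openssl s_client ... < /dev/null; done 2>&1) to get a failure rate instead of three anecdotes; if client_cert_requested comes back False, the client certificate options are never consulted and the failure lies elsewhere.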
|
From: <mi...@st...> - 2006-10-17 17:35:58
|
gee...@ut... wrote:
>
> Here is the result with openssl. It also "sometimes" works...
So this is not related to python-ldap at all...
Ciao, Michael.
|
|
From: <gee...@ut...> - 2006-10-18 08:45:31
|
Hello,
Is it possible to enforce the sslv2 protocol to be used in the ssl
connection?
(In this case it also works with openssl....)
Regards,
Geert
|
|
From: <mi...@st...> - 2006-10-18 09:41:20
|
gee...@ut... wrote:
>
> Is it possible to enforce the sslv2 protocol to be used in the ssl
> connection?
> (In this case it also works with openssl....)
These fairly new TLS options of the OpenLDAP API are not supported in
python-ldap yet. But for security reasons you really should avoid using
SSLv2! You definitely don't want it! It's deprecated for good reasons.
Maybe ask your colleagues why. ;-)
Ciao, Michael.
|