From: Mike L. <mi...@mo...> - 2009-05-28 19:55:44

First off, hello everyone.

I am working on some software that uses python-ldap that is trying to connect to an ldaps server. If I do this sequence

    import ldap
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/cert')
    conn = ldap.initialize('ldaps://server')
    conn.simple_bind_s('uid', 'pass')

things work fine. But if I do it like this

    import ldap
    conn = ldap.initialize('ldaps://server')
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/cert')
    conn.simple_bind_s('uid', 'pass')

then I get an error saying that it can't contact the server. I am guessing it just can't verify the server's ssl certificate and just saying it can't contact the server. But it appears that if I set the option on the ldap module it works but setting the option on the individual connection doesn't.

Is this expected behavior? Is this a restriction of the underlying openldap client libraries? Or a bug that could use some attention? I am wanting to get it so that the options are on the connections so that I could do multiple connections with different options.

Thanks for any help in advance.

mike

From: Michael S. <mi...@st...> - 2009-05-28 20:04:11

Mike Lovell wrote:
> First off, hello everyone.
> I am working on some software that uses python-ldap that is trying to
> connect to an ldaps server. If I do this sequence
>
>     import ldap
>     ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/cert')
>     conn = ldap.initialize('ldaps://server')
>     conn.simple_bind_s('uid', 'pass')
>
> things work fine. But if I do it like this
>
>     import ldap
>     conn = ldap.initialize('ldaps://server')
>     conn.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/cert')
>     conn.simple_bind_s('uid', 'pass')
>
> then I get an error saying that it can't contact the server. I am
> guessing it just can't verify the server's ssl certificate and just
> saying it can't contact the server.

I guess you're using python-ldap built against OpenLDAP 2.3 client libs.
With OpenLDAP 2.4 connection-specific TLS options should be supported.

> Is this expected behavior? Is this a restriction of the underlying
> openldap client libraries?

Yupp. Version-specific.

Ciao, Michael.

From: Mike L. <mi...@mo...> - 2009-05-28 20:22:20

Michael Ströder wrote:
> I guess you're using python-ldap built against OpenLDAP 2.3 client libs.
> With OpenLDAP 2.4 connection-specific TLS options should be supported.

I am using a machine with Ubuntu 9.04 which has the 2.4 OpenLDAP libraries. I double checked the package dependencies and did ldd on the _ldap.so file and both show it was compiled against the 2.4 libraries. I am using python-ldap 2.3.5. I don't know if a newer version is needed for this. But I am planning on several Debian Etch machines which were built against older OpenLDAP libraries so I should still plan for this behavior.

Thanks for the help.

mike

From: Michael S. <mi...@st...> - 2009-05-28 22:03:53

Mike Lovell wrote:
> Michael Ströder wrote:
>> I guess you're using python-ldap built against OpenLDAP 2.3 client libs.
>> With OpenLDAP 2.4 connection-specific TLS options should be supported.
>
> I am using a machine with Ubuntu 9.04 which has the 2.4 OpenLDAP
> libraries.

Please post the exact OpenLDAP version.

Ciao, Michael.

From: Mike L. <mi...@mo...> - 2009-06-01 16:01:53

Michael Ströder wrote:
> Mike Lovell wrote:
>> Michael Ströder wrote:
>>> I guess you're using python-ldap built against OpenLDAP 2.3 client libs.
>>> With OpenLDAP 2.4 connection-specific TLS options should be supported.
>>
>> I am using a machine with Ubuntu 9.04 which has the 2.4 OpenLDAP
>> libraries.
>
> Please post the exact OpenLDAP version.
>
> Ciao, Michael.

hopefully this is enough info for you.

    mike@thor:~/Desktop$ dpkg -l python-ldap libldap*
    ii  libldap-2.4-2  2.4.15-1ubuntu  OpenLDAP libraries
    ii  python-ldap    2.3.5-1ubuntu1  An LDAP interface module for Python
    mike@thor:~/Desktop$ ldd /usr/lib/python2.6/dist-packages/_ldap.so
        linux-vdso.so.1 => (0x00007fff5b1ff000)
        libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x00007f8252b90000)
        liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x00007f8252981000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00007f8252766000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00007f825254a000)
        libc.so.6 => /lib/libc.so.6 (0x00007f82521d8000)
        libdl.so.2 => /lib/libdl.so.2 (0x00007f8251fd3000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00007f8251dbb000)
        libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00007f8251b0e000)
        libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x00007f82518fc000)
        libz.so.1 => /lib/libz.so.1 (0x00007f82516e4000)
        libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x00007f825147d000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f8253005000)
        libgpg-error.so.0 => /lib/libgpg-error.so.0 (0x00007f8251279000)

From: Mike L. <mi...@mo...> - 2009-06-02 16:54:21

Michael Ströder wrote:
> Mike Lovell wrote:
>> Michael Ströder wrote:
>>> I guess you're using python-ldap built against OpenLDAP 2.3 client libs.
>>> With OpenLDAP 2.4 connection-specific TLS options should be supported.
>>
>> I am using a machine with Ubuntu 9.04 which has the 2.4 OpenLDAP
>> libraries.
>
> Please post the exact OpenLDAP version.
>
> Ciao, Michael.

So, I was testing this on an Ubuntu 9.04 system that was upgraded from 8.10 and has various other quirks and it was showing this problem. I just tested on a Debian Lenny system which has libldap-2.4-2 with python-ldap 2.3.5-1 and it works fine. So I am guessing it is just another one of the quirks with the system I was using.

mike
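
Added example, not part of the thread and not python-ldap's own code: a helper for the per-connection CA setup asked about in the first message, with certificate verification kept mandatory on both paths. It assumes a python-ldap build that exposes OPT_X_TLS_NEWCTX (which makes libldap apply pending per-connection TLS options) and falls back to the module-level options when that constant is missing; open_verified, RecordingLdap, _Conn and call_order are hypothetical names, and the stub is a constructed stand-in that only records call order.

```python
def open_verified(uri, ca_file, ldap_mod=None):
    """Return (conn, scope); scope says where the TLS options were applied."""
    if ldap_mod is None:
        import ldap as ldap_mod  # python-ldap, imported only when really used
    demand = ldap_mod.OPT_X_TLS_DEMAND  # refuse servers whose cert fails to verify
    if hasattr(ldap_mod, "OPT_X_TLS_NEWCTX"):
        conn = ldap_mod.initialize(uri)
        conn.set_option(ldap_mod.OPT_X_TLS_CACERTFILE, ca_file)
        conn.set_option(ldap_mod.OPT_X_TLS_REQUIRE_CERT, demand)
        # Must come last: creates a fresh TLS context from the options above.
        conn.set_option(ldap_mod.OPT_X_TLS_NEWCTX, 0)
        return conn, "connection"
    # Assumed older build: process-wide options, shared by every connection.
    ldap_mod.set_option(ldap_mod.OPT_X_TLS_CACERTFILE, ca_file)
    ldap_mod.set_option(ldap_mod.OPT_X_TLS_REQUIRE_CERT, demand)
    return ldap_mod.initialize(uri), "global"


class RecordingLdap:
    """Constructed stand-in for the ldap module: records calls, no network."""
    OPT_X_TLS_CACERTFILE = "CACERTFILE"
    OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_DEMAND = "REQUIRE_CERT", "DEMAND"

    def __init__(self, has_newctx):
        self.calls = []
        if has_newctx:
            self.OPT_X_TLS_NEWCTX = "NEWCTX"

    def set_option(self, opt, val):
        self.calls.append(("global", opt, val))

    def initialize(self, uri):
        self.calls.append(("initialize", uri))
        return _Conn(self.calls)


class _Conn:
    def __init__(self, calls):
        self.calls = calls

    def set_option(self, opt, val):
        self.calls.append(("conn", opt, val))


def call_order(has_newctx):
    """Run the helper against the stub and return (scope, recorded calls)."""
    stub = RecordingLdap(has_newctx)
    _, scope = open_verified("ldaps://server", "/path/to/cert", ldap_mod=stub)
    return scope, stub.calls
```

With the real module, call open_verified('ldaps://server', '/path/to/cert') and then simple_bind_s on the returned connection; a "global" scope means a second connection with a different CA file would overwrite the first one's setting.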