python-ldap-dev

ldaps and Active Directory

[Patrick A. T. <ptr...@sw...>]

I am pulling my hair out trying to connect via ldaps to one of our AD 
controllers.

Everything works just fine with ldap:389, but as soon as I try to use 
ldaps:636, I get this:

ldap.SERVER_DOWN: {'info': '(unknown error code)', 'desc': "Can't 
contact LDAP server"}

My code is exactly as in "Demo/initialize.py":

import sys
import ldap
ldap.set_option(ldap.OPT_REFERRALS, 0)
ldap.set_option(ldap.OPT_DEBUG_LEVEL,0)
ldapmodule_trace_level = 1
ldapmodule_trace_file = sys.stderr
host = "ldaps://ad_host:636"
con = 
ldap.initialize(host,trace_level=ldapmodule_trace_level,trace_file=ldapmodule_trace_file)
con.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
con.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_DEMAND)
con.set_option(ldap.OPT_X_TLS_CACERTFILE, 'path/to/cert.crt')
con.set_option(ldap.OPT_DEBUG_LEVEL, 255)
con.bind_s(full_dn, pass)

#openssl s_client -CAfile path/to/cert.crt -connect ad_host:636 returns 
a successful connection and I am also able to connect with other ldap 
clients (jxplorer) with SSL and the same CA cert.

What am I missing?

Thank you,
Patrick

Re: ldaps and Active Directory

[Michael S. <mi...@st...>]

Patrick A. Treptau wrote:
> I am pulling my hair out trying to connect via ldaps to one of our AD 
> controllers.
> 
> host = "ldaps://ad_host:636"

You should always use the fully-qualified which is in the CN of the server
certificate's subject DN.

> #openssl s_client -CAfile path/to/cert.crt -connect ad_host:636 returns 
> a successful connection

With -verify?

Ciao, Michael.

Re: ldaps and Active Directory

[Josh <jo...@ro...>]

> Patrick A. Treptau wrote:
> > I am pulling my hair out trying to connect via ldaps to one of our AD 
> > controllers.
> > 
> > host = "ldaps://ad_host:636"
> 
> You should always use the fully-qualified which is in the CN of the server
> certificate's subject DN.

Patrick isn't the only one running into the issue by the way, I see if appearing 
for me as well. Windows 2008 server, getting ldap.SERVER_DOWN: {'info': 
'(unknown error code)', 'desc': "Can't contact LDAP server"} When I try to 
connect with ldaps:// to our host using it's FQDN.

Re: ldaps and Active Directory

[Michael S. <mi...@st...>]

Josh wrote:
>> Patrick A. Treptau wrote:
>>> I am pulling my hair out trying to connect via ldaps to one of our AD 
>>> controllers.
>>>
>>> host = "ldaps://ad_host:636"
>>
>> You should always use the fully-qualified which is in the CN of the server
>> certificate's subject DN.
> 
> Patrick isn't the only one running into the issue by the way, I see if appearing 
> for me as well. Windows 2008 server, getting ldap.SERVER_DOWN: {'info': 
> '(unknown error code)', 'desc': "Can't contact LDAP server"} When I try to 
> connect with ldaps:// to our host using it's FQDN.

As said try to debug with

openssl s_client -connect ad_host:636 -verify

(use -CApath or -CAfile options)

preferrably using the OpenSSL command-line tool linked to the same libs like
python-ldap.

Ciao, Michael.