From: Mike O. <slu...@gm...> - 2006-06-20 22:41:03

Hi. I have a Python application that uses LDAP to authenticate users. Today our organization moved the server to one that uses LDAP-SSL, and I can't connect to it. I couldn't find anything about SSL in the python-ldap or openldap documentation, but a Google search found this letter from 2003: http://marc2.theaimsgroup.com/?l=python-ldap-dev&m=105298124425061&w=1

David Casti wrote:
> > import ldap
> > l = ldap.initialize( 'ldaps://target:636' )
> > [..]
> > ldap.SERVER_DOWN: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
>
> The message is pretty clear. The server's certificate cannot be verified.
>
> > ldap.set_option( ldap.OPT_X_TLS_CACERTFILE, '/path/ca.crt' )
>
> This is the right thing to do.
>
> Can you please try something like
>
> openssl s_client -connect target:636 -CAfile /path/ca.crt
>
> and carefully examine its output?

But I don't have a certificate to authenticate against. Mozilla Thunderbird works fine without it.

"openssl s_client -connect target:636" ends with:

"Verify return code: 19 (self signed certificate in certificate chain)"

This is not surprising; our organization always uses self-signed certificates.

The ldapsearch program refuses to run, saying:

TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Is there an option for "just accept the certificate anyway"? Is there a list of LDAP options anywhere? I couldn't find one. Is there a HOWTO anywhere for using python-ldap with SSL? I only discovered ldaps: by guessing maybe it works like https:.

-- 
Mike Orr <slu...@gm...>
From: <mi...@st...> - 2006-06-20 23:05:57

Mike Orr wrote:
>
> I couldn't find anything about SSL in the python-ldap or openldap documentation, but a Google search found this letter from 2003:
> http://marc2.theaimsgroup.com/?l=python-ldap-dev&m=105298124425061&w=1
> [..]
> But I don't have a certificate to authenticate against. Mozilla Thunderbird works fine without it

Are you sure that you never imported the appropriate CA certificate into the Mozilla cert store? Or do you hit "Accept forever" on each unknown issuer? Bad idea!

> "openssl s_client -connect target:636" ends with:
> "Verify return code: 19 (self signed certificate in certificate chain)"
>
> This is not surprising; our organization always uses self-signed certificates.

You have to install the CA certificate which issued the SSL server certificate as a trusted root certificate into each piece of software using it.

If you're using self-signed server certificates I can only comment that you SHOULD NOT do this.

> ldap_bind: Can't contact LDAP server (-1)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Is there an option for "just accept the certificate anyway"?

Nope. That's by design of the OpenLDAP API.

You can define the server certificate as CA certificate though. But again, this undermines security measures of SSL/TLS.

> Is there a list of LDAP options anywhere?

Why didn't you follow the advice in the e-mail you cited above:

ldap.set_option( ldap.OPT_X_TLS_CACERTFILE , ..)

> Is there a HOWTO anywhere for using python-ldap with SSL?

See demo script Demo/initialize.py in python-ldap's source distribution.

Ciao, Michael.
From: Mike O. <slu...@gm...> - 2006-06-20 23:38:39

On 6/20/06, Michael Ströder <mi...@st...> wrote:
> Mike Orr wrote:
> >
> > I couldn't find anything about SSL in the python-ldap or openldap documentation, but a Google search found this letter from 2003:
> > http://marc2.theaimsgroup.com/?l=python-ldap-dev&m=105298124425061&w=1
> > [..]
> > But I don't have a certificate to authenticate against. Mozilla Thunderbird works fine without it
>
> Are you sure that you never imported the appropriate CA certificate into the Mozilla cert store? Or do you hit "Accept forever" on each unknown issuer? Bad idea!

Oh that's right, Mozilla did pop up an "Unknown certificate" dialog.

> > "openssl s_client -connect target:636" ends with:
> > "Verify return code: 19 (self signed certificate in certificate chain)"
> >
> > This is not surprising; our organization always uses self-signed certificates.
>
> You have to install the CA certificate which issued the SSL server certificate as a trusted root certificate into each piece of software using it.
>
> If you're using self-signed server certificates I can only comment that you SHOULD NOT do this.

I have no control over the server. And some organizations with tight budgets balk at paying $100 per year per domain to a company like Thawte that essentially does nothing.

> > ldap_bind: Can't contact LDAP server (-1)
> > additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >
> > Is there an option for "just accept the certificate anyway"?
>
> Nope. That's by design of the OpenLDAP API.
>
> You can define the server certificate as CA certificate though. But again, this undermines security measures of SSL/TLS.
>
> > Is there a list of LDAP options anywhere?
>
> Why didn't you follow the advice in the e-mail you cited above:
>
> ldap.set_option( ldap.OPT_X_TLS_CACERTFILE , ..)

Because I don't have a certificate file to point it to.

I'm checking with the LDAP admins to see if they'll give us the certificate file. If not, I don't know what else to do.

-- 
Mike Orr <slu...@gm...>
From: <mi...@st...> - 2006-06-20 23:46:58

Mike Orr wrote:
> On 6/20/06, Michael Ströder <mi...@st...> wrote:
>
>> If you're using self-signed server certificates I can only comment that you SHOULD NOT do this.
>
> I have no control over the server. And some organizations with tight budgets balk at paying $100 per year per domain to a company like Thawte that essentially does nothing.

Hint: You can run your own CA. Or there's also cacert.org.

>> > ldap_bind: Can't contact LDAP server (-1)
>> > additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>> >
>> > Is there an option for "just accept the certificate anyway"?
>>
>> Nope. That's by design of the OpenLDAP API.
>>
>> You can define the server certificate as CA certificate though. But again, this undermines security measures of SSL/TLS.
>>
>> > Is there a list of LDAP options anywhere?
>>
>> Why didn't you follow the advice in the e-mail you cited above:
>>
>> ldap.set_option( ldap.OPT_X_TLS_CACERTFILE , ..)
>
> Because I don't have a certificate file to point it to.

As I wrote above you can point to the server certificate file.

> I'm checking with the LDAP admins to see if they'll give us the certificate file. If not, I don't know what else to do.

Simply grab it with openssl s_client.

Ciao, Michael.
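The procedure the thread converges on, worked through end to end as an added example (this is not code from the thread, nor python-ldap's Demo/initialize.py): fetch the chain the server presents with `openssl s_client -showcerts`, keep the topmost certificate (the private CA's self-signed root, or the server certificate itself if that is what is self-signed), record its SHA-256 fingerprint so it can be confirmed with the LDAP admins out of band, save it to a file, and hand that file to `ldap.OPT_X_TLS_CACERTFILE`. It assumes the `openssl` binary is on PATH and that python-ldap is installed for the final connection; `OPT_X_TLS_REQUIRE_CERT` / `OPT_X_TLS_DEMAND` are real python-ldap constants not mentioned in the thread. The host name, DNs and PEM bodies in `SAMPLE_SHOWCERTS` are constructed placeholders, not real certificates.

```python
"""Bootstrap trust in an LDAPS server that uses a private (self-signed) CA.

Added example, not from the thread or from python-ldap's Demo/initialize.py.
Assumes: the `openssl` CLI is on PATH for fetch_chain(), and python-ldap is
installed for ldaps_connect(). The chain parsing and fingerprint helpers use
only the standard library. Host names, DNs and PEM bodies are constructed.
"""
import hashlib
import re
import ssl
import subprocess

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)

# Constructed stand-in for `openssl s_client -connect host:636 -showcerts`
# output; the base64 bodies are placeholders ("leaf", "constructed"), not
# real certificates, so the parsing below can be exercised offline.
SAMPLE_SHOWCERTS = """\
CONNECTED(00000003)
depth=1 O = Example Org, CN = Example Org Private CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = ldap.example.org
   i:O = Example Org, CN = Example Org Private CA
-----BEGIN CERTIFICATE-----
bGVhZg==
-----END CERTIFICATE-----
 1 s:O = Example Org, CN = Example Org Private CA
   i:O = Example Org, CN = Example Org Private CA
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQ=
-----END CERTIFICATE-----
---
Verify return code: 19 (self signed certificate in certificate chain)
"""


def fetch_chain(host, port=636):
    """Run `openssl s_client -showcerts` and return its stdout.
    stdin is closed so s_client exits instead of waiting for input."""
    result = subprocess.run(
        ["openssl", "s_client", "-connect", "%s:%d" % (host, port), "-showcerts"],
        input="", capture_output=True, text=True, check=False,
    )
    return result.stdout


def pem_blocks(showcerts_output):
    """Every PEM certificate in s_client output, in the order sent (leaf first)."""
    return [m.group(0) + "\n" for m in PEM_BLOCK.finditer(showcerts_output)]


def trust_anchor(showcerts_output):
    """Pick the certificate to hand to OPT_X_TLS_CACERTFILE.

    The last certificate in the chain is the topmost one the server presented:
    the self-signed root of a private CA, or the server certificate itself
    when that is self-signed. Trusting exactly that one certificate is far
    narrower than an "accept anything" switch would be.
    """
    blocks = pem_blocks(showcerts_output)
    if not blocks:
        raise ValueError("no certificate found in s_client output")
    return blocks[-1]


def pem_to_der(pem):
    """PEM text -> DER bytes (base64 body only; no signature check here)."""
    return ssl.PEM_cert_to_DER_cert(pem)


def sha256_fingerprint(pem):
    """Colon-separated SHA-256 fingerprint, to compare out of band with the admins."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def write_ca_file(pem, path):
    with open(path, "w") as fh:
        fh.write(pem)
    return path


def ldaps_connect(uri, cafile, binddn, password):
    """Connect with python-ldap, verifying the server against the saved CA file."""
    import ldap  # imported here so the helpers above work without python-ldap

    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cafile)
    # Refuse to talk to a server whose certificate does not chain to that file.
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn = ldap.initialize(uri)
    conn.simple_bind_s(binddn, password)
    return conn


if __name__ == "__main__":
    output = fetch_chain("ldap.example.org")  # constructed host name
    anchor = trust_anchor(output)
    print("CA fingerprint (confirm with the LDAP admins):", sha256_fingerprint(anchor))
    cafile = write_ca_file(anchor, "ldap-ca.pem")
    conn = ldaps_connect("ldaps://ldap.example.org:636", cafile, "", "")  # anonymous bind
    conn.unbind_s()
```

The fingerprint step is what turns "grab it with s_client" into something safer than Thunderbird's "Accept forever": the file is only trusted once its fingerprint matches what the admins report through another channel. Setting the options globally before `ldap.initialize()` is the same pattern as Demo/initialize.py; the saved file contains a single certificate, so nothing else is trusted through it.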