From: Alberto L. <pl...@al...> - 2008-12-09 11:29:42
Dear friends,

I am using python-ldap indirectly, as a dependency for the LDAPUserFolder product for Zope. From what I understood from the LDAPUserFolder code, it delegates the SSL negotiation to the python-ldap library.

The problem is that when I try to make an LDAP connection over SSL (to a MS-AD server), I get an "invalid certificate" message. How can I pass the CA certificate to the python-ldap layer in order to have it accepting the server certificate?

I am using python-ldap in Windows, using the OpenSSL and OpenLDAP DLLs that I got from http://python-ldap.sourceforge.net/download.shtml.

Please help me.

Best regards,
Alberto
From: Michael S. <mi...@st...> - 2008-12-09 12:05:39
Alberto Lopes wrote:
> From what I understood from the LDAPUserFolder code, it delegates the
> SSL negotiation to the python-ldap library.

And further down the delegation path:
python-ldap -> OpenLDAP lib -> OpenSSL lib

> How can I pass the CAcertificate to the python-ldap layer in order to
> have it accepting the server certificate?

See Demo/initialize.py in python-ldap's source distribution.

ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')

or

ldap.set_option(ldap.OPT_X_TLS_CACERTDIR,'/etc/httpd/ssl.crt')

In older versions of the OpenLDAP libs you can only set these options globally. Not sure about 2.4.8.

I have no clue whether LDAPUserFolder makes it possible to set these options though.

Ciao, Michael.
From: Alberto L. <pl...@al...> - 2008-12-09 18:32:18
Dear Michael,

Thank you for your answer. Now, I'm working on making the zope python interpreter to be able to connect to the LDAP server (over SSL), using the example in Demo/initialize.py. However I got stuck in a different problem.

When trying to connect, I followed this sequence of commands (changing the /path/to/my/CAcert and <server>:<port> sequences):

import sys,ldap
ldap.set_option(ldap.OPT_DEBUG_LEVEL,255)
ldapmodule_trace_level = 1
ldapmodule_trace_file = sys.stderr
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/path/to/my/CAcert')
l = ldap.initialize('ldaps://<server>:<port>',trace_level=ldapmodule_trace_level,trace_file=ldapmodule_trace_file)
l.protocol_version=ldap.VERSION3
l.bind_s('','',ldap.AUTH_SIMPLE)

Here, I got the following message:

ldap.SERVER_DOWN: {'info': 'TLS: unable to get CN from peer certificate', 'desc' : "Can't contact LDAP server"}

Point is, the LDAP server certificate doesn't have the "Subject" field; instead, it uses the "Subject Alternate Name" field in the V3 Extensions.

Can anyone help me?

Best regards,
Alberto

On Tue, Dec 9, 2008 at 9:54 AM, Michael Ströder <mi...@st...> wrote:
> Alberto Lopes wrote:
> > From what I understood from the LDAPUserFolder code, it delegates the
> > SSL negotiation to the python-ldap library.
>
> And further down the delegation path:
> python-ldap -> OpenLDAP lib -> OpenSSL lib
>
> > How can I pass the CAcertificate to the python-ldap layer in order to
> > have it accepting the server certificate?
>
> See Demo/initialize.py in python-ldap's source distribution.
>
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')
>
> or
>
> ldap.set_option(ldap.OPT_X_TLS_CACERTDIR,'/etc/httpd/ssl.crt')
>
> In older versions of the OpenLDAP libs you can only set these options
> globally. Not sure about 2.4.8.
>
> I have no clue whether LDAPUserFolder makes it possible to set these
> options though.
>
> Ciao, Michael.
From: Michael S. <mi...@st...> - 2008-12-09 19:15:17
Alberto Lopes wrote:
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/path/to/my/CAcert')
> l = ldap.initialize('ldaps://<server>:<port>',trace_level=ldapmodule_trace_level,trace_file=ldapmodule_trace_file)
> l.protocol_version=ldap.VERSION3
> l.bind_s('','',ldap.AUTH_SIMPLE)
>
> Here, I got the following message:
> ldap.SERVER_DOWN: {'info': 'TLS: unable to get CN from peer
> certificate', 'desc' : "Can't contact LDAP server"}

This is rather an OpenSSL issue, maybe depending on the OpenSSL version used to build the OpenLDAP libs. I'd test that with openssl s_client first:

openssl s_client -connect <server>:<port> -CAfile /path/to/my/CAcert

> Point is, the LDAP server certificate doesn't have the "Subject" field;
> instead, it uses the "Subject Alternate Name" field in the V3 Extensions.

Well, a cert MUST have a subject DN. It might be the case that it does not have a CN attribute. IMHO it should.

Ciao, Michael.
From: Alberto L. <pl...@al...> - 2008-12-09 19:44:55
Michael,

Here is what I got after the openssl s_client -connect <server>:<port> -CAfile /path/to/my/CAcert command:

CONNECTED(00000784)
---
Certificate chain
 0 s:
   i:/DC=srf/CN=AC DN
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFjjCCBHagAwIBAgIKb11m+wAAAAACNzANBgkqhkiG9w0BAQUFADAzMRMwEQYK
CZImiZPyLGQBGRYDc3JmMRwwGgYDVQQDExNSRkIgRW50ZXJwcmlzZSBDQTAyMB4X
DTA4MTIwODEzNTUzOVoXDTA5MTIwODEzNTUzOVowADCBnzANBgkqhkiG9w0BAQEF
CERTIFICATE VOIDED FOR SECURITY REASONS
4cT9LQqwIZImw43pkJOBb4SpAWgtRFp593ydbecZ3Kp8bGq7nLm5fhTazF0tuH7j
mXj1Y2rkoucgDBDPTDRfIodpbmwiv85KdxVLjYbMwC6UZkJAnbyyZsJMnEV7gvIU
aB8SRTjVy3I2L9qs+PE6VmFEj77s9GJ/uK6sQKe5r9wMhfumB9hhvINdiAZHjDrL
BonD2E6tujKEZFK/Rpy2bB4xACM/Bo2Y9/w8ubsfaREvcA==
-----END CERTIFICATE-----
subject=
issuer=/DC=srf/CN=AC DN
---
Acceptable client certificate CA names
... LIST OF DNs deleted from screen capture for security reasons ...
---
SSL handshake has read 5964 bytes and written 318 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 180E00000D77AF6764CDEA8AD607E28BB8EF02028EBFB4F2C2C2CBEA354788FD
    Session-ID-ctx:
    Master-Key: 51434AA335DE806D5AC923D057A0A2C865B1D4FDCEB0CF6B3C7B148EA3187E0565B7559B10817BF81A93F79B1E34101E
    Key-Arg   : None
    Start Time: 1228851254
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

From the "subject=" line, one could see that the server certificate is subjectless. Do you think that's the reason why I couldn't connect via python-ldap?

Thanks,
Alberto
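Michael's suggested check and Alberto's transcript above make one point worth isolating: OpenSSL reports "Verify return code: 0 (ok)" because chain verification succeeded, yet the leaf has an empty subject, which is what a CN-based client trips over. The following is an added example, not python-ldap, OpenLDAP or either poster's code; it uses only the Python standard library and parses an s_client transcript to surface exactly that gap. The transcript it works on is constructed to mirror the shape of the one quoted above, with the certificate body and CA list replaced by placeholders.

```python
"""Parse `openssl s_client` output and explain a 'no CN' rejection.

Added example for this thread; it is not python-ldap or OpenLDAP code and
uses only the Python standard library. The transcript below is constructed
from the shape of the output quoted in the thread: certificate body and CA
list are placeholders, the DN values and session fields follow the quoted
output.
"""
import re

SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000784)
---
Certificate chain
 0 s:
   i:/DC=srf/CN=AC DN
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted in this constructed sample)
-----END CERTIFICATE-----
subject=
issuer=/DC=srf/CN=AC DN
---
Acceptable client certificate CA names
/DC=example/CN=Placeholder CA
---
SSL handshake has read 5964 bytes and written 318 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 0 (ok)
---
"""

CHAIN_SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
CHAIN_ISSUER = re.compile(r"^\s*i:(.*)$")
LEAF_SUBJECT = re.compile(r"^subject=\s*(.*)$")
LEAF_ISSUER = re.compile(r"^issuer=\s*(.*)$")
PROTOCOL = re.compile(r"^\s*Protocol\s*:\s*(\S+)")
CIPHER = re.compile(r"^\s*Cipher\s*:\s*(\S+)")
VERIFY = re.compile(r"^\s*Verify return code:\s*(\d+)\s*\((.*)\)")
# Matches a CN attribute in either the slash-separated one-line DN format shown
# in the thread ('/DC=srf/CN=AC DN') or the comma-separated form newer OpenSSL
# releases print ('DC = srf, CN = AC DN').
HAS_CN = re.compile(r"(?:^|/|,\s*)CN\s*=")


def parse_s_client(text):
    """Pull out the fields relevant to a peer identity check: the chain as
    OpenSSL saw it, the leaf subject and issuer, negotiated protocol and
    cipher, and OpenSSL's own verify result."""
    summary = {"chain": [], "subject": None, "issuer": None,
               "protocol": None, "cipher": None,
               "verify_code": None, "verify_msg": None}
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        if m := CHAIN_SUBJECT.match(line):
            issuer = None
            if idx + 1 < len(lines) and (mi := CHAIN_ISSUER.match(lines[idx + 1])):
                issuer = mi.group(1).strip()
            summary["chain"].append({"depth": int(m.group(1)),
                                     "subject": m.group(2).strip(),
                                     "issuer": issuer})
        elif m := LEAF_SUBJECT.match(line):
            summary["subject"] = m.group(1).strip()
        elif m := LEAF_ISSUER.match(line):
            summary["issuer"] = m.group(1).strip()
        elif m := PROTOCOL.match(line):
            summary["protocol"] = m.group(1)
        elif m := CIPHER.match(line):
            summary["cipher"] = m.group(1)
        elif m := VERIFY.match(line):
            summary["verify_code"] = int(m.group(1))
            summary["verify_msg"] = m.group(2).strip()
    return summary


def assess(summary):
    """Explain the gap between 'Verify return code: 0 (ok)' and a client that
    still refuses the peer: chain verification says nothing about whether the
    leaf carries a usable host identity in its subject."""
    findings = []
    if summary["verify_code"] is None:
        findings.append("no verify result found in transcript")
    elif summary["verify_code"] != 0:
        findings.append(f"chain verification failed: {summary['verify_msg']}")
    if summary["subject"] == "":
        findings.append("server certificate has an empty subject DN")
    elif summary["subject"] and not HAS_CN.search(summary["subject"]):
        findings.append("server certificate subject has no CN attribute")
    return findings


if __name__ == "__main__":
    result = parse_s_client(SAMPLE_S_CLIENT_OUTPUT)
    print(f"subject={result['subject']!r} issuer={result['issuer']!r} "
          f"{result['protocol']}/{result['cipher']} verify={result['verify_code']}")
    for finding in assess(result):
        print(" -", finding)
```

Run against a real capture, the parser gives a quick yes/no on the two things the thread turns on: did OpenSSL accept the chain with the supplied -CAfile, and does the leaf subject carry a CN at all. A cipher or protocol value from the transcript is kept in the summary so the same capture can be reviewed for other weaknesses, such as the RC4-MD5 suite negotiated above.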
From: Michael S. <mi...@st...> - 2008-12-10 14:02:10
Alberto Lopes wrote:
> subject=
> issuer=/DC=srf/CN=AC DN
> [..]
> From the "subject=" line, one could see that the server certificate is
> subjectless.

Why do you use such an invalid cert? Fix this.

> Do you think that's the reason why I couldn't connect via python-ldap?

Yes.

Ciao, Michael.
From: Michael S. <mi...@st...> - 2008-12-16 16:27:04
Alberto Lopes wrote:
> I dunno if this message was best sent directly to you or posted on the
> list; if so, please feel free to forward it.

Please post to pyt...@li... (Cc:-ed).

> Apparently the "SSL server certificate with blank subject field"
> problem doesn't end in reissuing the certificate, with a filled subject
> field.

Hmm...without seeing the certs and/or error messages I can't tell.

> In the blog post
> http://blogs.technet.com/askds/archive/2008/09/16/third-party-application-fails-using-ldap-over-ssl.aspx,
> the author quotes the RFC 3280 (Internet X.509 PKI spec), in which it is
> stated that when the SAN field is marked as critical and is used to
> express the only identity to the subject, the subject field must be empty.

Frankly, there are lots of interop issues regarding PKIX. You don't want to know all of them. So I wouldn't mark the SAN extension critical, and I would add the hostname in the CN attribute of the subject name.

> So, strictly speaking, a certificate with blank subject field can be
> conformant to the RFC. In that sense, I think that openssl is already
> conformant, since the "openssl -c" command doesn't give me an error
> message. But maybe openLDAP or python-ldap is not conformant, for giving
> me the error message I talked about in my first message.

Does it work with the OpenLDAP command-line tools? If openssl s_client just works fine and the OpenLDAP command-line tool ldapsearch does not, it would be good to raise this on the openldap-software mailing list.

python-ldap itself does not do anything special. It just passes all parameters to the OpenLDAP lib.

Ciao, Michael.
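The last exchange is really about two different host identity rules: the RFC 3280 position Alberto quotes (a critical SAN may be the certificate's only identity, leaving the subject empty) versus a client that reads the CN first and gives up when there is none, as the "TLS: unable to get CN from peer certificate" error suggests. The added example below (not python-ldap, OpenLDAP or either poster's code) implements both rules side by side over the dictionary shape Python's ssl.SSLSocket.getpeercert() returns, so the difference can be seen on constructed certificates. The certificates, the example.test hostnames and the function names are all constructed for illustration.

```python
"""Host identity matching for a TLS peer certificate.

Added example for this thread; it is not python-ldap or OpenLDAP code. It
works on the dictionary shape Python's ssl.SSLSocket.getpeercert() returns:
'subject' is a tuple of RDNs, each a tuple of (type, value) pairs, and
'subjectAltName' is a tuple of (type, value) pairs. All certificates below
are constructed samples with example.test names, not the poster's AD cert.
"""

# Constructed: empty subject, identity only in the SAN. RFC 3280 section
# 4.1.2.6 permits this when the subjectAltName extension is marked critical,
# which is the situation the blog post quoted in the thread describes.
SAN_ONLY_CERT = {
    "subject": (),
    "issuer": ((("domainComponent", "srf"),), (("commonName", "AC DN"),)),
    "subjectAltName": (("DNS", "ldap.example.test"), ("DNS", "*.ad.example.test")),
}

# Constructed: hostname in the subject CN, no SAN at all.
CN_ONLY_CERT = {
    "subject": ((("countryName", "XX"),), (("commonName", "ldap.example.test"),)),
    "issuer": ((("commonName", "Example CA"),),),
}

# Constructed: neither SAN nor CN, so no host identity can be checked.
NO_IDENTITY_CERT = {"subject": (), "issuer": ((("commonName", "Example CA"),),)}


def subject_cns(cert):
    """Every commonName value in the subject DN (zero, one or several)."""
    return [value for rdn in cert.get("subject", ()) for attr, value in rdn
            if attr == "commonName"]


def san_dns_names(cert):
    """dNSName entries of subjectAltName; IP and email entries are ignored here."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def dns_match(pattern, hostname):
    """Case-insensitive DNS comparison allowing one wildcard as the whole
    leftmost label. The wildcard never spans a dot, so '*.ad.example.test'
    matches 'dc1.ad.example.test' but neither 'a.b.ad.example.test' nor
    'ad.example.test', and '*.test' style patterns are refused."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def match_hostname(cert, hostname):
    """RFC 6125 style: when dNSName SAN entries exist they are the only
    identities considered; the subject CN is a fallback for SAN-less
    certificates only. A SAN-only certificate with an empty subject is
    therefore acceptable. Returns (ok, reason)."""
    names = san_dns_names(cert)
    if names:
        for name in names:
            if dns_match(name, hostname):
                return True, f"matched subjectAltName dNSName {name!r}"
        return False, f"{hostname!r} not in subjectAltName {names!r}"
    cns = subject_cns(cert)
    if not cns:
        return False, "certificate carries no dNSName and no subject CN"
    for cn in cns:
        if dns_match(cn, hostname):
            return True, f"matched subject CN {cn!r} (no subjectAltName present)"
    return False, f"{hostname!r} does not match subject CN {cns!r}"


def cn_first_check(cert, hostname):
    """Model of the behaviour the thread runs into: a client that must read a
    CN from the peer certificate before anything else cannot accept a
    SAN-only certificate, whatever the SAN says. The failure string is the
    one quoted in the thread. Returns (ok, reason)."""
    cns = subject_cns(cert)
    if not cns:
        return False, "TLS: unable to get CN from peer certificate"
    return dns_match(cns[-1], hostname), f"compared {hostname!r} with CN {cns[-1]!r}"


if __name__ == "__main__":
    for label, cert in (("SAN-only", SAN_ONLY_CERT), ("CN-only", CN_ONLY_CERT),
                        ("no identity", NO_IDENTITY_CERT)):
        print(label, "standards-based:", match_hostname(cert, "ldap.example.test"))
        print(label, "CN-first:       ", cn_first_check(cert, "ldap.example.test"))
```

The two functions agree on the CN-only certificate and disagree on the SAN-only one, which is the interop gap under discussion. Michael's pragmatic advice (put the hostname in the CN as well and leave the SAN non-critical) produces a certificate that both rules accept, while a certificate with neither SAN nor CN is rejected by both, as it carries no verifiable host identity.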