Neither system has any extra CA certs trusted. The code sets the LDAP
options to disable cert verification.





----- Original Message -----
From: Michael Ströder [mailto:mich...@stroeder.com]
Sent: Monday, April 08, 2013 05:29 PM
To: Gareth Walters (2K Australia); 704...@bugs.debian.org 
<704...@bugs.debian.org>
Subject: Re: Bug#704939: python-ldap: ldaps connections fail

Is the set of trusted CA certs exactly the same on both systems?

Note that on Debian libldap is linked against GnuTLS. In this case the
ldap.SERVER_DOWN exception does not contain a useful diagnostic message.
When linking libldap against OpenSSL a message generated by OpenSSL is
returned by libldap as diagnostic message.

Ciao, Michael.

Gareth Walters (2K Australia) wrote:
> 
> Package: python-ldap
> Version: 2.4.10-1
> Severity: important
> 
> Dear Maintainer,
> While trying to get a Python script of mine to work in Wheezy (have it
> running in Squeeze and several other OSs)
> I come across this error when using ldaps://
> 
> ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server"}
> The server is up and the same script is working on the Squeeze machine.
> 
> It's talking to Windows AD 2008 R2
> 
> the minimal code to reproduce is;
> import ldap
> myldap=ldap.initialize("ldaps://xx.xx.xx.100")
> myldap.bind_s('bindDN','bindPASS')
> 
> but this works
> import ldap
> myldap=ldap.initialize("ldap://xx.xx.xx.100")
> myldap.bind_s('bindDN','bindPASS')
> 
> Does not even get far enough to give a certificate error as would
> normally happen without allow unverified/trusted SSL cert.
> 
> 
> Output when setting ldap debug on;
> 
> ldap_create
> ldap_url_parse_ext(ldaps://xx.xx.xx.105)
> ldap_url_parse_ext(ldaps://xx.xx.xx.100)
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP xx.xx.xx.100:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying xx.xx.xx.100:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP xx.xx.xx.105:636
> ldap_new_socket: 5
> ldap_prepare_socket: 5
> ldap_connect_to_host: Trying xx.xx.xx.105:636
> ldap_pvt_connect: fd: 5 tm: -1 async: 0
> ldap_err2string
> Traceback (most recent call last):
>   File "./adauth.py", line 71, in <module>
>     myldap.bind_s(config.get('ldap','bindDN'),config.get('ldap','bindPASS'))
>   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 222, in bind_s
>     msgid = self.bind(who,cred,method)
>   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 216, in bind
>     return self.simple_bind(who,cred)
>   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 201, in simple_bind
>     return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
>   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 99, in _ldap_call
>     result = func(*args,**kwargs)
> ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server"}
> 
> 
> 
> -- System Information:
> Debian Release: 7.0
>   APT prefers testing
>   APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> Versions of packages python-ldap depends on:
> ii  libc6          2.13-38
> ii  libldap-2.4-2  2.4.31-1
> ii  python         2.7.3-4
> ii  python2.7      2.7.3-6
> 
> python-ldap recommends no packages.
> 
> Versions of packages python-ldap suggests:
> pn  python-ldap-doc  <none>
> pn  python-pyasn1    <none>
> 
> -- no debconf information
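
Since the GnuTLS-linked libldap reports only "Can't contact LDAP server", the following added example (not code from this thread or from python-ldap) probes the LDAPS port with Python's standard ssl module to show whether the failure is at TCP connect or at the TLS handshake. It is written for Python 3, and the ssl module uses OpenSSL, so it gives OpenSSL's view of the handshake rather than GnuTLS's; the function name probe_ldaps and the host name ldap.example.test are placeholders chosen for this example.

```python
import socket
import ssl
import sys


def probe_ldaps(host, port=636, timeout=5.0, cafile=None):
    """Return (stage, detail); stage is 'tcp', 'tls' or 'ok'."""
    # Step 1: plain TCP connect, the last step visible in the libldap
    # debug trace (ldap_connect_to_host / ldap_pvt_connect).
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp", "%s: %s" % (type(exc).__name__, exc))

    # Step 2: TLS handshake with certificate and host name verification
    # left on, so a trust problem is reported rather than hidden.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", "%s, cipher %s" % (tls.version(), tls.cipher()[0]))
    except (ssl.SSLError, OSError) as exc:
        return ("tls", "%s: %s" % (type(exc).__name__, exc))


if __name__ == "__main__":
    # Placeholder host name; pass the real server as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.test"
    stage, detail = probe_ldaps(target)
    print("%s:636 -> %s (%s)" % (target, stage, detail))
```

A result of 'tls' with a certificate verification message points at the trust store; pass the issuing CA bundle via cafile to confirm.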

