Andreas, sorry for my late reply. I'm quite busy at the moment.
Andreas Büsching wrote:
> I've found a strange behaviour of python-ldap when working with TLS encrypted
> connections. I'm not sure if this is a problem of the python bindings or of
> libldap or in my head ;-)
>
> In my first scenario I was trying to set up a TLS encrypted connection with a
> specific CA certificate that was set in the ldap.conf file (TLS_CACERT).
>
> >>> import ldap
> >>> l = ldap.ldapobject.SmartLDAPObject(uri='LDAP://qamaster.windom2008.univention.test:389',
> ...     who='uid=Administrator,cn=users,DC=windom2008,DC=univention,DC=test', cred='univention',
> ...     start_tls=2, tls_cacertfile='/etc/univention/ssl/ucsCA/CAcert.pem')
> >>> l.started_tls
> 0
>
> In that case the connection is not encrypted. When I replace LDAP:// with
> ldap:// in the URI the connection is encrypted.

Well, that's because of the stupid handling in SmartLDAPObject.__init__(). Line 900 should check the lower-cased uri:

    if start_tls>0 and uri[:5].lower()=='ldap:':

Well, SmartLDAPObject is neither well tested nor documented and should probably be removed anyway...

> In the second scenario I've tried to set up a TLS encrypted connection with a
> CA certificate that was not set in the ldap.conf file.
>
> >>> l = ldap.ldapobject.SmartLDAPObject(uri='ldap://win-64q6lq48z7a.windom2008.univention.test:389',
> ...     who='cn=Administrator,cn=users,DC=windom2008,DC=univention,DC=test', cred='univention',
> ...     start_tls=2,
> ...     tls_cacertfile='/etc/univention/connector/ad/ad_cert_20091221_153053.pem')
> ...
> ldap.CONNECT_ERROR: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': 'Connect error'}

Well, tls_cacertfile is simply not used in SmartLDAPObject.__init__(). The reason is that OpenLDAP libs 2.3 were not able to set connection-specific SSL options. It should work with OpenLDAP 2.4 under some circumstances, but I never got it working.

=> please either don't use SmartLDAPObject or contribute fixes for it

Personally I'd vote for removing it.
Ciao, Michael.

_______________________________________________
Python-LDAP-dev mailing list
Python-LDAP-dev@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
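The two defects Michael points at in this reply (a case-sensitive scheme check that silently downgrades `LDAP://` to plaintext, and a `tls_cacertfile` argument that is never applied) are the kind of thing a caller can guard against on their side. The following is an added example, not code from python-ldap or from either poster: it normalises the URI scheme before deciding on StartTLS, applies the CA file as a per-connection option (the `OPT_X_TLS_*` options followed by `OPT_X_TLS_NEWCTX`, which libldap 2.4 and later use to rebuild the TLS context for that connection), and refuses to bind when `start_tls=2` is requested but the wire is still unencrypted, which is exactly the `started_tls == 0` case from the first scenario. The `FakeConnection` class, the host names, the credentials and the CA path are constructed stand-ins so the module runs without a directory server; the numeric fallbacks for the option codes are taken from OpenLDAP's `ldap.h` and are only used when the real `ldap` module is not importable.

```python
"""Fail-closed StartTLS setup for python-ldap (added example, not library code)."""

try:
    import ldap  # real python-ldap, if installed
except ImportError:
    ldap = None

# Option codes fall back to the values from OpenLDAP's ldap.h when python-ldap
# is not importable (assumption: a matching libldap build).
OPT_X_TLS_CACERTFILE = getattr(ldap, "OPT_X_TLS_CACERTFILE", 0x6002)
OPT_X_TLS_REQUIRE_CERT = getattr(ldap, "OPT_X_TLS_REQUIRE_CERT", 0x6006)
OPT_X_TLS_DEMAND = getattr(ldap, "OPT_X_TLS_DEMAND", 1)
OPT_X_TLS_NEWCTX = getattr(ldap, "OPT_X_TLS_NEWCTX", 0x600F)
LDAPError = getattr(ldap, "LDAPError", Exception)


class TLSRequired(Exception):
    """Raised when start_tls=2 (required) cannot be honoured."""


def scheme_of(uri):
    """URI schemes are case-insensitive (RFC 3986): normalise before comparing."""
    return uri.split(":", 1)[0].lower()


def wants_start_tls(uri, start_tls):
    """Decide whether StartTLS should be negotiated.

    start_tls follows SmartLDAPObject's convention: 0 never, 1 try, 2 required.
    ldaps:// is encrypted from the first byte and ldapi:// is a local Unix
    socket, so StartTLS only applies to plain ldap://.
    """
    if start_tls <= 0:
        return False
    scheme = scheme_of(uri)
    if scheme == "ldap":
        return True
    if scheme in ("ldaps", "ldapi"):
        return False
    raise ValueError("unsupported LDAP URI scheme: %r" % scheme)


def open_connection(conn, uri, who, cred, start_tls=2, tls_cacertfile=None):
    """Configure TLS on conn, negotiate StartTLS and bind.

    conn is the object returned by ldap.initialize(uri), or anything exposing
    the same set_option / start_tls_s / simple_bind_s methods.  Returns True
    when the bind went over TLS.  With start_tls=2 a failed or skipped
    StartTLS raises TLSRequired before any credentials are sent.
    """
    if tls_cacertfile:
        # Per-connection CA file plus mandatory verification.  NEWCTX tells
        # libldap (2.4+) to build a fresh TLS context from the options just
        # set instead of reusing the global one derived from ldap.conf.
        conn.set_option(OPT_X_TLS_CACERTFILE, tls_cacertfile)
        conn.set_option(OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_DEMAND)
        conn.set_option(OPT_X_TLS_NEWCTX, 0)

    encrypted = scheme_of(uri) == "ldaps"
    if wants_start_tls(uri, start_tls):
        try:
            conn.start_tls_s()
            encrypted = True
        except LDAPError as exc:
            if start_tls >= 2:
                raise TLSRequired("StartTLS failed on %s: %s" % (uri, exc)) from exc
            # start_tls=1: the caller accepted a plaintext fallback

    if start_tls >= 2 and not encrypted and scheme_of(uri) != "ldapi":
        raise TLSRequired("refusing to bind %s over plaintext to %s" % (who, uri))

    conn.simple_bind_s(who, cred)
    return encrypted


class FakeConnection:
    """Constructed stand-in for an ldap.initialize() object (not python-ldap code)."""

    def __init__(self, tls_ok=True):
        self.tls_ok = tls_ok
        self.options = {}
        self.tls_active = False
        self.bound_as = None

    def set_option(self, option, value):
        self.options[option] = value

    def start_tls_s(self):
        # Mimics ldap.CONNECT_ERROR with "certificate verify failed".
        if not self.tls_ok:
            raise LDAPError("certificate verify failed")
        self.tls_active = True

    def simple_bind_s(self, who, cred):
        self.bound_as = who


if __name__ == "__main__":
    # Upper-case scheme and an explicit CA file: TLS is negotiated before the bind.
    c = FakeConnection()
    print(open_connection(c, "LDAP://ldap.example.test:389", "uid=admin", "secret",
                          start_tls=2, tls_cacertfile="/etc/ssl/ca.pem"))
```

Against a real server, replace `FakeConnection()` with `ldap.initialize(uri)`; the options are set on that object before `start_tls_s()`, which is the order the per-connection TLS context requires. The important behavioural difference from the `SmartLDAPObject` path in the thread is that a required StartTLS that does not happen is an exception, not a `started_tls` value of 0 that has to be checked after the credentials have already gone out.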