support for wildcard certificates

Hi,

I have set up an LDAP server with a wildcard certificate. Upon trying to establish a TLS connection using python-ldap, I get the error "TLS: hostname does not match CN in peer certificate". This works fine if I use a certificate with the exact domain name. Is this a bug? Are there any known solutions to this? Looking forward to a response.

Thanks,
Rahul.

P.S.: The "ldapwhoami" command establishes a TLS connection properly even when using a wildcard certificate. So I am assuming it might be a problem with the python-ldap library.

___
Python-LDAP-dev mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
Re: support for wildcard certificates

Rahul Amaram wrote:
> I have set up an LDAP server with a wildcard certificate. Upon trying to
> establish a TLS connection using python-ldap, I get the error "TLS:
> hostname does not match CN in peer certificate". This works fine if I
> use a certificate with the exact domain name. Is this a bug? Are there
> any known solutions to this? Looking forward to a response.

Well, personally I'd recommend not to use wildcard certs at all => I never tested anything like this.

python-ldap simply relies on the OpenLDAP libs, which in turn rely on OpenSSL. Hmm, so this should probably be raised on the openldap-software mailing list.

> P.S.: The "ldapwhoami" command establishes a TLS connection properly even
> when using a wildcard certificate. So I am assuming it might be a
> problem with the python-ldap library.

You might wanna dive into the source of ldapwhoami and look up which options they set. BTW: Are you sure that your local python-ldap installation uses the same OpenLDAP client libs as the ldapwhoami command-line tool?

Ciao, Michael.
Re: support for wildcard certificates

Hi Michael,

Thanks for the response. I think you have pointed to the correct problem. ldapwhoami seems to be using ldap library version 2.3.30, whereas python-ldap is probably using 2.1.30. And from this post http://www.openldap.org/lists/openldap-software/200504/msg00304.html it is evident that support for wildcard certificates has been incorporated in a version in between these two.

Thanks a ton for the immediate response.

Regards,
Rahul.

Michael Ströder wrote:
> Rahul Amaram wrote:
>> I have set up an LDAP server with a wildcard certificate. Upon trying
>> to establish a TLS connection using python-ldap, I get the error
>> "TLS: hostname does not match CN in peer certificate". This works
>> fine if I use a certificate with the exact domain name. Is this a
>> bug? Are there any known solutions to this? Looking forward to a
>> response.
>
> Well, personally I'd recommend not to use wildcard certs at all
> => I never tested anything like this.
>
> python-ldap simply relies on the OpenLDAP libs, which in turn rely on
> OpenSSL. Hmm, so this should probably be raised on the
> openldap-software mailing list.
>
>> P.S.: The "ldapwhoami" command establishes a TLS connection properly even
>> when using a wildcard certificate. So I am assuming it might be a
>> problem with the python-ldap library.
>
> You might wanna dive into the source of ldapwhoami and look up which
> options they set. BTW: Are you sure that your local python-ldap
> installation uses the same OpenLDAP client libs as the ldapwhoami
> command-line tool?
>
> Ciao, Michael.
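An added illustration, not code from python-ldap or OpenLDAP, of the two things the thread turns on: the rule a TLS client following RFC 6125 uses to decide whether a wildcard certificate name covers the host it connected to (with the edge cases a hostname check must refuse, not just the single case above), and the check Michael suggests, i.e. which OpenLDAP client library python-ldap is actually linked against. The OPT_API_INFO lookup assumes a python-ldap that exposes that option; the sample names are constructed.

```python
def wildcard_match(cert_name, hostname):
    """Decide whether a certificate name (CN or dNSName, possibly with a
    leading '*' label) covers hostname, following the RFC 6125 rules:
    case-insensitive comparison; '*' allowed only as the whole left-most
    label; it matches exactly one label (never zero, never across a dot);
    all other labels must match exactly; '*.com'-style names are refused."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "" in cert_labels or "" in host_labels:
        return False  # empty label: malformed name, never a match
    if "*" not in cert_name:
        return cert_labels == host_labels  # plain name: exact match only
    if cert_labels[0] != "*" or any("*" in lbl for lbl in cert_labels[1:]):
        return False  # wildcard must be the entire left-most label
    if len(cert_labels) < 3:
        return False  # refuse '*.com': far too broad to be trusted
    if len(host_labels) != len(cert_labels):
        return False  # '*' covers one label, so 'a.b.example.com' fails
    return cert_labels[1:] == host_labels[1:]


def openldap_client_version():
    """The check Michael suggests: report the OpenLDAP client library that
    python-ldap is linked against, to compare with the one ldapwhoami uses.
    Assumes python-ldap exposes ldap.OPT_API_INFO; returns None when the
    module is not installed."""
    try:
        import ldap
    except ImportError:
        return None
    info = ldap.get_option(ldap.OPT_API_INFO)
    return info.get("vendor_name"), info.get("vendor_version")


if __name__ == "__main__":
    # Constructed sample names: the case from the thread plus its edge cases.
    for cert, host in [("*.example.com", "ldap.example.com"),
                       ("*.example.com", "example.com"),
                       ("*.example.com", "a.b.example.com"),
                       ("*.com", "example.com"),
                       ("ldap.example.com", "ldap.example.com")]:
        print(f"{cert:20} vs {host:20} -> {wildcard_match(cert, host)}")
    print("python-ldap OpenLDAP client lib:", openldap_client_version())
```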
