Re: Certificate checking on LDAP over SSL connection
Alberto Lopes wrote:
>
> From what I understood from the LDAPUserFolder code, it delegates the
> SSL negotiation to the python-ldap library.

And further down the delegation path:
python-ldap -> OpenLDAP lib -> OpenSSL lib

> How can I pass the
> CAcertificate to the python-ldap layer in order to have it accepting the
> server certificate?

See Demo/initialize.py in python-ldap's source distribution.

ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')

or

ldap.set_option(ldap.OPT_X_TLS_CACERTDIR,'/etc/httpd/ssl.crt')

In older versions of the OpenLDAP libs you can only set these options
globally. Not sure about 2.4.8.

I have no clue whether LDAPUserFolder makes it possible to set these
options though.

Ciao, Michael.

--
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
The future of the web can't happen without you. Join us at MIX09 to help
pave the way to the Next Web now. Learn more and register at
http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
___
Python-LDAP-dev mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
Certificate checking on LDAP over SSL connection
Dear friends,

I am using python-ldap indirectly, as a dependency for the LDAPUserFolder
product for Zope.

From what I understood from the LDAPUserFolder code, it delegates the SSL
negotiation to the python-ldap library.

The problem is that when I try to make an LDAP connection over SSL (to a
MS-AD server), I get an "invalid certificate" message.

How can I pass the CAcertificate to the python-ldap layer in order to have it
accepting the server certificate?

I am using python-ldap in Windows, using the OpenSSL and OpenLDAP DLLs that I
got from http://python-ldap.sourceforge.net/download.shtml.

Please help me.

Best regards,
Alberto
Re: Certificate checking on LDAP over SSL connection
Dear Michael, Thank you for your answer.
Now, I'm working on making the Zope Python interpreter able to connect
to the LDAP server (over SSL), using the example in Demo/initialize.py.
However I got stuck in a different problem.
When trying to connect, I followed this sequence of commands (changing the
/path/to/my/CAcert and : sequences):
import sys,ldap
ldap.set_option(ldap.OPT_DEBUG_LEVEL,255)
ldapmodule_trace_level = 1
ldapmodule_trace_file = sys.stderr
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/path/to/my/CAcert')
l = ldap.initialize('ldaps://:',trace_level=ldapmodule_trace_level,trace_file=ldapmodule_trace_file)
l.protocol_version=ldap.VERSION3
l.bind_s('','',ldap.AUTH_SIMPLE)
Here, I got the following message:
ldap.SERVER_DOWN: {'info': 'TLS: unable to get CN from peer certificate',
'desc' : "Can't contact LDAP server"}
Point is, the LDAP server certificate doesn't have the "Subject" field;
instead, it uses the "Subject Alternate Name" field in the V3 Extensions.
Can anyone help me?
Best regards,
Alberto
On Tue, Dec 9, 2008 at 9:54 AM, Michael Ströder <[EMAIL PROTECTED]> wrote:
> Alberto Lopes wrote:
> >
> > From what I understood from the LDAPUserFolder code, it delegates the
> > SSL negotiation to the python-ldap library.
>
> And further down the delegation path:
> python-ldap -> OpenLDAP lib -> OpenSSL lib
>
> > How can I pass the
> > CAcertificate to the python-ldap layer in order to have it accepting the
> > server certificate?
>
> See Demo/initialize.py in python-ldap's source distribution.
>
>
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')
>
> or
>
> ldap.set_option(ldap.OPT_X_TLS_CACERTDIR,'/etc/httpd/ssl.crt')
>
> In older versions of the OpenLDAP libs you can only set these options
> globally. Not sure about 2.4.8.
>
> I have no clue whether LDAPUserFolder makes it possible to set these
> options though.
>
> Ciao, Michael.
>
Re: Certificate checking on LDAP over SSL connection
Alberto Lopes wrote:
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/path/to/my/CAcert')
> l = ldap.initialize('ldaps://:',trace_level=ldapmodule_trace_level,trace_file=ldapmodule_trace_file)
>
> l.protocol_version=ldap.VERSION3
> l.bind_s('','',ldap.AUTH_SIMPLE)
>
> Here, I got the following message:
> ldap.SERVER_DOWN: {'info': 'TLS: unable to get CN from peer
> certificate', 'desc' : "Can't contact LDAP server"}
This is rather an OpenSSL issue maybe depending on the OpenSSL version
used to build OpenLDAP libs. I'd test that with
openssl s_client first:
openssl s_client -connect : -CAfile /path/to/my/CAcert
> Point is, the LDAP server certificate doesn't have the "Subject" field;
> instead, it uses the "Subject Alternate Name" field in the V3 Extensions.
Well, a cert MUST have a subject DN. It might be the case that it does
not have a CN attribute. IMHO it should.
Ciao, Michael.
Re: Certificate checking on LDAP over SSL connection
Michael,

Here is what I got after the
openssl s_client -connect : -CAfile /path/to/my/CAcert
command:

CONNECTED(0784)
---
Certificate chain
 0 s:
   i:/DC=srf/CN=AC DN
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFjjCCBHagAwIBAgIKb11m+wACNzANBgkqhkiG9w0BAQUFADAzMRMwEQYK
CZImiZPyLGQBGRYDc3JmMRwwGgYDVQQDExNSRkIgRW50ZXJwcmlzZSBDQTAyMB4X
DTA4MTIwODEzNTUzOVoXDTA5MTIwODEzNTUzOVowADCBnzANBgkqhkiG9w0BAQEF
CERTIFICATE VOIDED FOR SECURITY REASONS
4cT9LQqwIZImw43pkJOBb4SpAWgtRFp593ydbecZ3Kp8bGq7nLm5fhTazF0tuH7j
mXj1Y2rkoucgDBDPTDRfIodpbmwiv85KdxVLjYbMwC6UZkJAnbyyZsJMnEV7gvIU
aB8SRTjVy3I2L9qs+PE6VmFEj77s9GJ/uK6sQKe5r9wMhfumB9hhvINdiAZHjDrL
BonD2E6tujKEZFK/Rpy2bB4xACM/Bo2Y9/w8ubsfaREvcA==
-----END CERTIFICATE-----
subject=
issuer=/DC=srf/CN=AC DN
---
Acceptable client certificate CA names
... LIST OF DNs deleted from screen capture for security reasons ...
---
SSL handshake has read 5964 bytes and written 318 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 180E0D77AF6764CDEA8AD607E28BB8EF02028EBFB4F2C2C2CBEA354788FD
    Session-ID-ctx:
    Master-Key: 51434AA335DE806D5AC923D057A0A2C865B1D4FDCEB0CF6B3C7B148EA3187E0565B7559B10817BF81A93F79B1E34101E
    Key-Arg   : None
    Start Time: 1228851254
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

From the "subject=" line, one could see that the server certificate is
subjectless. Do you think that's the reason why I couldn't connect via
python-ldap?

Thanks,
Alberto
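The situation the thread ends on (an empty "subject=" line, the server name only in a Subject Alternative Name, and a client that reports "TLS: unable to get CN from peer certificate") can be reproduced without any server. What follows is an added example, not part of this thread and not python-ldap, OpenLDAP or OpenSSL code: a stdlib-only Python model of TLS hostname checking. Its tiny DER encoder builds a constructed, unsigned TBSCertificate body (`build_tbs`) with either an empty subject plus a subjectAltName or a conventional CN, and its parser feeds two checkers: `check_cn_only`, which consults only the subject CN and raises the same error text the thread shows when there is none, and `check_san_first`, which consults SAN dNSName entries first in the RFC 6125 manner and accepts the subjectless certificate. The helper names, the issuer "AC DN" reused from the s_client output, and the `*.ad.example.test` hostnames are all assumptions made for the demo.

```python
def _length(n):  # DER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def der(tag, content):  # one TLV
    return bytes([tag]) + _length(len(content)) + content
def seq(*items):  # SEQUENCE / SEQUENCE OF
    return der(0x30, b"".join(items))
def oid(dotted):  # OBJECT IDENTIFIER from dotted notation
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        arc >>= 7
        while arc:
            enc.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(enc)
    return der(0x06, bytes(body))
def rdn(attr_oid, value):  # RelativeDistinguishedName with one UTF8String value
    return der(0x31, seq(attr_oid, der(0x0C, value.encode("utf-8"))))

OID_CN = oid("2.5.4.3")      # id-at-commonName
OID_SAN = oid("2.5.29.17")   # id-ce-subjectAltName

def build_tbs(subject_rdns, dns_names):
    # Constructed TBSCertificate (unsigned model): key, serial and dates are dummies.
    fields = [
        der(0xA0, der(0x02, b"\x02")),                       # [0] version v3
        der(0x02, b"\x01"),                                  # serialNumber
        seq(oid("1.2.840.113549.1.1.5"), der(0x05, b"")),    # sha1WithRSAEncryption
        seq(rdn(OID_CN, "AC DN")),                           # issuer (name taken from the thread)
        seq(der(0x17, b"081208135539Z"), der(0x17, b"091208135539Z")),  # validity
        seq(*subject_rdns),                                  # subject: empty if no RDNs
        seq(seq(oid("1.2.840.113549.1.1.1"), der(0x05, b"")), der(0x03, b"\x00\x00")),
    ]
    if dns_names:  # [3] extensions carrying a subjectAltName of dNSName entries
        general_names = seq(*[der(0x82, n.encode("ascii")) for n in dns_names])
        fields.append(der(0xA3, seq(seq(OID_SAN, der(0x04, general_names)))))
    return seq(*fields)

def tlv(buf, pos=0):  # parse one TLV -> (tag, content, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def children(content):  # every TLV directly inside a constructed value
    out, pos = [], 0
    while pos < len(content):
        tag, inner, pos = tlv(content, pos)
        out.append((tag, inner))
    return out
def tbs_fields(tbs):
    (_, body), = children(tbs)  # unwrap the outer SEQUENCE
    fields = children(body)
    return fields[1:] if fields[0][0] == 0xA0 else fields  # drop optional [0] version

def subject_cn(tbs):
    subject = tbs_fields(tbs)[4][1]  # serial, sigAlg, issuer, validity, subject
    for _, rdn_set in children(subject):
        for _, atv in children(rdn_set):
            (ttag, tval), (_, value) = children(atv)
            if der(ttag, tval) == OID_CN:
                return value.decode("utf-8")
    return None  # empty subject, or a subject without a CN
def san_dns_names(tbs):
    for tag, content in tbs_fields(tbs):
        if tag == 0xA3:
            (_, extensions), = children(content)
            for _, ext in children(extensions):
                parts = children(ext)  # extnID, optional critical, extnValue
                if der(*parts[0]) == OID_SAN:
                    (_, names), = children(parts[-1][1])  # OCTET STRING wraps GeneralNames
                    return [v.decode("ascii") for t, v in children(names) if t == 0x82]
    return []

def _host_match(pattern, host):  # exact match or a single leftmost-label wildcard
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host
def check_cn_only(tbs, host):  # legacy behaviour: subject CN is the only identity used
    cn = subject_cn(tbs)
    if cn is None:
        raise ValueError("TLS: unable to get CN from peer certificate")
    return _host_match(cn, host)
def check_san_first(tbs, host):  # RFC 6125 style: SAN decides; CN only when no SAN
    names = san_dns_names(tbs)
    if names:
        return any(_host_match(n, host) for n in names)
    cn = subject_cn(tbs)
    return cn is not None and _host_match(cn, host)

# Constructed samples (made-up hostnames): the thread's case with an empty subject
# and the identity only in the SAN, next to a conventional CN-only certificate.
SUBJECTLESS_TBS = build_tbs([], ["dc01.ad.example.test", "*.ad.example.test"])
CN_ONLY_TBS = build_tbs([rdn(OID_CN, "dc01.ad.example.test")], [])
```

Calling `check_cn_only(SUBJECTLESS_TBS, "dc01.ad.example.test")` raises the thread's error while `check_san_first` on the same body returns True, which is the whole difference between a client that knows about SAN and one that does not. The defender's fix is on the issuing side: have the domain controller's certificate carry both a subject CN and a SAN so that clients of either vintage can verify it, rather than loosening the client with a weaker OPT_X_TLS_REQUIRE_CERT setting, which would silently disable the check that `s_client` with `-CAfile` just confirmed is working.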
