Re: Certificate checking on LDAP over SSL connection

2008-12-16 Thread Michael Ströder
Alberto Lopes wrote:
> 
> I dunno if this message was best sent directly to you or posted on the
> list; if so, please feel free to forward it.

Please post to [email protected] (Cc:-ed).

> Apparently the "SSL server certificate with blank subject field"
> problem doesn't end in reissuing the certificate, with a filled subject
> field.

Hmm...without seeing the certs and/or error messages I can't tell.

> In the blog post
> http://blogs.technet.com/askds/archive/2008/09/16/third-party-application-fails-using-ldap-over-ssl.aspx,
> the author quotes the RFC 3280 (Internet X.509 PKI spec), in which it is
> stated that when the SAN field is marked as critical and is used to
> express the only identity to the subject, the subject field must be empty.

Frankly, there are lots of interop issues regarding PKIX. You don't want
to know all of them. So I wouldn't mark SAN extension critical and add
the hostname in the CN attribute of subject name.

> So, strictly speaking, a certificate with blank subject field can be
> conformant to the RFC. In that sense, I think that openssl is already
> conformant, since the "openssl -c" command doesn't give me an error
> message. But maybe openLDAP or python-ldap is not conformant, for giving
> me the error message I talked about in my first message.

Does it work with the OpenLDAP command-line tools? If openssl s_client
just works fine and the OpenLDAP command-line tool ldapsearch does not,
it would be good to raise this on the openldap-software mailing list.

python-ldap itself does not do anything special. It just passes all
parameters to the OpenLDAP lib.

Ciao, Michael.

--
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
The future of the web can't happen without you.  Join us at MIX09 to help
pave the way to the Next Web now. Learn more and register at
http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
___
Python-LDAP-dev mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
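A diagnostic for the identity question in the thread above, added here as an example and not code from python-ldap, OpenLDAP or either poster: given the dict that Python's ssl.getpeercert() returns, it reports whether the server certificate names the host through a SAN dNSName, only through the legacy subject CN, or not at all (blank subject and no SAN). All function names, hostnames and sample dicts are constructed for the example.

```python
import socket
import ssl

def cert_identities(cert):
    """Hostnames from a getpeercert()-style dict: subject CNs and SAN DNS names."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cns, sans

def _name_matches(pattern, hostname):
    """Case-insensitive exact match, or one leftmost-label wildcard (*.example.test)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = hostname.split(".", 1)
        return len(labels) == 2 and labels[0] != "" and labels[1] == pattern[2:]
    return False

def diagnose(cert, hostname):
    """Classify how the certificate names `hostname`: 'san-match' (SAN dNSName, the
    RFC 3280-style identity), 'cn-only-match' (no SAN, legacy subject CN only),
    'no-identity' (blank subject and no SAN: the failure discussed above), or 'mismatch'."""
    cns, sans = cert_identities(cert)
    if any(_name_matches(n, hostname) for n in sans):
        return "san-match"
    if sans:
        return "mismatch"  # when a SAN is present, clients ignore the CN entirely
    if any(_name_matches(n, hostname) for n in cns):
        return "cn-only-match"
    if not cns and not cert.get("subject"):
        return "no-identity"
    return "mismatch"

def fetch_peer_cert(hostname, port=636):
    """Fetch an LDAPS server certificate over the network (the samples below avoid it).
    The chain is still verified (CERT_REQUIRED); only the hostname check moves to diagnose()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed samples in the shape ssl.getpeercert() returns (not real certificates).
SAN_ONLY_CERT = {"subject": (), "subjectAltName": (("DNS", "ldap.example.test"),)}
CN_ONLY_CERT = {"subject": ((("commonName", "ldap.example.test"),),)}
BLANK_CERT = {"subject": ()}
```

getpeercert() does not expose whether the SAN extension is marked critical, so that part of the RFC 3280 discussion still has to be checked with `openssl x509 -text -noout` on the PEM certificate.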


minor errors in the docstring of dsml.py

2008-12-16 Thread Yves Dorfsman

There are minor errors in the docstring of dsml.py, such as:

  |  input_file
  |  File-object to read the LDIF input from

Which obviously has been copied from the ldif.py.

What's the best way to correct it? Can somebody with the right permissions
change it, or should I submit a patch file?


-- 
Yves.
http://www.sollers.ca/blog





DSMLParser example

2008-12-16 Thread Yves Dorfsman

Is there a simple example for dsml.DSMLParser() somewhere?

I am trying to use it, but getting errors. The documentation does not 
explain what "ContentHandlerClass" is supposed to be.

I have tried:
x = dsml.DSMLParser(input_file, dsml.DSMLv1Handler)

But eventually it fails with an HTTP 404 error...


Thanks.

-- 
Yves.
http://www.sollers.ca/blog/2008/swappiness
http://www.sollers.ca/blog/2008/swappiness/.fr

