start TLS
Michael Ströder
michael at stroeder.com
Sun May 26 12:32:29 CEST 2002
David Margrave wrote:
>
> but I can't find any reference anywhere for how to configure a client with
> a local store of 'trusted root CA certificates'. This means that a
> man-in-the-middle attack is still possible.
You can set it globally.
import ldap
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/ssl.crt/cacerts.pem')
or
ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '/etc/ssl.crt')
I didn't succeed setting it for a specific LDAP connection but I
may have done something wrong.
> Can anyone provide a bit of insight? Maybe the python-ldap module could
> be made a bit more flexible than client apps like ldapsearch in this
> regard, say by giving the developer the option of providing certificate
> verification callbacks, etc.
IMHO we have to rely on what the OpenLDAP 2 libs are exposing.
Certificate validation is IMHO incomplete at the moment e.g. CRL
checking is not supported.
In theory OpenSSL's SSL context structure would allow setting such
a call-back function. But I doubt we can access that safely
through OpenLDAP's API.
Of course you're welcome to dig into this and find a better solution.
Ciao, Michael.
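The point David raises is the real one: a STARTTLS client that never checks the server certificate against a local trust store accepts any certificate, so a man-in-the-middle is trivial. The helper below is an added example, not code from the thread or from python-ldap itself. It builds the ordered list of set_option() calls that put a trust store in place and make verification mandatory (OPT_X_TLS_REQUIRE_CERT = OPT_X_TLS_DEMAND), either globally on the ldap module or on a single connection. It assumes a later python-ldap than the 2002 reply above, one that exposes OPT_X_TLS_NEWCTX; that option is what makes per-connection TLS settings take effect and it must be the last TLS option set. LDAP_URI and the CA path are placeholders.

```python
"""Added example (not from the python-ldap thread): configure a python-ldap
client with a local store of trusted root CAs and demand verification.

Assumes python-ldap with the OPT_X_TLS_* constants (including
OPT_X_TLS_NEWCTX), an LDAP server at a placeholder URI and a CA bundle
at a placeholder path.
"""
import os

try:
    import ldap
except ImportError:  # the plan-building logic below works without python-ldap
    ldap = None

# Per-connection TLS options only take effect once OPT_X_TLS_NEWCTX is set,
# and it has to be the LAST TLS option applied to the connection.
_NEWCTX = "OPT_X_TLS_NEWCTX"


def tls_option_plan(cacertfile=None, cacertdir=None, per_connection=True):
    """Return an ordered list of (option_name, value) pairs for set_option().

    Refuses to build a plan with no trust store: without one, OpenLDAP has
    nothing to validate the server chain against and a MITM goes unnoticed.
    Values are given as python-ldap constant names so the plan can be built
    and inspected without python-ldap installed.
    """
    if not (cacertfile or cacertdir):
        raise ValueError("need a CA file or CA directory; otherwise the peer is unverified")
    plan = []
    if cacertfile:
        if not os.path.isfile(cacertfile):
            raise ValueError("CA file not found: %s" % cacertfile)
        plan.append(("OPT_X_TLS_CACERTFILE", cacertfile))
    if cacertdir:
        if not os.path.isdir(cacertdir):
            raise ValueError("CA directory not found: %s" % cacertdir)
        plan.append(("OPT_X_TLS_CACERTDIR", cacertdir))
    # DEMAND fails the handshake if the chain does not validate.
    # NEVER/ALLOW/TRY would keep talking to an unverified (possibly MITM) peer.
    plan.append(("OPT_X_TLS_REQUIRE_CERT", "OPT_X_TLS_DEMAND"))
    if per_connection:
        plan.append((_NEWCTX, 0))  # must stay last
    return plan


def apply_plan(target, plan):
    """Apply a plan via target.set_option().

    target is the ldap module itself (global settings, as in the reply above)
    or an LDAPObject (settings for that connection only).
    """
    if ldap is None:
        raise RuntimeError("python-ldap is not installed")
    for name, value in plan:
        if isinstance(value, str) and value.startswith("OPT_X_TLS_"):
            value = getattr(ldap, value)  # e.g. "OPT_X_TLS_DEMAND" -> ldap.OPT_X_TLS_DEMAND
        target.set_option(getattr(ldap, name), value)


def verified_start_tls(uri, cacertfile):
    """Open a connection with its own trust store and upgrade it with STARTTLS.

    A certificate that does not chain to cacertfile makes start_tls_s()
    raise (typically ldap.CONNECT_ERROR); the connection is then dropped
    instead of being used unverified.
    """
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    apply_plan(conn, tls_option_plan(cacertfile=cacertfile))
    try:
        conn.start_tls_s()
    except ldap.LDAPError:
        conn.unbind_s()
        raise
    return conn


if __name__ == "__main__":
    # Placeholders: adjust to a real server and CA bundle before running.
    LDAP_URI = "ldap://ldap.example.com"
    CA_FILE = "/etc/ssl.crt/cacerts.pem"
    conn = verified_start_tls(LDAP_URI, CA_FILE)
    print("STARTTLS succeeded with a verified server certificate")
    conn.unbind_s()
```

For the global variant from the reply above, call apply_plan(ldap, tls_option_plan(cacertfile=..., per_connection=False)) once before ldap.initialize(); for a single connection, apply the per-connection plan to the LDAPObject before start_tls_s(), as verified_start_tls() does.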