start TLS

Michael Ströder michael at stroeder.com
Sun May 26 12:32:29 CEST 2002


David Margrave wrote:
> 
> but I can't find any reference anywhere for how to configure a client with
> a local store of 'trusted root CA certificates'.  This means that a
> man-in-the-middle attack is still possible.

You can set it globally.

import ldap

# PEM file holding the trusted root CA certificates
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/ssl.crt/cacerts.pem')

or

# directory of trusted CA certificates
ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '/etc/ssl.crt')

I didn't succeed setting it for a specific LDAP connection but I 
may have done something wrong.

> Can anyone provide a bit of insight?  Maybe the python-ldap module could
> be made a bit more flexible than client apps like ldapsearch in this
> regard, say by giving the developer the option of providing certificate
> verification callbacks, etc. 

IMHO we have to rely on what the OpenLDAP 2 libs are exposing.
Certificate validation is IMHO incomplete at the moment, e.g. CRL
checking is not supported.

In theory OpenSSL's SSL context structure would allow setting such
a call-back function. But I doubt we can access that safely
through OpenLDAP's API.

Of course you're welcome to dig into this and find a better solution.

Ciao, Michael.
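An added example, not part of the original message: it uses the two options named above together with OPT_X_TLS_REQUIRE_CERT, so a server whose certificate does not chain to the local store is rejected rather than silently accepted. The helper names, the offline trust-store check and the sample certificate file are my own; python-ldap is only needed for the connecting function.

```python
import os
import re

try:
    import ldap  # python-ldap; not needed for the offline checks below
except ImportError:
    ldap = None

PEM_MARKER = "-----BEGIN CERTIFICATE-----"
# OPT_X_TLS_CACERTDIR is an OpenSSL CApath: certificates are only found
# through subject-hash file names such as "3513523f.0" (what c_rehash makes).
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def check_trust_store(cacertfile=None, cacertdir=None):
    """Return a list of problems; an empty list means the store is usable."""
    problems = []
    if cacertfile is None and cacertdir is None:
        problems.append("no trust anchors: server certificate cannot be verified")
    if cacertfile is not None:
        if not os.path.isfile(cacertfile):
            problems.append("CACERTFILE not found: %s" % cacertfile)
        else:
            with open(cacertfile, "r") as f:
                if PEM_MARKER not in f.read():
                    problems.append("CACERTFILE has no PEM certificate: %s" % cacertfile)
    if cacertdir is not None:
        if not os.path.isdir(cacertdir):
            problems.append("CACERTDIR not found: %s" % cacertdir)
        elif not any(HASHED_NAME.match(n) for n in os.listdir(cacertdir)):
            problems.append("CACERTDIR has no hash-named entries (run c_rehash): %s" % cacertdir)
    return problems


def connect_start_tls(uri, cacertfile=None, cacertdir=None):
    """Open uri, point the client at the local CA store, demand a valid
    server certificate and upgrade the connection with StartTLS."""
    if ldap is None:
        raise RuntimeError("python-ldap is not installed")
    problems = check_trust_store(cacertfile, cacertdir)
    if problems:
        raise ValueError("; ".join(problems))
    conn = ldap.initialize(uri)
    if cacertfile is not None:
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile)
    if cacertdir is not None:
        conn.set_option(ldap.OPT_X_TLS_CACERTDIR, cacertdir)
    # DEMAND: abort unless the server certificate chains to the store and
    # matches the host name; NEVER/ALLOW/TRY would leave a MITM undetected.
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    # Build a fresh TLS context from the per-connection options set above.
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    conn.start_tls_s()
    return conn
```

The per-connection set_option() calls need a python-ldap newer than the one discussed here; with the global ldap.set_option() form only the REQUIRE_CERT line changes.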