From michael at stroeder.com Sat Apr 2 08:14:43 2016
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 2 Apr 2016 14:14:43 +0200
Subject: [python-ldap] pypy 5.0.1 seems to work
Message-ID: <56FFB7B3.9060208@stroeder.com>

HI!

AFAICS pypy 5.0.1 is the first pypy release which fully supports all features
of python-ldap (with SASL bind etc.).

Ciao, Michael.

From spichugi at redhat.com Thu Apr 7 08:05:35 2016
From: spichugi at redhat.com (Simon Pichugin)
Date: Thu, 7 Apr 2016 14:05:35 +0200
Subject: [python-ldap] Server-side Sorting control lib
Message-ID: <20160407120535.GB3627@spichugi.usersys.redhat.com>

Hello, python-ldap community!

My name is Simon. I am from Red Hat, Red Hat Directory Server team.
I've started to work closely with python-ldap and I want to contribute
to it.

For a start, I want to make Server-side Sorting control lib better
(Lib/ldap/controls/sss.py). I've copied it and have tested with
389 Directory Server and it works.

Only one thing. For now it should be run like this (regarding 389ds):

    >>> s = SSSRequestControl(['-cn'])

Not like it's mentioned in the doc string on line 51:

    >>> s = SSSRequestControl('-cn')

Because then we have a problem on the line 70, where we will iterate
through our rule string and divide it into chars.

Also, I see "rule.split(':')" there on line 76. So we can either go this way
with one string like 'cn:sn' or just put list of attributes there like
['cn', 'sn'] and add variable for reverse ordering possibility.

And one more thing. I also want to add tests for this feature.

So here comes the question. What should my course of action look like
if I want to help the project?

Thanks,
Simon

P.S. as I see, sss.py is not in the setup.py now.

From michael at stroeder.com Thu Apr 7 16:20:15 2016
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 7 Apr 2016 22:20:15 +0200
Subject: [python-ldap] Server-side Sorting control lib
In-Reply-To: <20160407120535.GB3627@spichugi.usersys.redhat.com>
References: <20160407120535.GB3627@spichugi.usersys.redhat.com>
Message-ID: <5706C0FF.1050806@stroeder.com>

Simon Pichugin wrote:
> My name is Simon. I am from Red Hat, Red Hat Directory Server team.
> I've started to work closely with python-ldap and I want to contribute
> to it.
>
> For a start, I want to make Server-side Sorting control lib better
> (Lib/ldap/controls/sss.py). I've copied it and have tested with
> 389 Directory Server and it works.

Contributions are highly appreciated.

> Only one thing. For now it should be run like this (regarding 389ds):
>>>> s = SSSRequestControl(['-cn'])
>
> Not like it's mentioned in the doc string on line 51:
>>>> s = SSSRequestControl('-cn')
>
> Because then we have a problem on the line 70, where we will iterate
> through our rule string and divide it into chars.
>
> Also, I see "rule.split(':')" there on line 76. So we can either go this way
> with one string like 'cn:sn' or just put list of attributes there like
> ['cn', 'sn'] and add variable for reverse ordering possibility.

Noted. It seems my review was not thorough enough when I accepted this
contribution.

> And one more thing. I also want to add tests for this feature.

Tests are welcome.

> So here comes the question. What does my course of action should look like
> if I want to help the project?

Just send in a patch against CVS HEAD (as attachment). Or whole files are ok too.

> P.S. as I see, sss.py is not in the setup.py now.

Fixed in CVS HEAD.

Ciao, Michael.

From pspacek at redhat.com Wed Apr 20 06:38:33 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 20 Apr 2016 12:38:33 +0200
Subject: [python-ldap] how to run tests
Message-ID: <57175C29.8010908@redhat.com>

Hello,

is there some documentation about running tests in Tests/ subdirectory?

I tried "python setup.py test" but it prints following text and does nothing:

> defines: HAVE_SASL HAVE_TLS HAVE_LIBLDAP_R
> extra_compile_args: -g
> extra_objects:
> include_dirs: /usr/include/sasl /usr/include
> library_dirs: /usr/lib /usr/lib64
> libs: ldap_r
> running test

How do I know it does nothing?

I've changed an assert in Tests/t_search.py:test_search_subtree() and it did
not fail despite my sabotage.

Apparently somebody else tried this too and failed:
https://bugzilla.redhat.com/show_bug.cgi?id=1157426

So, what is the correct way of executing tests?

Thank you!

-- 
Petr Spacek @ Red Hat

From raphael.barrois at m4x.org Wed Apr 20 11:23:53 2016
From: raphael.barrois at m4x.org (Raphaël Barrois)
Date: Wed, 20 Apr 2016 17:23:53 +0200
Subject: [python-ldap] how to run tests
In-Reply-To: <57175C29.8010908@redhat.com>
References: <57175C29.8010908@redhat.com>
Message-ID: <20160420172353.7ecef051@ithor.polyconseil.fr>

On Wed, 20 Apr 2016 12:38:33 +0200
Petr Spacek wrote:

> Hello,
>
> is there some documentation about running tests in Tests/ subdirectory?
>
> I tried "python setup.py test" but it prints following text and does nothing:
>
> > defines: HAVE_SASL HAVE_TLS HAVE_LIBLDAP_R
> > extra_compile_args: -g
> > extra_objects:
> > include_dirs: /usr/include/sasl /usr/include
> > library_dirs: /usr/lib /usr/lib64
> > libs: ldap_r
> > running test
>
> How do I know it does nothing?
>
> I've changed an assert in Tests/t_search.py:test_search_subtree() and it did
> not fail despite my sabotage.
>
>
> Apparently somebody else tried this too and failed:
> https://bugzilla.redhat.com/show_bug.cgi?id=1157426
>
>
> So, what is the correct way of executing tests?
>
> Thank you!
>

Hi,

I think you can change directory to ``Tests`` and execute ``./runtests.sh``.

Regards,

-- 
Raphaël Barrois

From pspacek at redhat.com Mon Apr 25 04:23:18 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 25 Apr 2016 10:23:18 +0200
Subject: [python-ldap] how to run tests
In-Reply-To: <20160420172353.7ecef051@ithor.polyconseil.fr>
References: <57175C29.8010908@redhat.com> <20160420172353.7ecef051@ithor.polyconseil.fr>
Message-ID: <571DD3F6.80409@redhat.com>

On 20.4.2016 17:23, Raphaël Barrois wrote:
> On Wed, 20 Apr 2016 12:38:33 +0200
> Petr Spacek wrote:
>
>> Hello,
>>
>> is there some documentation about running tests in Tests/ subdirectory?
>>
>> I tried "python setup.py test" but it prints following text and does nothing:
>>
>>> defines: HAVE_SASL HAVE_TLS HAVE_LIBLDAP_R
>>> extra_compile_args: -g
>>> extra_objects:
>>> include_dirs: /usr/include/sasl /usr/include
>>> library_dirs: /usr/lib /usr/lib64
>>> libs: ldap_r
>>> running test
>>
>> How do I know it does nothing?
>>
>> I've changed an assert in Tests/t_search.py:test_search_subtree() and it did
>> not fail despite my sabotage.
>>
>>
>> Apparently somebody else tried this too and failed:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1157426
>>
>>
>> So, what is the correct way of executing tests?
>>
>> Thank you!
>>
>
> Hi,
>
> I think you can change directory to ``Tests`` and execute ``./runtests.sh``.

I see, the file runtests.sh is in CVS but not in the distribution tarball.

Could it be included in the tarball, please?

Fedora tends to run tests during package build to make sure that everything is
working together but this depends on having all the pieces in tarball.

Thank you!

-- 
Petr Spacek @ Red Hat

From michael at stroeder.com Mon Apr 25 05:14:09 2016
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 25 Apr 2016 11:14:09 +0200
Subject: [python-ldap] how to run tests
In-Reply-To: <571DD3F6.80409@redhat.com>
References: <57175C29.8010908@redhat.com> <20160420172353.7ecef051@ithor.polyconseil.fr> <571DD3F6.80409@redhat.com>
Message-ID: <571DDFE1.8000301@stroeder.com>

Petr Spacek wrote:
> I see, the file runtests.sh is in CVS but not in the distribution tarball.
>
> Could it be included in the tarball, please?

Hmm, this script would still need some love. But I'm very busy working on Æ-DIR.

Anyway I'd accept a patch to setup.py etc. to add the tests.
Could you provide one?

> Fedora tends to run tests during package build to make sure that everything is
> working together but this depends on having all the pieces in tarball.

Full ACK also for other distros but I'm currently too busy to do it.

Ciao, Michael.

From Manuel.Holtgrewe at bihealth.de Thu Apr 28 09:34:00 2016
From: Manuel.Holtgrewe at bihealth.de (Holtgrewe, Manuel)
Date: Thu, 28 Apr 2016 13:34:00 +0000
Subject: [python-ldap] Problem with non-standard location of sasl.h
Message-ID:

Dear all,

I have a problem with non-standard locations of sasl.h. My installation sets
INCLUDE_PATH and LIBRARY_PATH that is normally interpreted by gcc. However,
the LDAP setup.py overrides this.

I'm using pyldap and tried to commit my patch there [1]. The pyldap people
asked me to propose the change upstream (here).

What do you think?

Cheers,
Manuel

[1] https://github.com/pyldap/pyldap/pull/40/files

-- 
Manuel Holtgrewe
Bioinformatics Core Unit
Berlin Institute of Health
Phone: +49 30 450 543607
Postal Address: Chariteplatz 1, 10117 Berlin, Germany
Visiting Address: Luisenstr. 56, 10117 Berlin, Germany

From zhbmaillistonly at gmail.com Tue May 17 00:31:10 2016
From: zhbmaillistonly at gmail.com (Zhang Huangbin)
Date: Tue, 17 May 2016 12:31:10 +0800
Subject: [python-ldap] Possible bug of MOD_DELETE with OpenBSD ldapd as LDAP server
Message-ID:

Dear all,

I run OpenBSD 5.9 (amd64) and its built-in ldapd[1] daemon as LDAP
server. Let's say I have one ldap object with attribute/values like
this:

    dn: ...
    enabledService: abc
    enabledService: def
    enabledService: ghi
    enabledService: jkl

I run code below to delete just "enabledService=abc":

    conn.modify_s(dn, [(ldap.MOD_DELETE, 'enabledService', 'abc')])

It deletes all enabledService (this is not expected). Same code works
fine with OpenLDAP.
Is it a python-ldap issue or OpenBSD ldapd daemon?

Thanks very much for your time.

[1] ldapd:
http://man.openbsd.org/OpenBSD-current/man8/ldapd.8
http://man.openbsd.org/ldapd.conf.5

From michael at stroeder.com Wed May 18 17:22:50 2016
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 18 May 2016 23:22:50 +0200
Subject: [python-ldap] Possible bug of MOD_DELETE with OpenBSD ldapd as LDAP server
In-Reply-To:
References:
Message-ID:

On 2016-05-17 06:31, Zhang Huangbin wrote:
> I run OpenBSD 5.9 (amd64) and its built-in ldapd[1] daemon as LDAP
> server. Let's say I have one ldap object with attribute/values like
> this:
>
> dn: ...
> enabledService: abc
> enabledService: def
> enabledService: ghi
> enabledService: jkl
>
> I run code below to delete just "enabledService=abc":
>
> conn.modify_s(dn, [(ldap.MOD_DELETE, 'enabledService', 'abc')])
>
> It deletes all enabledService (this is not expected). Same code works
> fine with OpenLDAP.
> Is it a python-ldap issue or OpenBSD ldapd daemon?

To me this sounds like a bug in OpenBSD ldapd daemon.

Ciao, Michael.

From marija.durdevic at medunigraz.at Wed Jun 1 10:20:50 2016
From: marija.durdevic at medunigraz.at (Durdevic, Marija)
Date: Wed, 1 Jun 2016 14:20:50 +0000
Subject: [python-ldap] LDAP Authentication
Message-ID: <2c859f2c15934beeb2db2ecd7d75c40f@si121.mugad.medunigraz.at>

Dear all,

I am trying to setup LDAP for my Galaxy web-app.

Python-ldap file:
https://github.com/galaxyproject/galaxy/blob/dev/lib/galaxy/auth/providers/ldap_ad.py

My configuration file is:

I changed configuration to :

ldap '{email}'.endswith('@mycompany.com') True True False ldap://ldap. mycompany.com OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW False True uid,mail (mail={email}) ou=pers,ou=usr,o=mcp {dn} {password} {uid} {mail} localdb true

And error in log file is:

galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,135 LDAP authenticate: email is marija.durdevic at medunigraz.at
galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,136 LDAP authenticate: username is None
galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,136 LDAP authenticate: options are {'bind-user': '{dn}', 'search-fields': 'uid,mail', 'login-use-username': 'False', 'allow-register': 'True', 'ldap-options': 'OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW', 'auto-register-email': '{mail}', 'server': 'ldap://ldap.mycompany.com', 'auto-register': 'True', 'search-base': 'ou=pers,ou=usr,o=mug', 'search-filter': '(mail={email})', 'continue-on-failure': 'True', 'auto-register-username': '{uid}', 'bind-password': '{password}', 'allow-password-change': 'False'}
galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,144 LDAP authenticate: Valid LDAP option pair OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW -> 24582=3
galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,160 LDAP authenticate: dn is cn=o_durdevic,ou=pers,ou=usr,o=mug
galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,160 LDAP authenticate: search attributes are {'mail': ['marija.durdevic at medunigraz.at'], 'uid': ['o_durdevic']}
galaxy.auth.providers.ldap_ad WARNING 2016-06-01 15:13:28,169 LDAP authenticate: bind exception
Traceback (most recent call last):
  File "lib/galaxy/auth/providers/ldap_ad.py", line 168, in authenticate
    whoami = l.whoami_s()
  File "/home/galaxy/galaxy/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 641, in whoami_s
    return self._ldap_call(self._l.whoami_s,serverctrls,clientctrls)
  File "/home/galaxy/galaxy/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
PROTOCOL_ERROR: {'info': 'Unrecognized extended operation', 'desc': 'Protocol error'}

Any recommendation?

Thanks in advance.

Regards,
Marija

From michael at stroeder.com Wed Jun 1 17:02:29 2016
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 1 Jun 2016 23:02:29 +0200
Subject: [python-ldap] LDAP Authentication
In-Reply-To: <2c859f2c15934beeb2db2ecd7d75c40f@si121.mugad.medunigraz.at>
References: <2c859f2c15934beeb2db2ecd7d75c40f@si121.mugad.medunigraz.at>
Message-ID: <574F4D65.7080201@stroeder.com>

Durdevic, Marija wrote:
> I am trying to setup LDAP for my Galaxy web-app.

No idea what that is.

> File "lib/galaxy/auth/providers/ldap_ad.py", line 168, in authenticate
>
> whoami = l.whoami_s()
>
> File "/home/galaxy/galaxy/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 641, in whoami_s
>
> return self._ldap_call(self._l.whoami_s,serverctrls,clientctrls)
>
> File "/home/galaxy/galaxy/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
>
> result = func(*args,**kwargs)
>
> PROTOCOL_ERROR: {'info': 'Unrecognized extended operation', 'desc': 'Protocol error'}

The application invokes LDAPObject.whoami_s() but this particular LDAP server
(which one?) does not know the Who Am I? extended operation (defined in RFC 4532).

Ciao, Michael.

From marija.durdevic at medunigraz.at Thu Jun 2 03:00:58 2016
From: marija.durdevic at medunigraz.at (Durdevic, Marija)
Date: Thu, 2 Jun 2016 07:00:58 +0000
Subject: [python-ldap] LDAP Authentication
In-Reply-To: <574F4D65.7080201@stroeder.com>
References: <2c859f2c15934beeb2db2ecd7d75c40f@si121.mugad.medunigraz.at> <574F4D65.7080201@stroeder.com>
Message-ID: <21ad14de240d48db9a1eb7d0023a4964@si121.mugad.medunigraz.at>

Dear Michael,

Thank you for the answer.

Regards,
Marija

-----Original Message-----
From: Michael Ströder [mailto:michael at stroeder.com]
Sent: Wednesday, June 01, 2016 11:02 PM
To: Durdevic, Marija; python-ldap at python.org
Subject: Re: [python-ldap] LDAP Authentication

Durdevic, Marija wrote:
> I am trying to setup LDAP for my Galaxy web-app.

No idea what that is.

> File "lib/galaxy/auth/providers/ldap_ad.py", line 168, in authenticate
>
> whoami = l.whoami_s()
>
> File "/home/galaxy/galaxy/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 641, in whoami_s
>
> return self._ldap_call(self._l.whoami_s,serverctrls,clientctrls)
>
> File "/home/galaxy/galaxy/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
>
> result = func(*args,**kwargs)
>
> PROTOCOL_ERROR: {'info': 'Unrecognized extended operation', 'desc': 'Protocol error'}

The application invokes LDAPObject.whoami_s() but this particular LDAP server
(which one?) does not know the Who Am I? extended operation (defined in RFC 4532).

Ciao, Michael.

From dwmaillist at gmail.com Thu Jun 30 15:50:32 2016
From: dwmaillist at gmail.com (Daniel Watrous)
Date: Thu, 30 Jun 2016 13:50:32 -0600
Subject: [python-ldap] Python LDAP TLS error when ldap.OPT_X_TLS_REQUIRE_CERT set to ldap.OPT_X_TLS_NEVER
Message-ID:

I'm getting a TLS error even after setting ldap.OPT_X_TLS_REQUIRE_CERT set
to ldap.OPT_X_TLS_NEVER

How can I tell python-ldap to not check certificates? I've posted this
question to stackoverflow too.

http://stackoverflow.com/questions/38130767/python-ldap-tls-error-when-ldap-opt-x-tls-require-cert-set-to-ldap-opt-x-tls-nev

Thanks,
Daniel

From dwmaillist at gmail.com Thu Jun 30 16:10:17 2016
From: dwmaillist at gmail.com (Daniel Watrous)
Date: Thu, 30 Jun 2016 14:10:17 -0600
Subject: [python-ldap] Python LDAP TLS error when ldap.OPT_X_TLS_REQUIRE_CERT set to ldap.OPT_X_TLS_NEVER
In-Reply-To: <57757B35.9020501@stroeder.com>
References: <57757B35.9020501@stroeder.com>
Message-ID:

Michael,

Since you're avoiding stackoverflow, you didn't see that I already did
exactly what you suggest, but it's not working, hence my question. I
figured I must be missing something.

Copying over from stackoverflow for this list

When using python-ldap I am setting ldap.OPT_X_TLS_REQUIRE_CERT set to
ldap.OPT_X_TLS_NEVER, but I still get a TLS error. I've tried
ldap.set_option and the version you see below. Both produce the same error.

    # Python 2, as posted; imports added so the class is complete.
    import os
    import string

    import ldap

    class adldap_connection:
        def __init__(self, configuration, secure):
            self.configuration = configuration
            self.secure = secure
            self.ldap_host_template = string.Template(self.configuration['host'])
            if self.secure:
                self.ldap_host = self.ldap_host_template.substitute(port=self.configuration['secure_port'])
            else:
                self.ldap_host = self.ldap_host_template.substitute(port=self.configuration['standard_port'])

        def __enter__(self):
            try:
                self.ld = ldap.initialize(self.ldap_host)
                if self.configuration['verify_ssl']['verify']:
                    self.ld.set_option(ldap.OPT_X_TLS_CACERTFILE, self.configuration['verify_ssl']['use'])
                    print "ldap.OPT_X_TLS_CACERTFILE = %d" % ldap.OPT_X_TLS_CACERTFILE
                else:
                    self.ld.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
                    print "ldap.OPT_X_TLS_REQUIRE_CERT = %d" % ldap.OPT_X_TLS_REQUIRE_CERT
                    print "ldap.OPT_X_TLS_NEVER = %d" % ldap.OPT_X_TLS_NEVER
                #ldap.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
                self.ld.simple_bind_s(self.configuration['binduser'], self.configuration['bindpassword'])
            except ldap.LDAPError, error_message:
                print "Couldn't Connect. %s " % error_message
                print "Using CA: %s" % self.configuration['verify_ssl']['use']
                if (self.configuration['verify_ssl']['use']):
                    print "File exists: %s" % os.path.exists(self.configuration['verify_ssl']['use'])
            return self.ld

        def __exit__(self, exc_type, exc_value, traceback):
            self.ld.unbind_s()

I get this exception

    ldap.OPT_X_TLS_REQUIRE_CERT = 24582
    ldap.OPT_X_TLS_NEVER = 0
    Couldn't Connect. {'info': "TLS error -8179:Peer's Certificate issuer is not recognized.", 'desc': "Can't contact LDAP server"}

On Thu, Jun 30, 2016 at 2:04 PM, Michael Ströder wrote:

> Daniel Watrous wrote:
> > I'm getting a TLS error even after setting ldap.OPT_X_TLS_REQUIRE_CERT set
> > to ldap.OPT_X_TLS_NEVER
>
> You should always verify the server's cert. Otherwise the connection can be
> hijacked with an active MITM attack.
>
> TLS options are set via LDAPObject.set_option() or globally via
> ldap.set_option().
>
> https://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.set_option
>
> https://www.python-ldap.org/doc/html/ldap.html#ldap.set_option
>
> See Demo/initialize.py in the source tar.gz.
>
> > How can I tell python-ldap to not check certificates? I've posted this
> > question to stackoverflow too.
>
> I'm deliberately ignoring stackoverflow...
>
> Ciao, Michael.
>

From michael at stroeder.com Thu Jun 30 16:04:05 2016
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 30 Jun 2016 22:04:05 +0200
Subject: [python-ldap] Python LDAP TLS error when ldap.OPT_X_TLS_REQUIRE_CERT set to ldap.OPT_X_TLS_NEVER
In-Reply-To:
References:
Message-ID: <57757B35.9020501@stroeder.com>

Daniel Watrous wrote:
> I'm getting a TLS error even after setting ldap.OPT_X_TLS_REQUIRE_CERT set
> to ldap.OPT_X_TLS_NEVER

You should always verify the server's cert. Otherwise the connection can be
hijacked with an active MITM attack.

TLS options are set via LDAPObject.set_option() or globally via
ldap.set_option().

https://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.set_option

https://www.python-ldap.org/doc/html/ldap.html#ldap.set_option

See Demo/initialize.py in the source tar.gz.

> How can I tell python-ldap to not check certificates? I've posted this
> question to stackoverflow too.

I'm deliberately ignoring stackoverflow...

Ciao, Michael.

From jdennis at redhat.com Thu Jun 30 17:06:26 2016
From: jdennis at redhat.com (John Dennis)
Date: Thu, 30 Jun 2016 17:06:26 -0400
Subject: [python-ldap] Python LDAP TLS error when ldap.OPT_X_TLS_REQUIRE_CERT set to ldap.OPT_X_TLS_NEVER
In-Reply-To:
References: <57757B35.9020501@stroeder.com>
Message-ID:

On 06/30/2016 04:10 PM, Daniel Watrous wrote:
> Michael,
>
> Since you're avoiding stackoverflow, you didn't see that I already did
> exactly what you suggest, but it's not working, hence my question. I
> figured I must be missing something.
>
> Copying over from stackoverflow for this list
>
> When using python-ldap I am setting ldap.OPT_X_TLS_REQUIRE_CERT set to
> ldap.OPT_X_TLS_NEVER, but I still get a TLS error. I've tried
> ldap.set_option and the version you see below. Both produce the same error.

Requiring a client cert and validating a server cert are two different
things.

-- 
John

From michael at stroeder.com Thu Jun 30 17:42:25 2016
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 30 Jun 2016 23:42:25 +0200
Subject: [python-ldap] Python LDAP TLS error when ldap.OPT_X_TLS_REQUIRE_CERT set to ldap.OPT_X_TLS_NEVER
In-Reply-To:
References: <57757B35.9020501@stroeder.com>
Message-ID: <57759241.80804@stroeder.com>

Daniel Watrous wrote:
>             self.ld.set_option(ldap.OPT_X_TLS_CACERTFILE, self.configuration['verify_ssl']['use'])
>             print "ldap.OPT_X_TLS_CACERTFILE = %d" % ldap.OPT_X_TLS_CACERTFILE
>         else:
>             self.ld.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
>             print "ldap.OPT_X_TLS_REQUIRE_CERT = %d" % ldap.OPT_X_TLS_REQUIRE_CERT
>             print "ldap.OPT_X_TLS_NEVER = %d" % ldap.OPT_X_TLS_NEVER
>         #ldap.set_option(ldap.OPT_X_TLS_NEWCTX, 0)

If you want to set connection-specific TLS parameters you must use

    self.ld.set_option(ldap.OPT_X_TLS_NEWCTX, 0)

as last call to setoption() with TLS parameter.

Ciao, Michael.
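
An added example, not code from the thread or from python-ldap itself: the two points made in the last replies (verify the server certificate; make OPT_X_TLS_NEWCTX the last TLS option set on the connection) written as an ordered option plan with an audit step. The function names and POSTED_PLAN are hypothetical; the OPT_X_TLS_* names are python-ldap constants, resolved by name the same way the Galaxy log above resolves OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW.

```python
"""Per-connection TLS options for python-ldap: verify the server, NEWCTX last."""

# REQUIRE_CERT values under which a bad server certificate is still accepted.
WEAK_REQUIRE_CERT = {"OPT_X_TLS_NEVER", "OPT_X_TLS_ALLOW"}


def verified_tls_plan(ca_file):
    """Ordered (option name, value) pairs for a connection that checks the server cert."""
    return [
        ("OPT_X_TLS_CACERTFILE", ca_file),
        ("OPT_X_TLS_REQUIRE_CERT", "OPT_X_TLS_DEMAND"),
        ("OPT_X_TLS_NEWCTX", 0),  # has to follow every other TLS option
    ]


def audit_plan(plan):
    """Return a list of findings for an ordered TLS option plan (empty list = ok)."""
    findings = []
    tls_names = [name for name, _ in plan if name.startswith("OPT_X_TLS_")]
    if "OPT_X_TLS_NEWCTX" not in tls_names:
        findings.append("OPT_X_TLS_NEWCTX is missing: connection-specific "
                        "TLS options need it as the last call")
    elif tls_names[-1] != "OPT_X_TLS_NEWCTX":
        findings.append("OPT_X_TLS_NEWCTX is not the last TLS option")
    for name, value in plan:
        if name == "OPT_X_TLS_REQUIRE_CERT" and value in WEAK_REQUIRE_CERT:
            findings.append("server certificate is not verified (%s)" % value)
    return findings


def apply_plan(conn, plan, consts):
    """Audit the plan, then set each option on conn in order.

    consts is whatever object carries the OPT_X_TLS_* constants,
    normally the ldap module itself.
    """
    problems = audit_plan(plan)
    if problems:
        raise ValueError("; ".join(problems))
    for name, value in plan:
        if isinstance(value, str) and value.startswith("OPT_X_TLS_"):
            value = getattr(consts, value)
        conn.set_option(getattr(consts, name), value)


def connect(uri, ca_file):
    """Open a connection with verification enabled (needs python-ldap installed)."""
    import ldap  # imported here so the audit helpers run without python-ldap

    conn = ldap.initialize(uri)
    apply_plan(conn, verified_tls_plan(ca_file), ldap)
    return conn


# Constructed for illustration: the option sequence of the posted class
# when its 'verify' setting is false.
POSTED_PLAN = [("OPT_X_TLS_REQUIRE_CERT", "OPT_X_TLS_NEVER")]
```

audit_plan(POSTED_PLAN) reports both the missing OPT_X_TLS_NEWCTX and the disabled verification, and apply_plan() refuses to apply such a plan.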