Certificate checking on LDAP over SSL connection
Michael Ströder
michael at stroeder.com
Tue Dec 9 20:15:10 CET 2008
Alberto Lopes wrote:
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/path/to/my/CAcert')
> l = ldap.initialize('ldaps://<server>:<port>',trace_level=ldapmodule_trace_level,trace_file=ldapmodule_trace_file)
>
> l.protocol_version=ldap.VERSION3
> l.bind_s('','',ldap.AUTH_SIMPLE)
>
> Here, I got the following message:
> ldap.SERVER_DOWN: {'info': 'TLS: unable to get CN from peer
> certificate', 'desc' : "Can't contact LDAP server"}
This is rather an OpenSSL issue maybe depending on the OpenSSL version
used to build OpenLDAP libs. I'd test that with
openssl s_client first:
openssl s_client -connect <server>:<port> -CAfile /path/to/my/CAcert
> Point is, the LDAP server certificate doesn't have the "Subject" field;
> instead, it uses the "Subject Alternate Name" field in the V3 Extensions.
Well, a cert MUST have a subject DN. It might be the case that it does
not have a CN attribute. IMHO it should.
Ciao, Michael.
More information about the python-ldap
mailing list