start_tls = 2 is ignored with LDAP URIs starting with LDAP://
Michael Ströder
michael at stroeder.com
Thu Feb 4 20:42:29 CET 2010
Andreas,
sorry for my late reply. I'm quite busy at the moment.
Andreas Büsching wrote:
> I've found a strange behaviour of python-ldap when working with TLS encrypted
> connections. I'm not sure if this is a problem of the python bindings or of
> libldap or in my head ;-)
>
> In my first scenario I was trying to set up a TLS encrypted connection with a
> specific CA certificate that was set in the ldap.conf file (TLS_CACERT).
>
> >>> import ldap
> >>> l = ldap.ldapobject.SmartLDAPObject(uri='LDAP://qamaster.windom2008.univention.test:389',
> ...     who='uid=Administrator,cn=users,DC=windom2008,DC=univention,DC=test', cred='univention',
> ...     start_tls=2, tls_cacertfile='/etc/univention/ssl/ucsCA/CAcert.pem')
> >>> l.started_tls
> 0
>
> In that case the connection is not encrypted. When I replace LDAP:// with
> ldap:// in the URI the connection is encrypted.
Well, that's because of the stupid handling in SmartLDAPObject.__init__().
Line 900 should check the lower-cased uri:
if start_tls>0 and uri[:5].lower()=='ldap:':
Well, SmartLDAPObject is neither well tested nor documented and should probably be
removed anyway...
> In the second scenario I've tried to set up a TLS encrypted connection with a
> CA certificate that was not set in the ldap.conf file.
>
> >>> l = ldap.ldapobject.SmartLDAPObject(uri='ldap://win-64q6lq48z7a.windom2008.univention.test:389',
> ...     who='cn=Administrator,cn=users,DC=windom2008,DC=univention,DC=test', cred='univention',
> ...     start_tls=2,
> ...     tls_cacertfile='/etc/univention/connector/ad/ad_cert_20091221_153053.pem')
> ...
> ldap.CONNECT_ERROR: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': 'Connect error'}
Well, tls_cacertfile is simply not used in SmartLDAPObject.__init__(). The
reason is that OpenLDAP libs 2.3 were not able to set connection-specific SSL
options. It should work with OpenLDAP 2.4 under some circumstances but I never
got it working.
=> please either don't use SmartLDAPObject or contribute fixes for it
Personally I'd vote for removing it.
Ciao, Michael.
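As an added illustration of the scheme check discussed above (example code written for this page, not python-ldap's own), here is a stdlib-only comparison of the case-sensitive check against the lower-cased one, plus a hypothetical plan_connection() helper that fails closed instead of silently leaving the connection in plaintext when TLS was required. The 0/1/2 meaning of start_tls is an assumption, not something the post states.

```python
from urllib.parse import urlsplit

# Assumed semantics for start_tls (0 = never, 1 = try, 2 = required); not stated in the post.
TLS_NEVER, TLS_TRY, TLS_REQUIRED = 0, 1, 2


def starts_tls_buggy(uri: str, start_tls: int) -> bool:
    """The case-sensitive check described in the post: 'LDAP://...' is not recognised,
    so StartTLS is never attempted and the connection silently stays in plaintext."""
    return start_tls > 0 and uri[:5] == 'ldap:'


def starts_tls_fixed(uri: str, start_tls: int) -> bool:
    """The suggested fix: compare the lower-cased prefix. URI schemes are
    case-insensitive (RFC 3986), so 'LDAP://' and 'ldap://' must be treated alike."""
    return start_tls > 0 and uri[:5].lower() == 'ldap:'


def plan_connection(uri: str, start_tls: int) -> str:
    """Hypothetical helper (not python-ldap's API): decide how the session is protected.
    Returns 'ldaps', 'starttls' or 'plain'; raises when TLS was required but cannot be
    started on this URI, so a misconfiguration never degrades to an unencrypted bind."""
    # urlsplit() normalises the scheme to lower case, so 'LDAP://' parses as 'ldap'.
    scheme = urlsplit(uri).scheme
    if scheme == 'ldaps':
        return 'ldaps'            # TLS from the first byte; StartTLS is not applicable
    if scheme == 'ldap' and start_tls > TLS_NEVER:
        return 'starttls'
    if start_tls == TLS_REQUIRED:
        # ldapi:// (Unix socket) or an unknown scheme: StartTLS is impossible, so refuse.
        raise ValueError(f'TLS required but cannot be started on {uri!r}')
    return 'plain'
```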