start_tls = 2 is ignored with LDAP URIs starting with LDAP://

Michael Ströder michael at stroeder.com
Thu Feb 4 20:42:29 CET 2010 

Andreas,

sorry for my late reply. I'm quite busy at the moment.

Andreas Büsching wrote:
> I've found a strange behaviour of python-ldap when working with TLS encrypted 
> connections. I'm not sure if this is a problem of the python bindings or of 
> libldap or in my head ;-)
> 
> In my first scenario I was trying to set up a TLS encrypted connection with a 
> specific CA certificate that was set in the ldap.conf file (TLS_CACERT).
> 
>>>> import ldap
>>>> l = 
> ldap.ldapobject.SmartLDAPObject(uri='LDAP://qamaster.windom2008.univention.test:389', 
> who='uid=Administrator,cn=users,DC=windom2008,DC=univention,DC=test',cred='univention', 
> start_tls=2, tls_cacertfile='/etc/univention/ssl/ucsCA/CAcert.pem')
>>>> l.started_tls
> 0
> 
> In that case the connection is not encrypted. When I replace LDAP:// with 
> ldap:// in the URI the connection is encrypted.

Well, that's because of the stupid handling in SmartLDAPObject.__init__().
Line 900 should check the lower-cased uri:

    if start_tls>0 and uri[:5].lower()=='ldap:':

Well, SmartLDAPObject is not well tested nor documented and should probably be
removed anyway...

> In the second scenario I've tried to set up a TLS encrypted connection with a 
> CA certificate that was not set in the ldap.conf file.
> 
>>>> l = 
> ldap.ldapobject.SmartLDAPObject(uri='ldap://win-64q6lq48z7a.windom2008.univention.test:389', 
> who='cn=Administrator,cn=users,DC=windom2008,DC=univention,DC=test',cred='univention', 
> start_tls=2, 
> tls_cacertfile='/etc/univention/connector/ad/ad_cert_20091221_153053.pem')
> ...
> ldap.CONNECT_ERROR: {'info': 'error:14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify 
> failed', 'desc': 'Connect error'}

Well, tls_cacertfile is simply not used in SmartLDAPObject.__init__(). The
reason is that OpenLDAP libs 2.3 were not able to set connection-specific SSL
options. It should work with OpenLDAP 2.4 under some circumstances but I never
got it working.

=> please either don't use SmartLDAPObject or contribute fixes for it
Personally I'd vote for removing it.

Ciao, Michael.

More information about the python-ldap mailing list