From daniel at corbe.net Wed Feb 19 16:24:12 2020
From: daniel at corbe.net (Daniel Corbe)
Date: Wed, 19 Feb 2020 16:24:12 -0500
Subject: [python-ldap] LDAPS with self-signed certificates
Message-ID:

Hi,

I'm trying to connect python-ldap to an LDAP server with a self-signed
SSL certificate and I'm getting the following error. How do I tell
python-ldap to either ignore or accept a self-signed certificate?

Traceback (most recent call last):
  File "", line 1, in
  File "/Users/dcorbe/Library/Python/3.7/lib/python/site-packages/ldap/ldapobject.py", line 445, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
  File "/Users/dcorbe/Library/Python/3.7/lib/python/site-packages/ldap/ldapobject.py", line 439, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
  File "/Users/dcorbe/Library/Python/3.7/lib/python/site-packages/ldap/ldapobject.py", line 331, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/Users/dcorbe/Library/Python/3.7/lib/python/site-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/Users/dcorbe/Library/Python/3.7/lib/python/site-packages/ldap/ldapobject.py", line 315, in _ldap_call
    result = func(*args,**kwargs)
ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server", 'errno': 2, 'info': 'SSLHandshake() failed: misc. bad certificate (-9825)'}

From daniel at corbe.net Thu Feb 20 06:00:23 2020
From: daniel at corbe.net (Daniel Corbe)
Date: Thu, 20 Feb 2020 06:00:23 -0500
Subject: [python-ldap] LDAPS with self-signed certificates
In-Reply-To:
References:
Message-ID:

You're incorrect. The LDAP server is available and listening on port
636; further, I can bind to it perfectly fine from the command line.
I've also tested python-ldap against it on port 389.

The error message is due to LDAPS presenting an invalid certificate to
the client, as indicated by this part of the error message:

'info': 'SSLHandshake() failed: misc. bad certificate (-9825)'}

On Thu, Feb 20, 2020 at 5:55 AM muzzol wrote:
>
> that message got nothing to do with SSL, server is just down.
>
> have you checked IP and port? can you do a simple ldapsearch to that server?
>
> mussol
>
> Message from Daniel Corbe on Thu, 20 Feb 2020 at 11:03:
> >
> > Hi,
> >
> > I'm trying to connect python-ldap to an LDAP server with a self-signed
> > SSL certificate and I'm getting the following error. How do I tell
> > python-ldap to either ignore or accept a self-signed certificate?
> >
> > Traceback (most recent call last):
> >   File "", line 1, in
> >   File "/Users/dcorbe/Library/Python/3.7/lib/python/site-packages/ldap/ldapobject.py",
> > line 445, in simple_bind_s
> >     msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
> >   File "/Users/dcorbe/Library/Python/3.7/lib/python/site-packages/ldap/ldapobject.py",
> > line 439, in simple_bind
> >     return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
> >   File "/Users/dcorbe/Library/Python/3.7/lib/python/site-packages/ldap/ldapobject.py",
> > line 331, in _ldap_call
> >     reraise(exc_type, exc_value, exc_traceback)
> >   File "/Users/dcorbe/Library/Python/3.7/lib/python/site-packages/ldap/compat.py",
> > line 44, in reraise
> >     raise exc_value
> >   File "/Users/dcorbe/Library/Python/3.7/lib/python/site-packages/ldap/ldapobject.py",
> > line 315, in _ldap_call
> >     result = func(*args,**kwargs)
> > ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server", 'errno': 2,
> > 'info': 'SSLHandshake() failed: misc. bad certificate (-9825)'}
> > _______________________________________________
> > python-ldap mailing list
> > python-ldap at python.org
> > https://mail.python.org/mailman/listinfo/python-ldap
>
>
>
> --
> ========================
> ^ ^
> O O
> (_ _)
> muzzol(a)muzzol.com
> ========================
> Don't attribute human qualities to computers.
> They don't like it.
> ========================
> "The Spanish government only talks to terrorists, homosexuals and
> Catalans; let's see when it decides to talk to normal people"
> Jiménez Losantos
> ========================

From dave at krondo.com Sat Feb 22 12:21:01 2020
From: dave at krondo.com (Dave Peticolas)
Date: Sat, 22 Feb 2020 09:21:01 -0800
Subject: [python-ldap] LDAPS with self-signed certificates
In-Reply-To:
References:
Message-ID:

I think you want to use one of the TLS options:

https://www.python-ldap.org/en/latest/reference/ldap.html#tls-options

You could either turn off verification (insecure) or pass the location to
the certificate you expect to validate against.

On Thu, Feb 20, 2020 at 2:03 AM Daniel Corbe wrote:
>
> Hi,
>
> I'm trying to connect python-ldap to an LDAP server with a self-signed
> SSL certificate and I'm getting the following error. How do I tell
> python-ldap to either ignore or accept a self-signed certificate?
>
> Traceback (most recent call last):
>   File "", line 1, in
>   File "/Users/dcorbe/Library/Python/3.7/lib/python/site-packages/ldap/ldapobject.py",
> line 445, in simple_bind_s
>     msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
>   File "/Users/dcorbe/Library/Python/3.7/lib/python/site-packages/ldap/ldapobject.py",
> line 439, in simple_bind
>     return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
>   File "/Users/dcorbe/Library/Python/3.7/lib/python/site-packages/ldap/ldapobject.py",
> line 331, in _ldap_call
>     reraise(exc_type, exc_value, exc_traceback)
>   File "/Users/dcorbe/Library/Python/3.7/lib/python/site-packages/ldap/compat.py",
> line 44, in reraise
>     raise exc_value
>   File "/Users/dcorbe/Library/Python/3.7/lib/python/site-packages/ldap/ldapobject.py",
> line 315, in _ldap_call
>     result = func(*args,**kwargs)
> ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server", 'errno': 2,
> 'info': 'SSLHandshake() failed: misc. bad certificate (-9825)'}

--
--Dave Peticolas
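
Added example (not part of the thread and not python-ldap project code): the two TLS-option choices described in the last reply, with the certificate-pinning path as the default, plus a check that separates a TLS failure from an unreachable server when ldap.SERVER_DOWN is raised. It assumes python-ldap is built against a libldap that honours these options; the helper names apply_tls_options, tls_failure and bind_ldaps are hypothetical.

```python
import os

def apply_tls_options(conn, ldap_mod, ca_file=None, insecure=False):
    """Set TLS options on one connection; ldap_mod is the imported `ldap` module."""
    if insecure:
        # Turns off server authentication entirely: throwaway test setups only.
        conn.set_option(ldap_mod.OPT_X_TLS_REQUIRE_CERT, ldap_mod.OPT_X_TLS_NEVER)
    else:
        if not ca_file or not os.path.isfile(ca_file):
            # Fail early instead of getting an opaque handshake error later.
            raise FileNotFoundError("certificate file not found: %r" % (ca_file,))
        # Trust the PEM file holding the self-signed certificate (or its CA)
        # and keep verification mandatory.
        conn.set_option(ldap_mod.OPT_X_TLS_CACERTFILE, ca_file)
        conn.set_option(ldap_mod.OPT_X_TLS_REQUIRE_CERT, ldap_mod.OPT_X_TLS_DEMAND)
    # Must be the last TLS option: tells libldap to build a new TLS context
    # so that the settings above are actually applied.
    conn.set_option(ldap_mod.OPT_X_TLS_NEWCTX, 0)

def tls_failure(exc):
    """Heuristic: does a SERVER_DOWN-style exception report a TLS problem?"""
    detail = exc.args[0] if exc.args and isinstance(exc.args[0], dict) else {}
    info = str(detail.get("info", "")).lower()
    return any(word in info for word in ("certificate", "ssl", "tls"))

def bind_ldaps(uri, bind_dn, password, ca_file):
    """Bind over ldaps:// while trusting only the certificate(s) in ca_file."""
    import ldap  # python-ldap; imported here so the helpers above run without it
    conn = ldap.initialize(uri)
    apply_tls_options(conn, ldap, ca_file=ca_file)
    try:
        conn.simple_bind_s(bind_dn, password)
    except ldap.SERVER_DOWN as exc:
        if tls_failure(exc):
            # Same exception class as "server unreachable", different cause.
            raise RuntimeError("TLS handshake failed: %s"
                               % exc.args[0].get("info")) from exc
        raise
    return conn
```
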