Global parameters in python ldap
I played around with python ldap in the console and got results that I cannot explain. Hopefully someone can clarify this for me.
open a new python console
import ldap
certfile = '~/ad-server.test.loc.pem'
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, certfile)
who = 'CN=Administrator,CN=Users,dc=test,dc=loc'
passwd = 'passwd'
sslserver = 'ldaps://ad-server.test.loc:636'
#let say I would like to disable certificate verification for the next connection
ldap.set_option(ldap.OPT_X_TLS_REQUIRECERT, ldap.OPT_X_TLS_ALLOW)
conn = ldap.initialize(server)
conn.simple_bind_s(who, passwd)
(97, [])
#connected successfully
#Now I want to enable certificate verification and try to connect again (this time I should
#fail because I use sef-signed certificate)
#Unbind connection
conn.unbind()
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
conn = ldap.initialize(server)
#Trying to connect
conn.simple_bind_s(who, passwd)
(97, [])
# it is also connected succesfully. Why?
Here is the question, I have enabled certificate validation so that it fails the connection attempt, but it connects successfully (I used a self-signed certificate, so the connection attempt should fail)?
Another example. Do the same, but in a different order.
open a new python console
import ldap
certfile = '~/ad-server.test.loc.pem'
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, certfile)
who = 'CN=Administrator,CN=Users,dc=test,dc=loc'
passwd = 'passwd'
sslserver = 'ldaps://ad-server.test.loc:636'
#Trying to connect using selfsigned certificate
ldap.set_option(ldap.OPT_X_TLS_REQUIRECERT, ldap.OPT_X_TLS_DEMAND)
conn = ldap.initialize(server)
conn.simple_bind_s(who, passwd)
Traceback bla bla bla
ldap.SERVER_DOWN: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
#Ok, let disable verefication and try again
conn.unbind()
ldap.set_option(ldap.OPT_X_TLS_REQUIRECERT, ldap.OPT_X_TLS_ALLOW)
conn = ldap.initialize(server)
conn.simple_bind_s(who, passwd)
Traceback bla bla bla
ldap.SERVER_DOWN: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
# Even if I disabled verefication connection failed. Why? I expected a positive result.
Can someone explain this?
source to share
We just ran into a similar problem. Basically, all TLS parameters are set globally by default and are stored in the context object used by GNUTLS. When a connection is first created, that becomes a TLS context that will be used by all subsequent connections in this process.
To change this behavior, the most recent T20-related TLS call must be:
connection.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
This is actually done in one of the python-ldap daemons .
source to share