Global parameters in python ldap

I played around with python ldap in the console and got results that I cannot explain. Hopefully someone can clarify this for me.

Open a new Python console:

import os
import ldap

# expand '~' ourselves: libldap does not do shell expansion on the path
certfile = os.path.expanduser('~/ad-server.test.loc.pem')
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, certfile)

who = 'CN=Administrator,CN=Users,dc=test,dc=loc'
passwd = 'passwd'
sslserver = 'ldaps://ad-server.test.loc:636'

# let's say I would like to disable certificate verification for the next connection
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
conn = ldap.initialize(sslserver)
conn.simple_bind_s(who, passwd)

(97, [])

# connected successfully

# Now I want to enable certificate verification and try to connect again (this time I should
# fail because I use a self-signed certificate)

# Unbind the connection
conn.unbind()
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
conn = ldap.initialize(sslserver)

# Trying to connect
conn.simple_bind_s(who, passwd)

(97, [])

# it is also connected successfully. Why?


Here is the question: I enabled certificate validation so that the connection attempt would fail, but it connects successfully. (I used a self-signed certificate, so the connection attempt should fail.)

Another example. Do the same, but in a different order.

Open a new Python console:

import os
import ldap

certfile = os.path.expanduser('~/ad-server.test.loc.pem')
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, certfile)
who = 'CN=Administrator,CN=Users,dc=test,dc=loc'
passwd = 'passwd'
sslserver = 'ldaps://ad-server.test.loc:636'

# Trying to connect using a self-signed certificate
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
conn = ldap.initialize(sslserver)
conn.simple_bind_s(who, passwd)
Traceback bla bla bla
ldap.SERVER_DOWN: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}

# Ok, let's disable verification and try again
conn.unbind()
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
conn = ldap.initialize(sslserver)
conn.simple_bind_s(who, passwd)
Traceback bla bla bla
ldap.SERVER_DOWN: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}

# Even though I disabled verification, the connection failed. Why? I expected a positive result.


Can someone explain this?


1 answer


We just ran into a similar problem. Basically, all TLS parameters are set globally by default and are stored in the context object used by GNUTLS. When a connection is first created, that becomes the TLS context that will be used by all subsequent connections in this process.

To change this behavior, the last TLS-related call must be:

connection.set_option(ldap.OPT_X_TLS_NEWCTX, 0)

This is actually done in one of the python-ldap demos.

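A worked example, added here and not part of the question or the answer (the host, certificate path and credentials are the hypothetical ones from the question): it sets the CA file and verification policy on the connection object itself and finishes with OPT_X_TLS_NEWCTX, so each connection gets its own TLS context. That is what stops an earlier OPT_X_TLS_ALLOW from silently leaving certificate verification off for every later connection in the same process, which is the risk the first console session above demonstrates.

```python
import os

try:
    import ldap
except ImportError:  # python-ldap missing: only tls_option_plan() works without it
    ldap = None

# python-ldap constant names for the three verification policies discussed above.
REQUIRE_CERT_MODES = {
    "demand": "OPT_X_TLS_DEMAND",  # fail the connection if the cert does not verify
    "allow": "OPT_X_TLS_ALLOW",    # request a cert but proceed even if it fails to verify
    "never": "OPT_X_TLS_NEVER",    # do not request a server cert at all
}


def tls_option_plan(cacertfile, mode="demand"):
    """Ordered (option name, value) pairs to set on ONE connection object.

    OPT_X_TLS_NEWCTX must be the last TLS option set: it makes libldap build a
    fresh TLS context from the options set before it, instead of reusing the
    process-wide context created by the first connection.
    """
    if mode not in REQUIRE_CERT_MODES:
        raise ValueError("unknown require-cert mode: %r" % (mode,))
    return [
        ("OPT_X_TLS_CACERTFILE", os.path.expanduser(cacertfile)),  # libldap does not expand '~'
        ("OPT_X_TLS_REQUIRE_CERT", REQUIRE_CERT_MODES[mode]),
        ("OPT_X_TLS_NEWCTX", 0),
    ]


def initialize_with_tls(uri, cacertfile, mode="demand"):
    """Create an LDAPObject whose TLS settings do not leak into other connections."""
    conn = ldap.initialize(uri)
    for name, value in tls_option_plan(cacertfile, mode):
        if name == "OPT_X_TLS_REQUIRE_CERT":
            value = getattr(ldap, value)  # resolve the constant name to its value
        conn.set_option(getattr(ldap, name), value)
    return conn


if __name__ == "__main__":
    # Hypothetical host and credentials from the question; needs a reachable server.
    who, passwd = "CN=Administrator,CN=Users,dc=test,dc=loc", "passwd"
    lax = initialize_with_tls("ldaps://ad-server.test.loc:636", "~/ad-server.test.loc.pem", "allow")
    print(lax.simple_bind_s(who, passwd))  # binds even if the cert does not verify
    lax.unbind()
    strict = initialize_with_tls("ldaps://ad-server.test.loc:636", "~/ad-server.test.loc.pem")
    strict.simple_bind_s(who, passwd)  # raises ldap.SERVER_DOWN if the cert does not verify
```

Because the policy is attached to each connection rather than to the process, the order in which the two connections are created no longer matters, unlike in both console sessions above.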
