
LDAP_OPT_X_TLS_NEWCTX

HI!

How is LDAP_OPT_X_TLS_NEWCTX set to LDAP_OPT_ON supposed to work?
I've added support for it in python-ldap to set connection-specific values for
 LDAP_OPT_X_TLS_REQUIRE_CERT and LDAP_OPT_X_TLS_CACERTFILE.

Note: In python-ldap LDAP options can be set globally by invoking
ldap.set_option() or connection-specific with LDAPObject.set_option(), which
both use ldap_set_option() in libldap or libldap_r. A libldap constant
LDAP_OPT_FOO is mapped to a python-ldap constant ldap.OPT_FOO.

Python code for testing looks like this:

---------------------------- snip ----------------------------
import ldap

# Path of the CA cert file (placeholder, replace with the real file)
CACERTFILE = '/path/to/cacerts.pem'

# Create LDAPObject instance
l = ldap.initialize('ldap://localhost:1390')

# Set LDAP protocol version used
l.protocol_version = ldap.VERSION3
# Force libldap to create a new SSL context
l.set_option(ldap.OPT_X_TLS_NEWCTX, ldap.OPT_ON)
# Force cert validation
l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
# Set path name of file containing all trusted CA certificates
l.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERTFILE)

# Now try StartTLS extended operation
l.start_tls_s()

# Try a bind to provoke failure if protocol version is not supported
l.simple_bind_s('', '')

# Close connection
l.unbind_s()
---------------------------- snip ----------------------------

But this does not work. The CA cert file is not taken into account for
validating the server cert. Setting it globally with
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,CACERTFILE) works.

Ciao, Michael.
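Added example (not part of Michael's post, nor python-ldap's own code): the python-ldap and libldap documentation describe OPT_X_TLS_NEWCTX as the option that actually builds the per-connection TLS context from the OPT_X_TLS_* values set so far, so it has to be applied last, with value 0, after REQUIRE_CERT and CACERTFILE. The code below encodes that ordering, checks it against the order used in the posted snippet, and falls back to the numeric LDAP_OPT_X_TLS_* values from OpenLDAP's ldap.h when python-ldap is not installed, so the ordering logic runs stand-alone. The RecordingConn class, the helper names and the CA file path are assumptions made for the example; starttls_with_validation() is the only part that needs a real server.

```python
"""Per-connection TLS settings with python-ldap, applied in the order
libldap needs: validation policy and trust anchors first, NEWCTX last.
Assumption from the python-ldap/libldap docs: setting OPT_X_TLS_NEWCTX
(value 0) builds the new context from the values set so far; setting it
first, as in the posted snippet, builds a context that never sees the
CA file, so the server cert is not validated against it."""
try:
    import ldap
    OPT_X_TLS_CACERTFILE = ldap.OPT_X_TLS_CACERTFILE
    OPT_X_TLS_REQUIRE_CERT = ldap.OPT_X_TLS_REQUIRE_CERT
    OPT_X_TLS_NEWCTX = ldap.OPT_X_TLS_NEWCTX
    OPT_X_TLS_DEMAND = ldap.OPT_X_TLS_DEMAND
except ImportError:
    # Fallback so the ordering logic runs without python-ldap installed:
    # numeric values of LDAP_OPT_X_TLS_* from OpenLDAP's ldap.h.
    ldap = None
    OPT_X_TLS_CACERTFILE = 0x6002
    OPT_X_TLS_REQUIRE_CERT = 0x6006
    OPT_X_TLS_NEWCTX = 0x600F
    OPT_X_TLS_DEMAND = 2


def tls_option_sequence(cacertfile):
    """(option, value) pairs in the order they must be applied."""
    return [
        (OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_DEMAND),  # fail hard on a bad/unknown cert
        (OPT_X_TLS_CACERTFILE, cacertfile),          # trust anchors for validation
        (OPT_X_TLS_NEWCTX, 0),                       # now build the context from the above
    ]


def apply_tls_options(conn, cacertfile):
    """Apply the per-connection TLS options to an LDAPObject-like `conn`.
    Returns the list of option ids in the order they were set."""
    applied = []
    for opt, val in tls_option_sequence(cacertfile):
        conn.set_option(opt, val)
        applied.append(opt)
    return applied


def context_sees_cacert(applied):
    """True iff NEWCTX was set after CACERTFILE, i.e. the context that
    libldap builds includes the CA file."""
    if OPT_X_TLS_NEWCTX not in applied or OPT_X_TLS_CACERTFILE not in applied:
        return False
    return applied.index(OPT_X_TLS_NEWCTX) > applied.index(OPT_X_TLS_CACERTFILE)


class RecordingConn:
    """Constructed stand-in for ldap.LDAPObject: only records set_option calls."""
    def __init__(self):
        self.calls = []

    def set_option(self, opt, val):
        self.calls.append((opt, val))


def starttls_with_validation(uri, cacertfile):
    """Real connection: StartTLS with the server cert validated against
    `cacertfile` on this connection only (needs python-ldap and a server)."""
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    apply_tls_options(conn, cacertfile)
    conn.start_tls_s()       # raises ldap.CONNECT_ERROR when validation fails
    conn.simple_bind_s('', '')
    conn.unbind_s()


if __name__ == '__main__':
    # Order used in the posted snippet (NEWCTX first) versus the corrected order.
    posted = [OPT_X_TLS_NEWCTX, OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_CACERTFILE]
    print('posted order, CA file used:', context_sees_cacert(posted))
    fixed = apply_tls_options(RecordingConn(), '/path/to/cacerts.pem')  # placeholder path
    print('fixed order, CA file used:', context_sees_cacert(fixed))
```

The global ldap.set_option() call in the post works because it feeds the default context that libldap builds lazily on the first TLS handshake, after all globals are in place; a per-connection context is only built at the moment NEWCTX is set, which is why the order matters there and not globally.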