LDAP_OPT_X_TLS_NEWCTX
HI!
How is LDAP_OPT_X_TLS_NEWCTX set to LDAP_OPT_ON supposed to work?
I've added support for it in python-ldap to set connection-specific values for
LDAP_OPT_X_TLS_REQUIRE_CERT and LDAP_OPT_X_TLS_CACERTFILE.
Note: In python-ldap LDAP options can be set globally by invoking
ldap.set_option() or connection-specific with LDAPObject.set_option(), which
both use ldap_set_option() in libldap or libldap_r. A libldap constant
LDAP_OPT_FOO is mapped to a python-ldap constant ldap.OPT_FOO.
Python code for testing looks like this:
---------------------------- snip ----------------------------
import ldap

# Placeholder: path of the file containing all trusted CA certificates
CACERTFILE = '/path/to/cacerts.pem'

# Create LDAPObject instance
l = ldap.initialize('ldap://localhost:1390')
# Set LDAP protocol version used
l.protocol_version = ldap.VERSION3
# Force libldap to create a new SSL context
l.set_option(ldap.OPT_X_TLS_NEWCTX, ldap.OPT_ON)
# Force cert validation
l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
# Set path name of file containing all trusted CA certificates
l.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERTFILE)
# Now try StartTLS extended operation
l.start_tls_s()
# Try a bind to provoke failure if protocol version is not supported
l.simple_bind_s('', '')
# Close connection
l.unbind_s()
---------------------------- snip ----------------------------
But this does not work. The CA cert file is not taken into account for
validating the server cert. Setting it globally with
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,CACERTFILE) works.
Ciao, Michael.
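The following is an added example, not code from the post above or from python-ldap itself. It assumes the behaviour documented for LDAP_OPT_X_TLS_NEWCTX in both OpenLDAP and python-ldap: setting it builds a fresh TLS context from the TLS options already set on the connection, so it has to be the last TLS option applied (the snippet above sets it first). The helper applies the three options in that order; RecordingConnection and FAKE_LDAP are constructed stand-ins so the ordering can be checked without python-ldap or an LDAP server, while start_tls_verified shows the same helper on a real connection.

```python
"""Per-connection TLS settings in python-ldap with OPT_X_TLS_NEWCTX applied last."""
from types import SimpleNamespace

# Order matters: NEWCTX reads the options already set when it builds the
# context, so it stays last. Values are resolved on the constants namespace.
TLS_OPTION_ORDER = (
    ("OPT_X_TLS_REQUIRE_CERT", "OPT_X_TLS_DEMAND"),  # fail if the server cert does not validate
    ("OPT_X_TLS_CACERTFILE", None),                  # value is supplied by the caller
    ("OPT_X_TLS_NEWCTX", "OPT_ON"),                  # rebuild the TLS context with the above
)


def apply_tls_options(conn, cacertfile, consts=None):
    """Apply per-connection TLS settings to conn in the required order.

    conn    - object with set_option(option, value), e.g. an ldap.LDAPObject
    consts  - namespace providing the OPT_* constants; defaults to the ldap module
    Returns the (option, value) pairs in the order they were applied.
    """
    if consts is None:
        import ldap as consts  # deferred so the ordering logic runs without python-ldap
    applied = []
    for opt_name, val_name in TLS_OPTION_ORDER:
        option = getattr(consts, opt_name)
        value = cacertfile if val_name is None else getattr(consts, val_name)
        conn.set_option(option, value)
        applied.append((option, value))
    return applied


def start_tls_verified(uri, cacertfile):
    """Open uri and run StartTLS, requiring a server cert that chains to cacertfile."""
    import ldap
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    apply_tls_options(conn, cacertfile)
    conn.start_tls_s()  # raises an ldap.LDAPError subclass when validation fails
    return conn


class RecordingConnection:
    """Constructed stand-in for ldap.LDAPObject that records set_option calls."""

    def __init__(self):
        self.calls = []

    def set_option(self, option, value):
        self.calls.append((option, value))


# Constructed stand-in constants; python-ldap's real values are integers and
# irrelevant here, only the order of the calls is under test.
FAKE_LDAP = SimpleNamespace(
    OPT_X_TLS_REQUIRE_CERT="REQUIRE_CERT",
    OPT_X_TLS_DEMAND="DEMAND",
    OPT_X_TLS_CACERTFILE="CACERTFILE",
    OPT_X_TLS_NEWCTX="NEWCTX",
    OPT_ON="ON",
)


def demo(cacertfile="/etc/ssl/certs/my-ca.pem"):
    """Return the recorded set_option calls for a stand-in connection."""
    conn = RecordingConnection()
    apply_tls_options(conn, cacertfile, consts=FAKE_LDAP)
    return conn.calls


if __name__ == "__main__":
    for option, value in demo():
        print(option, "->", value)
```

With a real python-ldap installation, `start_tls_verified('ldap://localhost:1390', CACERTFILE)` replaces the snippet above; the only functional difference is that OPT_X_TLS_NEWCTX is set after OPT_X_TLS_REQUIRE_CERT and OPT_X_TLS_CACERTFILE instead of before them, so the connection-specific CA file is what the new context validates against.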