[Date Prev][Date Next] [Chronological] [Thread] [Top]

LDAP_OPT_X_TLS_NEWCTX

To: openldap-software@OpenLDAP.org
Subject: LDAP_OPT_X_TLS_NEWCTX
From: Michael Ströder <michael@stroeder.com>
Date: Tue, 29 Sep 2009 19:07:51 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.23) Gecko/20090823 SeaMonkey/1.1.18

HI!

How is LDAP_OPT_X_TLS_NEWCTX set to LDAP_OPT_ON supposed to work?
I've added support for it in python-ldap to set connection-specific values for
 LDAP_OPT_X_TLS_REQUIRE_CERT and LDAP_OPT_X_TLS_CACERTFILE.

Note: In python-ldap LDAP options can be set globally by invoking
ldap.set_option() or connection-specific with LDAPObject.set_option() which
both uses ldap_set_option() in libldap or libldap_r. A libldap constant
LDAP_OPT_FOO is mapped to a python-ldap constant ldap.OPT_FOO.

Python-code for testing looks like this:

---------------------------- snip ----------------------------
# Create LDAPObject instance
l = ldap.initialize('ldap://localhost:1390')

# Set LDAP protocol version used
l.protocol_version=ldap.VERSION3
# Force libldap to create a new SSL context
l.set_option(ldap.OPT_X_TLS_NEWCTX,ldap.OPT_ON)
# Force cert validation
l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_DEMAND)
# Set path name of file containing all trusted CA certificates
l.set_option(ldap.OPT_X_TLS_CACERTFILE,CACERTFILE)

# Now try StartTLS extended operation
l.start_tls_s()

# Try a bind to provoke failure if protocol version is not supported
l.simple_bind_s('','')

# Close connection
l.unbind_s()
---------------------------- snip ----------------------------

But this does not work. The CA cert file is not taken into account for
validating the server cert. Setting it globally with
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,CACERTFILE) works.

Ciao, Michael.

Prev by Date: Write, then read & mirror-mode
Next by Date: Re: Write, then read & mirror-mode
Index(es):
- Chronological
- Thread