[LDAP][SSL] configuration issue with SSL

Greetings Team,

I am having an issue with connecting to ldaps with verify_cert: True. I tried with every possible certificate, which is 2 of them, and with no luck.

So I have a question related to this configuration:

_ldap_config = {
    'uri': 'ldaps://{{ indico_ldap_server }}:636',
    'verify_cert': False,
}

If I set verify_cert False, does it mean it will ignore TLS but it will still honour SSL?
I had a look at the code and this is what it seems: if I set verify_cert: False it will set

ldap_connection.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND if settings['verify_cert'] else ldap.OPT_X_TLS_ALLOW)

With false it will not try to verify the cert, meaning it’s encrypted but not resilient against MITM.

Okay, I want to make it verify_cert: True and I have tried with a number of certificates which work for other LDAP clients but not this one. Is there a way to verify which certificate it’s expecting?

Try pointing cert_file to a file containing the CA certificate that signed your LDAP server’s certificate.

I guess you can use openssl s_client (assuming ldaps is just plain TLS on top of LDAP) to connect to your LDAP server and see which certificate it sends…

Is there going to be support for ldap.OPT_X_TLS_CACERTDIR?

If you send a Pull Request for it I won’t be opposed to merging it (for the next flask-multipass version which will be released together with Indico 2.3 since it’s not fully backwards compatible).

However, I don’t see much benefit in it since pretty much any Linux distro generates a single certificate bundle file from the directory containing all the different CA certificates.

You’re absolutely right. It should be a single PEM file and that’s it. I will verify more and see what I get.
Thanks for the support.

Btw I checked with openssl and I got a certificate. I tried to use it but it is still giving me the same error.
MultipassException: The LDAP server is unreachable

Unfortunately python-ldap is incredibly bad at reporting useful errors (“server is unreachable” for certificate issues is already a major WTF), so good luck debugging this :confused:

The easiest way to go at it is probably with a small snippet in an ipython shell just trying to connect with the various options…
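A probe along the lines of the snippet suggested above, added here as an example (not Indico’s or flask-multipass’s own code): it assumes python-ldap is installed, and the URI, CA bundle path and bind DN are placeholders to fill in. Besides DEMAND plus a CA file it sets OPT_X_TLS_NEWCTX (per-connection TLS options are otherwise ignored) and pulls the OpenSSL reason out of SERVER_DOWN, so a certificate failure is no longer reported as merely “unreachable”.

```python
"""Probe an LDAPS server and surface the real TLS error (added example).

Assumes python-ldap is installed. URI, CA path and bind DN are placeholders.
"""
try:
    import ldap  # python-ldap; guarded so the pure helper below works without it
except ImportError:
    ldap = None

# Fragments OpenLDAP/OpenSSL put into SERVER_DOWN's 'info' when the failure is
# the certificate rather than the network (observed wording, not exhaustive).
_TLS_MARKERS = ("certificate verify failed", "ssl routines", "tls")


def classify_server_down(err_args):
    """Map python-ldap's SERVER_DOWN payload (exc.args[0]) to (category, detail).

    The payload is a dict with 'desc' and, for TLS failures, an 'info' string
    carrying the OpenSSL reason. Returns ("tls", reason) or ("network", detail).
    """
    if not isinstance(err_args, dict):
        return "network", str(err_args)
    desc = err_args.get("desc", "")
    info = err_args.get("info") or ""
    if any(marker in info.lower() for marker in _TLS_MARKERS):
        return "tls", info
    return "network", info or desc


def probe(uri, cafile, verify=True, bind_dn="", password=""):
    """Bind once with the given CA file; return ("ok", msg) or the failure class."""
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cafile)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,
                    ldap.OPT_X_TLS_DEMAND if verify else ldap.OPT_X_TLS_ALLOW)
    # Per-connection TLS options are ignored unless a fresh TLS context is built.
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    try:
        conn.simple_bind_s(bind_dn, password)
    except ldap.SERVER_DOWN as exc:
        return classify_server_down(exc.args[0])
    except ldap.INVALID_CREDENTIALS:
        return "ok", "TLS handshake and chain validation succeeded; bind rejected"
    conn.unbind_s()
    return "ok", "TLS handshake, chain validation and bind succeeded"


if __name__ == "__main__":
    # Placeholders: replace with your server, CA bundle and service account.
    print(probe("ldaps://ldap.example.org:636", "/etc/ssl/certs/ca-certificates.crt"))
```

Run it once with verify=True and once with verify=False: if only the second succeeds, the bundle you passed does not contain the issuer of the certificate openssl s_client showed you.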