Greetings Team,
I am having an issue connecting to ldaps with verify_cert: True. I tried with every possible certificate (there are 2 of them) with no luck.
So I have a question related to this configuration:
_ldap_config = {
    'uri': 'ldaps://{{ indico_ldap_server }}:636',
    'verify_cert': False,
}
If I set verify_cert to False, does that mean it will ignore TLS but still be over SSL?
I had a look at the code and this is what it seems to do if I set verify_cert: False.
It will set
ldap_connection.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND if settings['verify_cert'] else ldap.OPT_X_TLS_ALLOW)
With false it will not try to verify the cert, meaning it’s encrypted but not resilient against MITM.
Okay, I want to make it verify_cert: True,
and I have tried with a number of certificates which work for other ldap clients but not this one. Is there a way to verify which certificate it’s expecting?
Try pointing cert_file to a file containing the CA certificate that signed your LDAP server’s certificate.
I guess you can use openssl s_client (assuming ldaps is just plain TLS on top of LDAP) to connect to your LDAP server and see which certificate it sends…
Is there going to be support for ldap.OPT_X_TLS_CACERTDIR?
If you send a Pull Request for it I won’t be opposed to merging it (for the next flask-multipass version which will be released together with Indico 2.3 since it’s not fully backwards compatible).
However, I don’t see much benefit in it since pretty much any Linux distro generates a single certificate bundle file from the directory containing all the different CA certificates.
You are absolutely right. It should be a single pem file and that’s it. I will verify more and see what I get.
Thanks for the support.
Btw I checked with openssl and got a certificate; I tried to use it but it is still giving me the same error:
MultipassException: The LDAP server is unreachable
Unfortunately python-ldap is incredibly bad at reporting useful errors (“server is unreachable” for certificate issues is already a major WTF), so good luck debugging this.
The easiest way to go at it is probably with a small snippet in an ipython shell just trying to connect with the various options…
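Putting the two suggestions from the thread together (look at which certificate the server actually sends, then try python-ldap directly with the various options), here is a stand-alone debugging snippet. It is an added example, not code from Indico or flask-multipass: the python-ldap option calls mirror the set_option line quoted above, the host names, bind DN and file paths are placeholders, and the libldap message fragments that classify_server_down() matches are written from memory, so treat that mapping as a heuristic rather than a documented contract.

```python
"""ldaps TLS debugging helper: an added example, not flask-multipass/Indico code.

Splits "The LDAP server is unreachable" into the two questions behind it:
  1. which certificate does the server send, and does cert_file verify it?
     (stdlib ssl, which reports the real verification error)
  2. does python-ldap connect with the same verify_cert / cert_file values?
     (python-ldap, mirroring the set_option line quoted in the thread)
Hosts, DNs and paths are placeholders (assumptions); the libldap message
fragments in classify_server_down() are from memory and are a heuristic only.
"""
import socket
import ssl
import sys


def probe_server_cert(host, port=636):
    """Return the PEM certificate the server presents (unverified handshake).

    Stdlib equivalent of `openssl s_client -connect host:port` for answering
    "which certificate is it sending?"; feed the output to openssl x509 -text.
    """
    return ssl.get_server_certificate((host, port))


def check_ca_file(host, port, cafile, timeout=5.0):
    """Verified handshake against cafile (system store if cafile is None).

    Returns (True, peer subject) or (False, reason). Unlike python-ldap,
    ssl.SSLCertVerificationError says *why* verification failed.
    """
    try:
        ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    except OSError as exc:              # missing or unreadable cafile
        return False, f"cannot load cafile {cafile!r}: {exc}"
    ctx.check_hostname = True           # same strictness as OPT_X_TLS_DEMAND
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as exc:
        return False, f"verification failed: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"connection failed: {exc}"


def classify_server_down(info):
    """Map the libldap text python-ldap buries in SERVER_DOWN's 'info' to a cause.

    The matched fragments are constructed from typical OpenSSL/libldap wording
    (assumption); anything unrecognised deliberately comes back as "unknown".
    """
    text = (info or "").lower()
    if "hostname does not match" in text or "hostname mismatch" in text:
        return "hostname-mismatch"      # CA trusted, but cert not issued for this name
    if any(s in text for s in ("certificate verify failed", "unable to get local issuer",
                               "self signed", "not trusted")):
        return "untrusted-cert"         # cert_file lacks the issuing CA / chain incomplete
    if any(s in text for s in ("connection refused", "timed out", "no route",
                               "not known", "transport endpoint")):
        return "network"                # genuinely unreachable
    return "unknown"


def connect_ldaps(uri, bind_dn, bind_password, verify_cert=True, cert_file=None,
                  debug=False):
    """Bind with python-ldap using the same option logic quoted in the thread."""
    import ldap  # imported lazily so the helpers above work without python-ldap
    if debug:
        # libldap trace on stderr, including the TLS handshake failure text
        ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,
                    ldap.OPT_X_TLS_DEMAND if verify_cert else ldap.OPT_X_TLS_ALLOW)
    if cert_file:
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cert_file)
    # Per-connection TLS options are applied only when a fresh context is built.
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    try:
        conn.simple_bind_s(bind_dn, bind_password)
    except ldap.SERVER_DOWN as exc:
        payload = exc.args[0] if exc.args and isinstance(exc.args[0], dict) else {}
        info = payload.get("info", "")
        raise RuntimeError(f"{payload.get('desc')}: {info} "
                           f"[{classify_server_down(info)}]") from exc
    return conn


if __name__ == "__main__":
    # usage: python ldaps_debug.py ldap.example.org /etc/ssl/certs/corp-ca.pem
    host, cafile = (sys.argv[1:3] + [None, None])[:2]
    if not host:
        sys.exit("usage: ldaps_debug.py <host> [cafile]")
    print(probe_server_cert(host))           # the leaf cert the server sends
    print(check_ca_file(host, 636, cafile))  # the real reason, if it fails
```

Run check_ca_file() first: if it already fails with "unable to get local issuer certificate", the bundle passed as cert_file does not contain the CA that signed the leaf (or the server does not send the intermediate), and no python-ldap setting will fix that; if it fails with a hostname mismatch, the name in the uri has to match a SAN on the certificate. Only once the stdlib handshake succeeds is it worth calling connect_ldaps() with verify_cert=True and the same cert_file, with debug=True to get libldap's own trace when it still reports the server as unreachable.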