LDAP3 TLS Cert verification failing #825
Comments
@cannatag Can you please update me on the above questions?
This bug was opened almost 19 days ago. I was expecting some update to move forward.
Sorry for being late.
Sorry for these brief answers, but SSL is not related to the ldap3 library but to the Python interpreter you're using. Usually using the SSLContext helps because you have a configuration similar to that of your OS, but libraries remain different. bye,
@pankysdomain Hi, has your problem been solved? Currently I have encountered the same problem as you. Can you provide me with your demo version of the code to study? Thank you very much.
The ldap3 package provides a Tls object with these parameters:
Tls(local_private_key_file, local_certificate_file, validate=ssl.CERT_REQUIRED, version=ssl.PROTOCOL_TLSv1, ca_certs_file)
I have these questions. It would be helpful if you could give me a point-by-point answer:
1. The parameters "local_private_key_file" and "local_certificate_file" are optional if we only have to verify the server certificate. They are only required if the server is configured to ask for client certificate verification. Is my understanding correct?
2. For server cert verification, are the mandatory fields "validate", "version" and "ca_certs_file"?
3. What format/extension is expected for "ca_certs_file"? Is it only b64, or are cer, pem and pkcs12 formats also acceptable?
4. If the server certificate has a CRL configured, will that also be verified by the ldap3 package? If yes, is there a way I can disable that?
When I run the openssl verify command, it returns success:
openssl verify -verbose -CAfile certnew.pem ldapserver.pem
ldapserver.pem: OK
But when I specify the ca_certs_file in the Tls object as "certnew.pem", like this:
import ssl
from ldap3 import Tls
tls_configuration = Tls(validate=ssl.CERT_REQUIRED, version=ssl.PROTOCOL_TLSv1, ca_certs_file="certnew.pem")
an exception is raised: socket ssl wrapping error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727).
This is what extended logging records:
DEBUG:ldap3:BASIC:server <ldaps://parent-2k16.pcsqalab.net:636 - ssl> available at <[2, 1, 6, '', ('10.209.115.100', 636), None, None]>
DEBUG:ldap3:BASIC:server returned from Server Pool: <0>
DEBUG:ldap3:BASIC:obtained candidate address for <ldaps://parent-2k16.pcsqalab.net:636 - ssl>: <[2, 1, 6, '', ('10.209.115.100', 636)]> with mode IP_V6_PREFERRED
DEBUG:ldap3:BASIC:try to open candidate address [2, 1, 6, '', ('10.209.115.100', 636)]
DEBUG:ldap3:ERROR:<socket ssl wrapping error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)> for <ldaps://parent-2k16.pcsqalab.net:636 - ssl - user: cn=Administrator,cn=users,dc=pcsqalab,dc=net - not lazy - unbound - closed - <local: 10.204.48.215:49495 - remote: 10.209.115.100:636> - tls not started - not listening - SyncStrategy - pyasn1 decoder>
DEBUG:ldap3:ERROR:<socket ssl wrapping error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727) ('10.209.115.100', 636)> for <ldaps://parent-2k16.pcsqalab.net:636 - ssl - user: cn=Administrator,cn=users,dc=pcsqalab,dc=net - not lazy - unbound - closed - <local: 10.204.48.215:49495 - remote: [None]:None> - tls not started - not listening - SyncStrategy - pyasn1 decoder>
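An added example, written for this thread and not taken from the issue or from the ldap3 project: it uses only Python's standard-library ssl module and shows how the Tls() parameters asked about above map onto an SSLContext (the mechanism the maintainer's reply points to), together with a small checker that tells whether a ca_certs_file is PEM, a DER certificate or a PKCS#12 bundle, since load_verify_locations(cafile=...) reads only PEM. The one-to-one mapping of ldap3's parameters onto these context settings is my assumption about the library's internals and should be checked against the installed version; the function names, the check_crl flag and the sample byte strings (constructed header fragments, not real certificates) are mine.

```python
# Added example for the Tls() parameter questions in this thread; not code
# from the ldap3 project. Standard library only, so it runs without ldap3.
import ssl
from typing import Optional

PEM_MARKER = b"-----BEGIN"


def build_verifying_context(ca_certs_file: Optional[str] = None,
                            ca_certs_data: Optional[str] = None,
                            validate: int = ssl.CERT_REQUIRED,
                            check_hostname: bool = True,
                            local_certificate_file: Optional[str] = None,
                            local_private_key_file: Optional[str] = None,
                            check_crl: bool = False) -> ssl.SSLContext:
    """Return an SSLContext configured the way a verifying LDAPS client needs.

    Assumption (check against your ldap3 version): Tls() ends up applying the
    same settings to an SSLContext, so the parameters map one to one:
      validate            -> ctx.verify_mode
      ca_certs_file/_data -> ctx.load_verify_locations(...)
      local_*_file        -> ctx.load_cert_chain(...), client cert, optional
    """
    # PROTOCOL_TLS_CLIENT negotiates the newest common version and defaults
    # to CERT_REQUIRED plus hostname checking; PROTOCOL_TLSv1 pins TLS 1.0.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if validate == ssl.CERT_NONE:
        # ssl refuses CERT_NONE while check_hostname is on, so clear it first.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.verify_mode = validate
        ctx.check_hostname = check_hostname
    # Only trust anchors go here; the server's own certificate is not needed.
    if ca_certs_file or ca_certs_data:
        ctx.load_verify_locations(cafile=ca_certs_file, cadata=ca_certs_data)
    # A client certificate only matters if the server demands one (Q1).
    if local_certificate_file:
        ctx.load_cert_chain(certfile=local_certificate_file,
                            keyfile=local_private_key_file)
    # Python's ssl checks no CRL unless asked to and given one through
    # load_verify_locations(), so CRL checking is off by default (Q4).
    if check_crl:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Inspectable view of the settings that decide whether verification runs."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "crl_check": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
    }


def _der_inner_offset(data: bytes) -> int:
    """Offset of the first element inside an outer DER SEQUENCE, or -1."""
    if len(data) < 2 or data[0] != 0x30:
        return -1
    length_byte = data[1]
    if length_byte < 0x80:            # short-form length
        return 2
    extra = length_byte & 0x7F        # long form: number of length octets
    if extra == 0 or len(data) < 2 + extra:
        return -1
    return 2 + extra


def ca_file_kind(data: bytes) -> str:
    """Classify the bytes of a ca_certs_file (Q3): a .cer/.crt may be PEM or
    DER, and a .p12/.pfx is PKCS#12, which ssl's cafile does not accept."""
    if data.lstrip().startswith(PEM_MARKER):
        return "pem"
    off = _der_inner_offset(data)
    if off < 0:
        return "unknown"
    head = data[off:off + 3]
    if head[:1] == b"\x30":           # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ...
        return "der-certificate"
    if head == b"\x02\x01\x03":       # PFX ::= SEQUENCE { version INTEGER (3) ...
        return "pkcs12"
    return "unknown"


def ca_data_for_context(data: bytes) -> str:
    """Turn file bytes into the PEM text that cadata=... accepts, or refuse."""
    kind = ca_file_kind(data)
    if kind == "pem":
        return data.decode("ascii")
    if kind == "der-certificate":
        return ssl.DER_cert_to_PEM_cert(data)   # re-wraps DER as PEM, no validation
    raise ValueError(f"{kind}: export the CA certificate as PEM before using it")


# Constructed sample inputs: header fragments only, not real certificates.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              b"MIIBconstructedPlaceholderBodyNotARealCertificate\n"
              b"-----END CERTIFICATE-----\n")
SAMPLE_DER_CERT = b"\x30\x82\x03\x10\x30\x82\x02\xf8\xa0\x03\x02\x01\x02"
SAMPLE_PKCS12 = b"\x30\x82\x09\xa1\x02\x01\x03\x30\x82\x09\x67\x06\x09"

if __name__ == "__main__":
    for name, blob in (("pem", SAMPLE_PEM), ("der", SAMPLE_DER_CERT), ("p12", SAMPLE_PKCS12)):
        print(name, "->", ca_file_kind(blob))
    print(context_summary(build_verifying_context()))
```

Running ca_file_kind() over certnew.pem before handing it to Tls() separates "the trust store is not in a format ssl can read" from "the chain the server presents does not lead to that anchor"; a successful openssl verify on a saved copy of the server certificate does not show which chain the live server actually sends, so the second case remains open after that check. Whether the installed ldap3 exposes verify_flags for the CRL setting is not something this example asserts.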