LDAP connectivity issue with self-signed certificate

The code I'm using is:

    import ldap

    # Create LDAPObject instance
    conn = ldap.initialize(url)
    conn.protocol_version = ldap.VERSION3
    conn.simple_bind_s(binddn, bindpw)
    # This raises:
    # ldap.SERVER_DOWN: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}

When I use ldap:// instead of ldaps://, it works correctly.

Can someone help me understand why this is?

Thanks. :)

+7
python ldap
4 answers

I have never used python-ldap over SSL, but I believe that you need to tell ldap what checks should be done on the server certificate. If a requirement is specified for this parameter (which may be the default), you must provide it with valid certificates.

See initialize.py in the source demo directory.

+4

I came here looking for a solution to my problem with this. This Q&A did not solve my exact problem, but others looking for a solution to the same problem will find the following useful:

For those who use SSL/TLS for basic transport encryption and not for authentication (self-signed certificates), you simply disable strict server certificate verification:

    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)

This is roughly equivalent to the OpenLDAP 2.1+ client setting:

    tls_checkpeer no
+17

Ignore certificate errors:

    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
+6

Try passing the following environment variable:

    LDAPTLS_REQCERT=never

to ignore the server certificate, which may be expired or invalid.

See:

  • Python Access Environment Variables
  • setting $ENV{variable} when calling python
0
