HI!
How is LDAP_OPT_X_TLS_NEWCTX set to LDAP_OPT_ON supposed to work? I've added support for it in python-ldap to set connection-specific values for LDAP_OPT_X_TLS_REQUIRE_CERT and LDAP_OPT_X_TLS_CACERTFILE.
Note: In python-ldap LDAP options can be set globally by invoking ldap.set_option() or connection-specific with LDAPObject.set_option() which both uses ldap_set_option() in libldap or libldap_r. A libldap constant LDAP_OPT_FOO is mapped to a python-ldap constant ldap.OPT_FOO.
Python-code for testing looks like this:
---------------------------- snip ---------------------------- # Create LDAPObject instance l = ldap.initialize('ldap://localhost:1390')
# Set LDAP protocol version used l.protocol_version=ldap.VERSION3 # Force libldap to create a new SSL context l.set_option(ldap.OPT_X_TLS_NEWCTX,ldap.OPT_ON) # Force cert validation l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_DEMAND) # Set path name of file containing all trusted CA certificates l.set_option(ldap.OPT_X_TLS_CACERTFILE,CACERTFILE)
# Now try StartTLS extended operation l.start_tls_s()
# Try a bind to provoke failure if protocol version is not supported l.simple_bind_s('','')
# Close connection l.unbind_s() ---------------------------- snip ----------------------------
But this does not work. The CA cert file is not taken into account for validating the server cert. Setting it globally with ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,CACERTFILE) works.
Ciao, Michael.