
I'm using the Django authentication backend django-auth-ldap to authenticate against an LDAP service. When attempting to set the path to the directory containing the SSL certificate:

ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '/etc/ssl/certs')

I get a ValueError exception:

  File "/Users/liz/web_application/work/ldap_settings.py", line 5, in <module>
    ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '/etc/ssl/certs')
  File "/Users/liz/.envs/dev/lib/python3.6/site-packages/ldap/functions.py", line 139, in set_option
    return _ldap_function_call(None,_ldap.set_option,option,invalue)
  File "/Users/liz/.envs/dev/lib/python3.6/site-packages/ldap/functions.py", line 66, in _ldap_function_call
    result = func(*args,**kwargs)
ValueError: option error

I've tried the accepted answer from this previous SO post that suggests uninstalling python-ldap (though I'm using pyldap, a fork of python-ldap) and re-installing using a brew-installed openldap by running:

LDFLAGS="-L/usr/local/brew/opt/openldap/lib" CPPFLAGS="-I/usr/local/brew/opt/openldap/include" pip install python-ldap

This seemed to have no effect. I also followed this guide to locally build a version of pyldap with the newer version of openldap (via brew), but I still see the same error. I'm not sure if there's some way I can verify my local build does use the newer openldap library, or if there's something I'm missing here. Any suggestions are much appreciated!

Other existing questions on SO

The answer to this question has no effect for me; setting AUTH_LDAP_GLOBAL_OPTIONS instead of set_option results in the same ValueError.

AUTH_LDAP_GLOBAL_OPTIONS = {ldap.OPT_X_TLS_CACERTDIR: '/etc/ssl/certs'}
Liz
  • Check permissions for that folder. Can Django access it? – Marin Jun 26 '17 at 10:43
  • Yes, folder and contents are readable for all – Liz Jun 27 '17 at 01:03
  • I've traced it down and all it does is copy the given path to the option structure, but only if TLS is available in libldap. So there does seem to be a disconnect between python module and libldap. Could you show output of `ldd /usr/local/lib/python3.6/site-packages/_ldap.so` –  Jun 27 '17 at 14:51
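For the "is there some way I can verify my local build does use the newer openldap library" part of the question, and the ldd suggestion in the comments, here is an added diagnostic script (not from the question or the answer). It checks python-ldap's own TLS_AVAIL flag, which is what set_option consults before accepting any OPT_X_TLS_* option, and parses the `otool -L` (macOS) or `ldd` (Linux) listing of the `_ldap` extension to see which libldap it loads. The sample listing and the Homebrew prefixes are constructed assumptions, not taken from the page.

```python
"""python-ldap raises ValueError("option error") for OPT_X_TLS_* when its C
extension was built without TLS; TLS_AVAIL says so directly, the linked libldap says why."""
import platform
import re
import subprocess

# Constructed sample of `otool -L` output for a build that picked up the
# macOS system libldap; report() obtains the real listing.
SAMPLE_LISTING = """\
/Users/liz/.envs/dev/lib/python3.6/site-packages/_ldap.cpython-36m-darwin.so:
\t/usr/lib/libldap.2.4.2.dylib (compatibility version 2.4.0, current version 2.4.2)
\t/usr/lib/liblber.2.4.2.dylib (compatibility version 2.4.0, current version 2.4.2)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)
"""

HOMEBREW_PREFIXES = ('/usr/local/opt/openldap', '/usr/local/brew/opt/openldap',   # assumed
                     '/usr/local/Cellar/openldap', '/opt/homebrew/opt/openldap')  # typical brew paths

def linked_libldap(listing):
    """Return the libldap path named in `otool -L` (macOS) or `ldd` (Linux) output, or None."""
    for line in listing.splitlines():
        match = re.search(r'(/\S*libldap[\w.-]*\.(?:dylib|so)(?:\.[\d.]+)?)', line)
        if match:
            return match.group(1)
    return None

def classify(libpath):
    """'system' for the OS-shipped libldap, 'homebrew' for a brew-installed openldap."""
    if libpath is None:
        return 'unknown'
    if libpath.startswith(HOMEBREW_PREFIXES):
        return 'homebrew'
    if libpath.startswith('/usr/lib/'):
        return 'system'
    return 'other'

def report():
    """Print TLS availability of the installed python-ldap and the libldap it links against."""
    import ldap     # imported here so the parsers above run without python-ldap installed
    import _ldap    # the C extension the traceback in the question goes through
    print('TLS_AVAIL      =', ldap.TLS_AVAIL)  # 0 means every OPT_X_TLS_* option is rejected
    print('libldap vendor =', ldap.get_option(ldap.OPT_API_INFO)['vendor_version'])
    tool = ['otool', '-L'] if platform.system() == 'Darwin' else ['ldd']
    proc = subprocess.run(tool + [_ldap.__file__], stdout=subprocess.PIPE,
                          universal_newlines=True)
    lib = linked_libldap(proc.stdout)
    print('linked libldap =', lib, '(%s)' % classify(lib))
```

Run `report()` inside the virtualenv that raises the error; a TLS_AVAIL of 0 together with a 'system' libldap confirms the rebuild against the brew openldap did not take effect.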

1 Answer


Ok, I have done some work with LDAP, so I'll provide my code for you if that helps. First I put the cert into the Django project.

import os
import ldap
from django.conf import settings

BASE_DIR = settings.BASE_DIR  # Django base dir; the cert path below is relative to it


def returnPaths():
    return {'dn_full_path': 'CN=Person,CN=Schema,CN=your_con,DC=your_dc,DC=your_dc',
            'cert': 'path_to_cert_file',
            'host': 'ldaps://x.x.x.:636'}


class LdapBackend(object):
    @classmethod
    def authenticate(cls, username=None, password=None):
        setup = returnPaths()

        # NOTE: OPT_X_TLS_NEVER disables peer certificate checking, so the CA file
        # set on the next line is never used to verify the server's certificate.
        ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
        ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, os.path.join(BASE_DIR, setup['cert']))

        domain = 'your_domain'
        l = ldap.initialize(setup['host'])
        l.set_option(ldap.OPT_REFERRALS, 0)
        l.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
        l.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
        # (OPT_X_TLS_DEMAND is a value, not an option, so it cannot be passed to set_option)

        try:
            # python-ldap on Python 3 takes str here; str(username.encode('utf-8'))
            # would yield "b'user'" and make every bind fail
            l.simple_bind_s('%s@%s' % (username, domain), password)
            return True
        except ldap.INVALID_CREDENTIALS:
            return False
        except ldap.LDAPError:
            # TLS, connection or server errors also count as a failed login
            return False
Marin