
Connection to LDAP server fails through TLS connection

I am using the Python 2.7 ldap module, and have tried connecting to an LDAP server with TLS enabled, but so far I have only run into many issues. When trying to debug the issue I get very little information back. Here is the simple script I am testing with:

import ldap

# Plain ldap:// on 389: the TLS upgrade is done with StartTLS below
LDAP_SERVER = 'ldap://ldap.somedomain.com:389'
LDAP_BASE = 'ou=users,dc=ldap,dc=test,dc=com'

try:
    # initialize() only builds the handle; no network traffic yet
    conn = ldap.initialize(LDAP_SERVER, bytes_mode=False)
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    # CA bundle the server certificate should chain to
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, "/path/to/cacert.pem")
    # intended to require a verified server certificate
    conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_DEMAND, True)
    # maximum libldap debug output
    conn.set_option(ldap.OPT_DEBUG_LEVEL, 255)
    # first call that actually opens the socket and negotiates TLS
    conn.start_tls_s()
except ldap.LDAPError, e:
    print e
    raise

print 'done'

When testing the script, an exception is raised when the conn.start_tls_s line is executed. Here is the error that is returned:

ldap.CONNECT_ERROR: {'info': u'(unknown error code)', 'errno': 2, 'desc': u'Connect error'}

Stack Trace:

  File "/home/eric/Desktop/test_ldap.py", line 14, in <module>
    conn.start_tls_s()
  File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 864, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/local/lib/python2.7/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)

Note - Port 389 on my LDAP server is secure and accepts TLS connections, which is why the LDAP_SERVER is not set to ldaps://ldap.somedomain.com:636 in the example above.

I am also using an Ubuntu 14.04 virtual machine. Any ideas and tips are greatly appreciated.

Eric
  • Did you try from the command line from same host like with `ldapsearch` or even first just the TLS connection with `openssl s_client`? – Patrick Mevzek Sep 12 '19 at 21:27
  • Note `OPT_X_TLS_DEMAND` is a value for [ldap.OPT_X_TLS_REQUIRE_CERT](https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#ldap.OPT_X_TLS_REQUIRE_CERT), it is not an option as used in the example. – alls0rts Aug 08 '22 at 08:40

1 Answer


Okay, so basically I needed to do a couple of things. I had to add a copy of the cacert.pem file, then edit an ldap.conf file, and then I was finally able to connect to the LDAP server with TLS.

If you do not have a cacert.pem file, then you may need to make one, or ask a network admin to get one if you don't know how. See the link below for details on Using Certificates: http://www.openldap.org/faq/data/cache/185.html

Since python-ldap is based on OpenLDAP, you may need to install some dependencies as stated here: I can't install python-ldap

If ldap is installed on Ubuntu, then you should see a file structure like this:

/etc/ldap
    ldap.conf sasl2 schema slapd.d

I made a new directory in ldap called cacert, then added the cacert.pem file in there like so: /etc/ldap/cacert/cacert.pem

Then I edited ldap.conf with these changes below:

TLS_CACERT      /etc/ldap/cacert/cacert.pem
TLS_REQCERT     allow

After saving the ldap.conf, I tested the connection by entering the following in the terminal, and was finally able to connect and get results back from the server:

ldapsearch -H ldap://ldap.yourdomain.com -Z -x -D "cn=admin,dc=ldap,dc=test,dc=com" -w "P@ssWerd2LD@pP" -b "dc=ldap,dc=test,dc=com" uid=*

Then I tested my Python script and was able to run it without raising any exceptions after starting TLS. I hope this helps anyone else that is having trouble connecting to LDAP with TLS on Ubuntu.

Eric
  • I'm curious if this is the configuration you settled on. The `TLS_REQCERT allow` fixed my problem, but it concerns me. The OpenLDAP [docs](https://www.openldap.org/doc/admin21/tls.html) say this about it "there generally is no good reason to change this setting." – Schparky Dec 07 '20 at 22:52
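An added example, not part of the question, the answer or python-ldap's own code: the same CA-file-plus-StartTLS setup as the answer, but keeping certificate verification at OpenLDAP's default strictness (`TLS_REQCERT demand`) instead of relaxing it to `allow`, which is the point the last comment raises. It does two things: a small parser/audit for ldap.conf-style text that flags `never`, `allow` and `try` (each of which lets a session proceed without a verified server certificate) or a missing CA setting, and a per-connection equivalent of those settings in python-ldap, using `OPT_X_TLS_REQUIRE_CERT` with the value `OPT_X_TLS_DEMAND` (the comment on the question notes that `OPT_X_TLS_DEMAND` is a value, not an option) followed by `OPT_X_TLS_NEWCTX`, which is required for per-connection TLS options to take effect. The two config snippets are constructed for the example; the URI and CA path passed on the command line are assumed placeholders, and the connection step needs python-ldap 3.x and a reachable server, so it is only run when arguments are given.

```python
"""Added example: StartTLS with verification demanded, plus an ldap.conf audit.
Not the original poster's code; the sample configs below are constructed."""
import sys

# TLS_REQCERT levels from ldap.conf(5), least to most strict. Anything below
# "demand" allows the session to continue without a verified server cert.
_REQCERT_LEVELS = ("never", "allow", "try", "demand", "hard")


def parse_ldap_conf(text):
    """Parse ldap.conf-style text into {OPTION: value}.

    Keys are upper-cased (ldap.conf options are case-insensitive),
    '#' comments and blank lines are dropped.
    """
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def audit_tls(opts):
    """Return findings (list of strings) for weak StartTLS settings.

    An empty list means a CA file or directory is configured and the server
    certificate must verify (TLS_REQCERT demand/hard; "demand" is also the
    OpenLDAP default when the option is absent).
    """
    findings = []
    reqcert = opts.get("TLS_REQCERT", "demand").lower()
    if reqcert not in _REQCERT_LEVELS:
        findings.append("TLS_REQCERT has unknown value %r" % reqcert)
    elif _REQCERT_LEVELS.index(reqcert) < _REQCERT_LEVELS.index("demand"):
        findings.append("TLS_REQCERT %s accepts an unverifiable server certificate" % reqcert)
    if "TLS_CACERT" not in opts and "TLS_CACERTDIR" not in opts:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: nothing to verify the server against")
    return findings


def start_tls_verified(uri, cacert_path):
    """Open a python-ldap handle and upgrade it with StartTLS, demanding a
    CA-verified server certificate. Per-connection equivalent of
    'TLS_CACERT <file>' + 'TLS_REQCERT demand' in ldap.conf."""
    import ldap  # imported here so the audit above runs without python-ldap installed

    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert_path)
    # OPT_X_TLS_DEMAND is a value for OPT_X_TLS_REQUIRE_CERT, not an option itself
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    # per-connection TLS settings only apply once a fresh TLS context is built;
    # this must come after the other OPT_X_TLS_* calls
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    conn.start_tls_s()  # raises ldap.CONNECT_ERROR if the chain does not verify
    return conn


# Constructed sample: the settings from the answer above (verification relaxed).
ANSWER_CONF = """
TLS_CACERT      /etc/ldap/cacert/cacert.pem
TLS_REQCERT     allow
"""

# Constructed sample: same CA file, verification left at the default.
HARDENED_CONF = """
TLS_CACERT      /etc/ldap/cacert/cacert.pem
TLS_REQCERT     demand
"""

if __name__ == "__main__":
    for name, text in (("answer", ANSWER_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_tls(parse_ldap_conf(text)) or "ok")
    # usage: python this.py ldap://ldap.example.test:389 /etc/ldap/cacert/cacert.pem
    if len(sys.argv) == 3:
        start_tls_verified(sys.argv[1], sys.argv[2])
        print("StartTLS established with a verified server certificate")
```

The audit reports the answer's `TLS_REQCERT allow` as a finding and the `demand` variant as clean. For the command-line check, `ldapsearch -ZZ` (two Zs) makes the StartTLS upgrade mandatory, whereas the single `-Z` used in the answer lets the search continue in cleartext if the TLS negotiation fails.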