On Dec 23, 2009, at 3:00 PM, Wayne wrote:

> Hi,
>
> Many thanks for your reply.
>
> I did the test and it seemed that our network is working fine and I
> could telnet to the directory with "Connected" feedback. What other
> things we could try next?
Our next step is to work out how to make your connection work properly from Python. Django-ldap-groups is basically a thin wrapper around python-ldap, with added code to work with Django. So what we need to do next is establish a connection to your LDAP server from a Python shell using python-ldap. Once we have that connection working, we'll know what we need to change in the ldap-groups code to make it work with Sun ONE, and/or your particular environment.

I'm including a transcript of a Python shell session. This session shows the steps needed to make a working connection to a server, and is based on the flow of events in the bind_ldap() method of eDirectoryGroupMembershipSSLBackend, in ldap_groups/accounts/backends.py. It also shows the kind of error you'll receive if the certificate you are trying to use is not correct:

Ralf:~ herndonp$ python
Python 2.6.1 (r261:67515, Jul  7 2009, 23:51:51)
[GCC 4.2.1 (Apple Inc. build 5646)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import ldap
>>> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/Users/herndonp/Downloads/wrongcert.b64')
>>> l = ldap.initialize('ldaps://ldap.example.com:636')
>>> l.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
>>> l.simple_bind_s('cn=fake_username,o=fake_org', 'fake_password')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Library/Python/2.6/site-packages/ldap/ldapobject.py", line 206, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
  File "/Library/Python/2.6/site-packages/ldap/ldapobject.py", line 200, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls))
  File "/Library/Python/2.6/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.SERVER_DOWN: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
>>>

I'm including the error because it is most likely the cause of the problem, having eliminated connectivity. Getting the right certificate is not straightforward. You do not need the actual certificate of the LDAP server; you need the trusted root certificate (including any intermediary signers) of the certificate authority that issued the certificate used by the LDAP server.

If you do get the error above, or something similar, it might be useful to confirm that there are no other problems connecting. If your LDAP server is listening for *un*encrypted traffic, you may want to try the above steps without encryption, just to see that you can connect successfully. An example session:

Ralf:~ herndonp$ python
Python 2.6.1 (r261:67515, Jul  7 2009, 23:51:51)
[GCC 4.2.1 (Apple Inc. build 5646)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import ldap
>>> l = ldap.initialize('ldap://pledir1.mskcc.org:389')
>>> l.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
>>> l.simple_bind_s('cn=fake_user,o=fake_org', 'fake_password!')
(97, [])
>>>

If you do get that error, you will need to work with your LDAP admin to identify the right certificate to export, export it as a Base64 PEM encoded file, and place it somewhere you can reference from Python.

Give that a try and let me know how it goes.

---Peter
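The diagnostic flow Peter describes, written up as an added example for Python 3 (not code from the thread or from django-ldap-groups): a stdlib-only TLS handshake that tells a wrong or incomplete CA bundle apart from an unreachable host, plus the same bind_ldap()-style sequence with python-ldap whose SERVER_DOWN error is sorted by cause. Host, port, CA file path, bind DN and password are placeholders supplied by the caller.

```python
import os
import socket
import ssl

CERT_VERIFY_HINT = "certificate verify failed"


def classify_ldap_error(info):
    """Map the 'info' string of a python-ldap SERVER_DOWN error to a cause."""
    text = (info or "").lower()
    if CERT_VERIFY_HINT in text:
        return "ca_cert_mismatch"  # wrong or incomplete trust root, as in the transcript
    if "can't contact" in text or "connection refused" in text:
        return "no_connection"
    return "unknown"


def verify_trust_root(host, port, cafile, timeout=5):
    """Stdlib-only TLS handshake: does CAFILE really trust the server's chain?

    Runs before python-ldap is involved, so a bad CA bundle is told apart from
    an unreachable host. host, port and cafile are caller-supplied placeholders."""
    if cafile is not None and not os.path.exists(cafile):
        return ("cafile_missing", cafile)
    try:
        ctx = ssl.create_default_context(cafile=cafile)  # full chain + hostname check
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("ok", tls.getpeercert().get("subject"))
    except ssl.SSLCertVerificationError as exc:
        return ("ca_cert_mismatch", exc.verify_message)
    except ssl.SSLError as exc:  # handshake failed for a reason other than trust
        return ("tls_error", str(exc))
    except OSError as exc:  # refused, timed out, unreachable
        return ("no_connection", str(exc))


def bind_with_ca(uri, cafile, who, cred):
    """The bind_ldap() flow from the thread, with the failure sorted by cause."""
    import ldap  # deferred so the helpers above work where python-ldap is absent
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cafile)
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    try:
        conn.simple_bind_s(who, cred)
    except ldap.SERVER_DOWN as exc:
        detail = exc.args[0] if exc.args else {}
        info = detail.get("info") if isinstance(detail, dict) else str(detail)
        return (classify_ldap_error(info), info)
    except ldap.INVALID_CREDENTIALS:
        return ("bad_credentials", None)  # TLS and trust root are fine; DN/password are not
    conn.unbind_s()
    return ("ok", None)
```

Run verify_trust_root() first; only when it returns "ok" is a remaining bind failure attributable to the directory rather than to the certificate file.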