I require a Unix client to connect to a Windows Active Directory server to query various Active Directory fields. The issue I am having at the moment is making a secure connection over LDAPS (SSL). I can connect and query fine over LDAP, but there seems to be an issue with establishing a secure connection over SSL (OpenSSL 0.9.7e).
The script I am using is the following:

[code]
import sys
import ldap

# Turn on verbose libldap debugging and python-ldap call tracing to stderr.
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
ldapmodule_trace_level = 1
ldapmodule_trace_file = sys.stderr

# CA certificate(s) used to verify the server certificate.
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, 'myCert.cer')

try:
    ld = ldap.initialize('ldaps://ADserver.com:636/',
                         trace_level=ldapmodule_trace_level,
                         trace_file=ldapmodule_trace_file)
    # Anonymous simple bind.
    ld.bind_s('', '', ldap.AUTH_SIMPLE)
    print "Successfully bound to server.\n"
    ld.unbind_s()
    print "unbind"
except ldap.LDAPError, error_message:
    print "Couldn't Connect. %s " % error_message
[/code]

Which generates the error:

{'info': 'TLS: hostname does not match CN in peer certificate', 'desc': "Can't contact LDAP server"}

Appending the following line to the code allows the connection to be made, however the server certificate verification is ignored (and thus allows for 'man in the middle' attacks):

ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)

The certificate we have installed on our Microsoft AD is one from IPSCA and is an intermediate one - and works fine (tested using a VB script over port 636). I have downloaded both the Root and Intermediate certificate from the IPSCA website for the Python code to point to, but get the error above.

I have run the command:

openssl s_client -debug -connect ADserver.com:636

Which results in (at the end):

Verify return code: 20 (unable to get local issuer certificate)

Running the same command but appending -CAfile and listing each certificate, I end up with (after all the data):

"Verify return code: 0 (ok)" for the Root certificate

and:

"Verify return code: 20 (unable to get local issuer certificate)" for the Intermediate certificate

Can someone please advise the steps I need to go through in providing the Python code with the right certificate, and also in what format (I have seen .pem in other articles).
Much of the information I have found relates to connecting to OpenLDAP on Unix machines, not Unix machines connecting to Microsoft AD (and not for authenticating, just querying fields). From my understanding it should be as simple as pointing the Python code to a certificate with which it can verify the server certificate.

Also, using Novell's 'Verify Certificate' tool from Windows XP and retrieving the certificate issued by the AD server (in making a connection), one of the testing step results mentions:

"Result: Host name on the certificate DOES NOT matches the DNS name of the directory server"

TIA

--
View this message in context: http://www.nabble.com/Unix-connecting-to-MS-AD-certificate-help-tf3510237.html#a9804943
Sent from the OpenSSL - User mailing list archive at Nabble.com.
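The two symptoms in the post (verify code 20 when only one CA cert is supplied, and the hostname/CN mismatch) are reproduced below as an added example; it is not the poster's script. It assumes python-ldap is installed for the final function only, and the file names `intermediate.cer`, `root.cer` and `ca-bundle.pem` are placeholders; the sample certificate bytes are constructed, not real certificates.

```python
import base64

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"


def to_pem(cert_bytes):
    """Return the certificate as PEM. A DER .cer (the usual Windows export)
    is base64-wrapped at 64 columns; input that is already PEM passes through."""
    if PEM_HEADER in cert_bytes:
        return cert_bytes.strip() + b"\n"
    body = base64.encodebytes(cert_bytes).replace(b"\n", b"")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return b"\n".join([PEM_HEADER] + lines + [PEM_FOOTER]) + b"\n"


def build_ca_bundle(cert_blobs):
    """Concatenate the intermediate and root CA certs into one PEM blob.
    OpenSSL needs every issuer up to a trusted root in the CA file; a file
    holding only the root or only the intermediate gives verify code 20
    ('unable to get local issuer certificate')."""
    return b"".join(to_pem(blob) for blob in cert_blobs)


def hostname_matches(hostname, cert_names):
    """Exact match or a single leftmost-label wildcard, the check behind
    'hostname does not match CN in peer certificate': the host in the LDAP
    URI must equal a name (CN or subjectAltName) in the server certificate."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]          # ".ad.example"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def ldaps_connect(uri, bundle_path):
    """Anonymous simple bind over LDAPS with verification enforced (DEMAND),
    instead of disabled (NEVER). python-ldap is imported lazily (assumed
    installed) so the helpers above run without it."""
    import ldap
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, bundle_path)
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn = ldap.initialize(uri)
    conn.simple_bind_s("", "")
    return conn
```

To use it, read `intermediate.cer` and `root.cer`, write `build_ca_bundle([...])` to `ca-bundle.pem`, and call `ldaps_connect("ldaps://<name in the certificate>:636/", "ca-bundle.pem")`, where the host part must be a name that `hostname_matches` accepts for that certificate.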