[SAC] Re: LDAP server migration this Saturday evening
Frank Warmerdam
warmerdam at pobox.com
Sun May 22 12:11:00 EDT 2011
On 11-05-21 05:43 PM, Martin Spott wrote:
> BUT: There's a couple of Python scripts in '/var/www/cgi-bin/' on
> 'osgeo1' which don't SSL-encrypt their LDAP connection. Does anyone
> know from memory how to SSL-enable this Python stuff ?
> It _seems_ to me that 'ldap.open(server)' works for unencrypted sessions
> only and 'ldap.initialize("ldaps://" + server)' is the way to go for
> SSL-encryption - but I'm far from being certain .... mmmmh, seems that
> 'ldap.open' is deprecated anyway:
>
> http://www.python-ldap.org/doc/html/ldap.html
>
> Anyone ?
Martin,
I have checked, and _ldap.so is linked to the SSL libraries, which gives me hope.
I have tried:
>>> import ldap
>>> l = ldap.initialize( 'ldaps://ldap.osgeo.org' )
>>> print l
<ldap.ldapobject.SimpleLDAPObject instance at 0xb7ef4d4c>
>>> l.simple_bind_s('')
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "/usr/lib/python2.3/site-packages/ldap/ldapobject.py", line 175, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
  File "/usr/lib/python2.3/site-packages/ldap/ldapobject.py", line 169, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,serverctrls,clientctrls)
  File "/usr/lib/python2.3/site-packages/ldap/ldapobject.py", line 94, in _ldap_call
    result = func(*args,**kwargs)
ldap.SERVER_DOWN: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
>>>
The comment about "SSL3_GET_SERVER_CERTIFICATE" is a mystery to me, but
perhaps you have an idea?
I also notice that the userid/password challenge implemented for all CGIs
in /var/www/cgi-bin/auth does not seem to work any more. For instance,
try visiting:
http://www.osgeo.org/cgi-bin/auth/ldap_web_search.py
This authentication is controlled by:
/etc/httpd/conf.d/osgeouserid.conf
<Directory /var/www/cgi-bin/auth>
    SSLRequireSSL
    AuthType Basic
    AuthName "OSGeo"
    AuthLDAPURL ldaps://ldap.osgeo.org:636/ou=people,dc=osgeo,dc=org?uid?sub?(objectClass=*)
    require valid-user
</Directory>
Best regards,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up | Frank Warmerdam, warmerdam at pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush | Geospatial Programmer for Rent
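An added example, not code from this thread or from the OSGeo cgi-bin scripts, showing the python-ldap side of what Martin and Frank are discussing: replacing 'ldap.open(server)' with an 'ldaps://' connection that actually verifies the server certificate, and reading the SERVER_DOWN error quoted above. The OpenLDAP client library reports a failed TLS handshake as SERVER_DOWN with the OpenSSL message in 'info', so "certificate verify failed" means the client does not trust the CA that signed ldap.osgeo.org's certificate (TLS_CACERT in /etc/openldap/ldap.conf, or the OPT_X_TLS_CACERTFILE option below), not that the server is down. The CA file path, bind DN and password here are placeholders; the 'ldap' import is deferred so the URL and error helpers can be exercised without python-ldap installed.

```python
"""Added example, not code from this thread or from the OSGeo cgi-bin
scripts: open a python-ldap connection over ldaps:// with the server
certificate verified, and classify the SERVER_DOWN error from the mail.
Hypothetical values: the CA file path and the bind DN/password are
placeholders.
"""
from urllib.parse import urlsplit

LDAPS_PORT = 636
# Hypothetical path: wherever the CA that issued the LDAP server cert lives.
DEFAULT_CACERT = "/etc/ssl/certs/osgeo-ldap-ca.pem"


def secure_ldap_url(server):
    """Normalise what the old scripts passed to ldap.open() (a bare host,
    host:port, or a URL) into an ldaps:// URL for ldap.initialize().
    A plain ldap:// URL is refused rather than silently upgraded, so a
    script that still uses one fails loudly instead of going cleartext.
    Only the base URL is returned; the search base belongs in the search."""
    if "://" not in server:
        server = "ldaps://" + server
    parts = urlsplit(server)
    if parts.scheme != "ldaps":
        raise ValueError("refusing unencrypted LDAP URL: %s" % server)
    if not parts.hostname:
        raise ValueError("no host in LDAP URL: %s" % server)
    return "ldaps://%s:%d" % (parts.hostname, parts.port or LDAPS_PORT)


def explain_server_down(info):
    """Classify the dict python-ldap attaches to ldap.SERVER_DOWN.
    libldap reports TLS handshake failures as SERVER_DOWN with the OpenSSL
    error text in 'info', so "Can't contact LDAP server" together with
    'certificate verify failed' means the server's certificate chain did
    not validate against the CAs the client trusts (TLS_CACERT in
    ldap.conf or OPT_X_TLS_CACERTFILE), not that the host is unreachable."""
    text = info.get("info", "") if isinstance(info, dict) else str(info)
    if "certificate verify failed" in text:
        return "tls-untrusted-ca"
    if "SSL routines" in text or "TLS" in text:
        return "tls-other"
    return "unreachable"


def connect_ldaps(server, cacert=DEFAULT_CACERT, who="", cred=""):
    """Connect over ldaps://, demand a valid server certificate, and bind.
    TLS options must be set before the first network operation;
    OPT_X_TLS_NEWCTX=0 makes libldap rebuild its TLS context from the
    options just set (python-ldap 2.4+ on OpenLDAP 2.4+; older builds only
    honour the global ldap.conf TLS_CACERT)."""
    import ldap  # python-ldap; imported here so the helpers above need no install

    conn = ldap.initialize(secure_ldap_url(server))
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert)
    # DEMAND: fail if the certificate is missing or does not validate.
    # Do not "fix" the error from the mail with OPT_X_TLS_NEVER/ALLOW: that
    # keeps the encryption but lets anyone with a self-signed cert
    # impersonate the directory and collect the bind passwords.
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    try:
        conn.simple_bind_s(who, cred)
    except ldap.SERVER_DOWN as err:
        kind = explain_server_down(err.args[0] if err.args else {})
        if kind == "tls-untrusted-ca":
            raise RuntimeError(
                "LDAP TLS handshake failed: server certificate not trusted; "
                "point cacert at the issuing CA (currently %s)" % cacert
            ) from err
        raise
    return conn


if __name__ == "__main__":
    # Constructed input: the error dict from the traceback quoted in the mail.
    sample = {
        "info": "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:"
                "certificate verify failed",
        "desc": "Can't contact LDAP server",
    }
    print(secure_ldap_url("ldap.osgeo.org"), explain_server_down(sample))
```

The same three set_option() calls also cover StartTLS: initialize an 'ldap://' URL, set the options, then call conn.start_tls_s() before binding. For the Apache side, mod_ldap keeps its own trust store rather than reading ldap.conf; if the broken /cgi-bin/auth challenge turns out to have the same untrusted-CA cause (an assumption, the mail does not say), the equivalent fix is an 'LDAPTrustedGlobalCert CA_BASE64 /path/to/ca.pem' line in the server config with 'LDAPVerifyServerCert On' left at its default.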