Python LDAP StartTLS to OpenDS

The OpenDS server on my laptop uses a self-signed certificate. The trick to using StartTLS (so that passwords do not cross the network in clear text) seems to be telling the underlying LDAP library to treat that self-signed certificate as a CA certificate, which it effectively is, since it issued itself.

Perhaps not safe for production, but it seems to work for testing.

  1. Configure OpenDS to permit StartTLS.
    The easiest way to do this is at install time with Quick Setup.
  2. Bring up the OpenDS Control Panel.
    1. In the Control Panel Manage Entries window, select Base DN: All Base DNs.
    2. Under cn=admin data > instance keys > ds-cfg-instance-key, the entry has a ds-cfg-public-key-certificate;binary attribute whose value becomes visible when you click Edit...
    3. Copy that certificate value.
  3. Save the cert to a .pem file.
    PEM is just the DER certificate, base64-encoded in 64-character lines between BEGIN and END markers. Adding the ...BEGIN... and ...END... lines and playing with the formatting gave me this.
    C:\>more opends-cert.pem
    -----BEGIN CERTIFICATE-----
    MIIB3zCCAUigAwIBAgIESng5szANBgkqhkiG9w0BAQUFADA0MRswGQYDVQQKExJP
    cGVuRFMgQ2VydGlmaWNhdGUxFTATBgNVBAMTDEZSLU1DUkFJRy0wMTAeFw0wOTA4
    MDQxMzM3NTVaFw0yOTA3MzAxMzM3NTVaMDQxGzAZBgNVBAoTEk9wZW5EUyBDZXJ0
    aWZpY2F0ZTEVMBMGA1UEAxMMRlItTUNSQUlHLTAxMIGfMA0GCSqGSIb3DQEBAQUA
    A4GNADCBiQKBgQCNnnsxIx7dBdx79Ny7b9uptn+db6eu8qHoGDfaTBFOoEU+Sl7f
    AW9g3ArSD67kKkmTZnZl/uonSM7+1Mni32/7HyrEQvkZDr1DfndUDG8eVkaP1u/D
    XcZNPpEGizchFR+vXbCcA45KZFr54/JakdUAABxlevlfrhlo5N5sQH8HIQIDAQAB
    MA0GCSqGSIb3DQEBBQUAA4GBAErAmCUBeBvKCaL2wPeulPz0HoyumFfdC21LAid7
    x2tq7EuniCBEiz1mt04sIRYB2iBKPOQ5uIcQXEpo4zllM1yIeCXretWFzr7EhzsF
    JlyZRJIaOe5IdkTm9XHENeLACveYd25QsUVClDTPVZHe0AOsH6X2xHQHMCIwSwuw
    9pl4
    -----END CERTIFICATE-----
  4. Tell the Python LDAP code that the file contains a CA cert, then start TLS and bind.
    Make sure the hostname in the URL is the same as the CN in the cert. Be aware that setting OPT_X_TLS_REQUIRE_CERT to OPT_X_TLS_NEVER, as below, turns server certificate checking off altogether: the handshake succeeds whatever certificate the server presents, so neither the CA file nor the hostname is actually verified, and the password is protected from passive sniffing only, not from someone in the path who presents his own certificate. For the self-signed cert to be checked against the .pem file (and the hostname against its CN), use OPT_X_TLS_DEMAND instead.
    >>> import ldap
    >>> ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
    >>> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,"C:\\opends-cert.pem")
    >>> l = ldap.initialize("ldap://FR-MCRAIG-01:1389")
    >>> l.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    >>> l.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND)
    >>> l.start_tls_s()
    >>> l.simple_bind_s('uid=kvaughan,ou=people,dc=example,dc=com','bribery')
    (97, [])
    >>> l.whoami_s()
    'dn:uid=kvaughan,ou=People,dc=example,dc=com'
    >>>
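The following is an added example, not code from the original post or from OpenDS: it does the PEM wrapping of step 3 without hand-editing and reads back the subject, issuer and validity of the certificate, so the hostname to put in the URL (the question raised under step 4 and again below) is known before connecting. It uses the certificate printed above as sample input and only the Python standard library for the parsing; the parser handles long-form DER lengths and any RDN attribute, not just this one cert. The `starttls_bind` helper at the end is hypothetical: it shows the python-ldap options with certificate checking left on (OPT_X_TLS_DEMAND rather than OPT_X_TLS_NEVER), needs python-ldap and a reachable server, and is therefore not exercised offline.

```python
import base64
import ssl

# Certificate copied from the post above (the value exported from cn=admin
# data); used here only as sample input for the parser.
OPENDS_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIB3zCCAUigAwIBAgIESng5szANBgkqhkiG9w0BAQUFADA0MRswGQYDVQQKExJP
cGVuRFMgQ2VydGlmaWNhdGUxFTATBgNVBAMTDEZSLU1DUkFJRy0wMTAeFw0wOTA4
MDQxMzM3NTVaFw0yOTA3MzAxMzM3NTVaMDQxGzAZBgNVBAoTEk9wZW5EUyBDZXJ0
aWZpY2F0ZTEVMBMGA1UEAxMMRlItTUNSQUlHLTAxMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQCNnnsxIx7dBdx79Ny7b9uptn+db6eu8qHoGDfaTBFOoEU+Sl7f
AW9g3ArSD67kKkmTZnZl/uonSM7+1Mni32/7HyrEQvkZDr1DfndUDG8eVkaP1u/D
XcZNPpEGizchFR+vXbCcA45KZFr54/JakdUAABxlevlfrhlo5N5sQH8HIQIDAQAB
MA0GCSqGSIb3DQEBBQUAA4GBAErAmCUBeBvKCaL2wPeulPz0HoyumFfdC21LAid7
x2tq7EuniCBEiz1mt04sIRYB2iBKPOQ5uIcQXEpo4zllM1yIeCXretWFzr7EhzsF
JlyZRJIaOe5IdkTm9XHENeLACveYd25QsUVClDTPVZHe0AOsH6X2xHQHMCIwSwuw
9pl4
-----END CERTIFICATE-----
"""


def der_to_pem(der: bytes) -> str:
    """Wrap a raw DER certificate (what a ;binary attribute holds) in PEM:
    base64 in 64-column lines between the markers, the 'munging' of step 3.
    ssl.DER_cert_to_PEM_cert produces the same text."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem; raises ValueError if the BEGIN/END lines are off."""
    return ssl.PEM_cert_to_DER_cert(pem)


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos).
    Handles short-form and long-form (0x81, 0x82, ...) lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Yield (tag, value) for each TLV packed inside a SEQUENCE or SET."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val


def _oid(raw: bytes) -> str:
    """Decode an OBJECT IDENTIFIER value; the first octet packs two arcs."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


_ATTR = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}


def _name(seq: bytes) -> dict:
    """Flatten an X.501 Name (SEQUENCE OF SET OF {OID, value}) to a dict."""
    out = {}
    for _, rdn in _children(seq):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = list(_children(atv))
            out[_ATTR.get(_oid(oid), _oid(oid))] = val.decode("utf-8")
    return out


def cert_summary(pem: str) -> dict:
    """Serial, issuer, subject and validity of one PEM certificate: enough
    X.509 to see which hostname a self-signed cert names.  It does not check
    the signature; that is the TLS library's job once DEMAND is set."""
    _, cert, _ = _tlv(pem_to_der(pem), 0)   # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                 # tbsCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                  # EXPLICIT [0] version, if present
        fields = fields[1:]
    serial, _sigalg, issuer, validity, subject = fields[:5]
    not_before, not_after = (v.decode("ascii") for _, v in _children(validity[1]))
    return {"serial": serial[1].hex().upper(), "issuer": _name(issuer[1]),
            "subject": _name(subject[1]),
            "not_before": not_before, "not_after": not_after}   # UTCTime YYMMDDhhmmssZ


def starttls_bind(host: str, port: int, cacertfile: str, bind_dn: str, password: str):
    """Hypothetical helper (not from the post): StartTLS, then simple bind,
    with the server certificate verified.  OPT_X_TLS_NEVER, as in the post,
    makes libldap accept any certificate, so the CA file is never consulted;
    DEMAND fails start_tls_s() (ldap.CONNECT_ERROR) unless the certificate
    verifies against cacertfile and `host` matches its CN or SAN."""
    import ldap  # deferred so the parsing above runs without python-ldap
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile)
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn = ldap.initialize("ldap://%s:%d" % (host, port))
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    conn.start_tls_s()
    conn.simple_bind_s(bind_dn, password)
    return conn


if __name__ == "__main__":
    info = cert_summary(OPENDS_CERT_PEM)
    print(info)
    print("use ldap://%s:1389 in the URL" % info["subject"]["CN"])
```

Run on the PEM above, `cert_summary` reports subject and issuer CN=FR-MCRAIG-01, O=OpenDS Certificate, valid from 090804133755Z to 290730133755Z, so FR-MCRAIG-01 is the hostname the URL must carry. With DEMAND, a URL that names the server differently, or a server presenting a certificate other than the one in the file, fails at `start_tls_s()` instead of silently connecting.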

If you cannot figure out what hostname is in the self-signed server cert, have a look with ldapsearch: when it does not recognize the certificate it prints the Subject DN, whose CN is the hostname to use.

D:\SunOpenDS_SE2.0\bat>ldapsearch --useStartTLS -p 1389 -b dc=example,dc=com uid=bjensen
The server is using the following certificate:
    Subject DN:  CN=FR-MCRAIG-01, O=OpenDS Self-Signed Certificate
    Issuer DN:  CN=FR-MCRAIG-01, O=OpenDS Self-Signed Certificate
    Validity:  Tue Aug 04 15:35:44 CEST 2009 through Thu Aug 04 15:35:44 CEST 2011
Do you wish to trust this certificate and continue connecting to the server?
Please enter "yes" or "no":yes
dn: uid=bjensen,ou=People,dc=example,dc=com
...

Compare this with the PEM above: its Subject DN decodes to CN=FR-MCRAIG-01, O=OpenDS Certificate, valid until 2029, whereas the listener presents O=OpenDS Self-Signed Certificate expiring in 2011. The value under cn=admin data is the instance key certificate, not the server-cert the LDAP listener uses for TLS; the python-ldap session above did not notice because OPT_X_TLS_NEVER skips the check. The keytool export of alias server-cert from config/keystore in the first comment below yields the certificate the listener actually presents.
Comments:

Since this is primarily the first result in using OpenDS with python-ldap, I'll add this comment despite the age of the post. There's a much easier way to get the certificate out of the system:

keytool -keystore <OpenDS-Dir>/config/keystore -export -alias server-cert -rfc -file /tmp/cert.pem

It'll throw a warning that can be ignored. No more munging of the file and getting base64 decode errors if you mess up.

Posted by John E. Vincent on September 10, 2010 at 11:38 AM CEST #

Thanks for the sample code!

Posted by Mike Schwartz on November 20, 2010 at 08:27 AM CET #

About

Mark Craig writes about Directory Services products and technologies. The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.
