← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1209343] Re: LDAP connection code does not provide ldap.set_option(ldap.OPT_X_TLS_CACERTFILE) for ldaps protocol

 

** Changed in: keystone/icehouse
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1209343

Title:
  LDAP connection code does not provide
  ldap.set_option(ldap.OPT_X_TLS_CACERTFILE) for ldaps protocol

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone icehouse series:
  Fix Released

Bug description:
  The HP Enterprise Directory LDAP servers require a ca certificate file
  for ldaps connections. Sample working Python code:

          ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, "d:/etc/ssl/certs/hpca2ssG2_ns.cer")
          ldap_client = ldap.initialize(host)
          ldap_client.protocol_version = ldap.VERSION3

          ldap_client.simple_bind_s(binduser,bindpw)

          filter = '(uid=mark.m*)'
          attrs = ['cn', 'mail', 'uid', 'hpStatus']

          r = ldap_client.search_s(base, scope, filter, attrs)

          for dn, entry in r:
              print 'dn=', repr(dn)

              for k in entry.keys():
                  print '\t', k, '=', entry[k]

  The current H-2 " keystone/common/ldap/core.py" file only provides
  this ldap.set_option for TLS connections. I have attached a picture of
  a screen shot showing the change I had to make to file core.py to
  enable the "ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,
  tls_cacertfile)" statement to also get executed for ldaps connections.
  Basically I pulled the set_option code out of the "if tls_cacertfile:"
  block.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1209343/+subscriptions