yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #23033
[Bug 1209343] Re: LDAP connection code does not provide ldap.set_option(ldap.OPT_X_TLS_CACERTFILE) for ldaps protocol
** Changed in: keystone/icehouse
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1209343
Title:
LDAP connection code does not provide
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE) for ldaps protocol
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone icehouse series:
Fix Released
Bug description:
The HP Enterprise Directory LDAP servers require a ca certificate file
for ldaps connections. Sample working Python code:
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, "d:/etc/ssl/certs/hpca2ssG2_ns.cer")
ldap_client = ldap.initialize(host)
ldap_client.protocol_version = ldap.VERSION3
ldap_client.simple_bind_s(binduser,bindpw)
filter = '(uid=mark.m*)'
attrs = ['cn', 'mail', 'uid', 'hpStatus']
r = ldap_client.search_s(base, scope, filter, attrs)
for dn, entry in r:
print 'dn=', repr(dn)
for k in entry.keys():
print '\t', k, '=', entry[k]
The current H-2 " keystone/common/ldap/core.py" file only provides
this ldap.set_option for TLS connections. I have attached a picture of
a screen shot showing the change I had to make to file core.py to
enable the "ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,
tls_cacertfile)" statement to also get executed for ldaps connections.
Basically I pulled the set_option code out of the "if tls_cacertfile:"
block.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1209343/+subscriptions