The OpenDS server on my laptop is using a self-signed cert. The trick to using StartTLS -- to avoid sending passwords over the network in clear text -- seems to be telling the underlying software to consider this self-signed cert as a CA cert.
Perhaps not safe for production, but seems to work for testing.
- Configure OpenDS to permit StartTLS. The easiest way to do this is at install time with Quick Setup.
- Bring up the OpenDS Control Panel.
- In the Control Panel's Manage Entries window, select Base DN: All Base DNs.
- Under cn=admin data > instance keys > ds-cfg-instance-key, the entry has a ds-cfg-public-key-certificate;binary attribute whose value is visible when you click Edit...
- Copy that server cert value.
- Save the server cert to a .pem file. Adding the ...BEGIN... and ...END... lines and playing with the formatting gave me this:
    C:\>more opends-cert.pem
    -----BEGIN CERTIFICATE-----
    MIIB3zCCAUigAwIBAgIESng5szANBgkqhkiG9w0BAQUFADA0MRswGQYDVQQKExJP
    cGVuRFMgQ2VydGlmaWNhdGUxFTATBgNVBAMTDEZSLU1DUkFJRy0wMTAeFw0wOTA4
    MDQxMzM3NTVaFw0yOTA3MzAxMzM3NTVaMDQxGzAZBgNVBAoTEk9wZW5EUyBDZXJ0
    aWZpY2F0ZTEVMBMGA1UEAxMMRlItTUNSQUlHLTAxMIGfMA0GCSqGSIb3DQEBAQUA
    A4GNADCBiQKBgQCNnnsxIx7dBdx79Ny7b9uptn+db6eu8qHoGDfaTBFOoEU+Sl7f
    AW9g3ArSD67kKkmTZnZl/uonSM7+1Mni32/7HyrEQvkZDr1DfndUDG8eVkaP1u/D
    XcZNPpEGizchFR+vXbCcA45KZFr54/JakdUAABxlevlfrhlo5N5sQH8HIQIDAQAB
    MA0GCSqGSIb3DQEBBQUAA4GBAErAmCUBeBvKCaL2wPeulPz0HoyumFfdC21LAid7
    x2tq7EuniCBEiz1mt04sIRYB2iBKPOQ5uIcQXEpo4zllM1yIeCXretWFzr7EhzsF
    JlyZRJIaOe5IdkTm9XHENeLACveYd25QsUVClDTPVZHe0AOsH6X2xHQHMCIwSwuw
    9pl4
    -----END CERTIFICATE-----
- Tell the Python LDAP code to pretend the file contains a CA cert.
Here, make sure that the hostname you use in the LDAP URL is the same as the one in the cert.
    >>> import ldap
    >>> ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
    >>> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,"C:\opends-cert.pem")
    >>> l = ldap.initialize("ldap://FR-MCRAIG-01:1389")
    >>> l.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    >>> l.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND)
    >>> l.start_tls_s()
    >>> l.simple_bind_s('uid=kvaughan,ou=people,dc=example,dc=com','bribery')
    (97, [])
    >>> l.whoami_s()
    'dn:uid=kvaughan,ou=People,dc=example,dc=com'
    >>>
If you cannot figure out what hostname is in the self-signed server cert, have a look with ldapsearch.
    D:\SunOpenDS_SE2.0\bat>ldapsearch --useStartTLS -p 1389 -b dc=example,dc=com uid=bjensen
    The server is using the following certificate:
         Subject DN:  CN=FR-MCRAIG-01, O=OpenDS Self-Signed Certificate
         Issuer DN:  CN=FR-MCRAIG-01, O=OpenDS Self-Signed Certificate
         Validity:  Tue Aug 04 15:35:44 CEST 2009 through Thu Aug 04 15:35:44 CEST 2011
    Do you wish to trust this certificate and continue connecting to the server?
    Please enter "yes" or "no":yes
    dn: uid=bjensen,ou=People,dc=example,dc=com
    ...
