global options in python ldap

I was playing with python-ldap in the console and got results which I can't explain. I hope somebody can clarify this for me.

Open a new Python console:

import ldap
import os

# libldap does not expand '~' itself, so expand it in Python first
certfile = os.path.expanduser('~/ad-server.test.loc.pem')
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, certfile)

who = 'CN=Administrator,CN=Users,dc=test,dc=loc'
passwd = 'passwd'
sslserver = 'ldaps://ad-server.test.loc:636'

# let's say I would like to disable certificate verification for the next connection
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
conn = ldap.initialize(sslserver)
conn.simple_bind_s(who, passwd)

(97, [])

#connected successfully

# Now I want to enable certificate verification and try to connect again (this time I should
# fail because I use a self-signed certificate)

#Unbind connection

conn.unbind()
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
conn = ldap.initialize(sslserver)

#Trying to connect

conn.simple_bind_s(who, passwd)

(97, [])


# it also connected successfully. Why?

Here is the question: I turned on certificate verification, so the connection attempt should have finished with an error, but it connected successfully (I used a self-signed certificate, which is why the attempt to connect should fail). Why?

Another example. Do the same things, but in a different order.

Open a new Python console:

import ldap
import os

# libldap does not expand '~' itself, so expand it in Python first
certfile = os.path.expanduser('~/ad-server.test.loc.pem')
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, certfile)
who = 'CN=Administrator,CN=Users,dc=test,dc=loc'
passwd = 'passwd'
sslserver = 'ldaps://ad-server.test.loc:636'

# Trying to connect using a self-signed certificate

ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
conn = ldap.initialize(sslserver)
conn.simple_bind_s(who, passwd)
Traceback bla bla bla
ldap.SERVER_DOWN: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}

# Ok, let's disable verification and try again
conn.unbind()
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
conn = ldap.initialize(sslserver)
conn.simple_bind_s(who, passwd)
Traceback bla bla bla
ldap.SERVER_DOWN: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}


# Even though I disabled verification, the connection failed. Why? I expected a positive result.

Can anybody explain this?

asked by Roman Bakaleyko, Oct 18 '25 05:10


1 Answer

We just ran into a similar problem. Basically, all of the TLS options are set globally by default and stored in a context object used by GNUTLS. The first time a connection is created, that becomes the TLS context that will be used by all subsequent connections in that process.

To change this behavior, the very last TLS-related set_option call you make should be:

connection.set_option(ldap.OPT_X_TLS_NEWCTX, 0)

This is actually done in one of the python-ldap demos.

answered by Wes Winham, Oct 20 '25 18:10
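The per-connection approach the answer describes, as an added example that is not code from the original post or from python-ldap itself. It sets the TLS options on the LDAPObject rather than on the module, and issues OPT_X_TLS_NEWCTX last so libldap builds a fresh TLS context from exactly those options instead of reusing the first context created in the process. The URI, bind DN and CA path are placeholders matching the question; the option values (OPT_X_TLS_DEMAND to verify, OPT_X_TLS_ALLOW to skip verification) are the ones the question used. The planning helper works without python-ldap installed; only connect() needs the library and a reachable server.

```python
"""Per-connection TLS settings in python-ldap (added example, not from the post)."""
import os

# Map the verify flag to the python-ldap constant name for OPT_X_TLS_REQUIRE_CERT.
# Names are resolved to real values only inside connect(), so tls_option_plan()
# can run (and be tested) without python-ldap present.
_REQUIRE_CERT_LEVEL = {True: "OPT_X_TLS_DEMAND", False: "OPT_X_TLS_ALLOW"}


def tls_option_plan(verify, cacertfile=None):
    """Return the ordered (option_name, value) pairs to apply to one LDAPObject.

    Order matters: OPT_X_TLS_NEWCTX must be the last TLS option set, because it
    is the call that materialises a new TLS context from the options before it.
    Without it libldap keeps the context built for the first connection in the
    process, which is the behaviour the question ran into.
    """
    plan = []
    if cacertfile is not None:
        # libldap does not expand '~' itself; do it here.
        plan.append(("OPT_X_TLS_CACERTFILE", os.path.expanduser(cacertfile)))
    plan.append(("OPT_X_TLS_REQUIRE_CERT", _REQUIRE_CERT_LEVEL[bool(verify)]))
    plan.append(("OPT_X_TLS_NEWCTX", 0))
    return plan


def connect(uri, who, passwd, verify=True, cacertfile=None):
    """Open an ldaps:// connection whose TLS settings apply to it alone.

    With verify=True and a certificate that does not chain to cacertfile,
    simple_bind_s raises ldap.SERVER_DOWN ("certificate verify failed"), which
    is the failure the question expected and, after this change, actually gets.
    """
    import ldap  # imported here so the planning helper has no hard dependency

    conn = ldap.initialize(uri)
    for name, value in tls_option_plan(verify, cacertfile):
        if name == "OPT_X_TLS_REQUIRE_CERT":
            value = getattr(ldap, value)  # constant name -> numeric value
        # Connection-level set_option: the setting does not leak into the
        # module-wide defaults or into other LDAPObjects.
        conn.set_option(getattr(ldap, name), value)
    # For ldaps:// the TLS handshake happens on the first operation, i.e. here.
    conn.simple_bind_s(who, passwd)
    return conn


if __name__ == "__main__":
    # Placeholders taken from the question; no server is contacted here.
    for verify in (False, True):
        print(verify, tls_option_plan(verify, "~/ad-server.test.loc.pem"))
```

With this, the question's two scenarios behave as expected in one process: connect(sslserver, who, passwd, verify=False) succeeds against the self-signed server, and a following connect(sslserver, who, passwd, verify=True, cacertfile=certfile) fails with ldap.SERVER_DOWN unless the server certificate chains to the CA file. The order of the two calls no longer matters, because each connection gets its own context.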