Closed senfomat closed 1 year ago
Unfortunately, if OpenLDAP doesn't set a specific return value or a diagnostic message, then I don't think it's possible to raise a specific error.
The raised exception is based on the LDAP error code (returned by an LDAP function call or set in the LDAP structure's corresponding field), and if an additional diagnostic message is provided, then it's concatenated to the exception's error message.
TLS-related errors are usually only shown in libldap's trace logs. You can set trace-level logging with bonsai.set_debug(True, -1).
OK, I agree that this is an OpenLDAP library issue. So I'll close the issue.
But thanks for the hint about the trace logs. There I can see the real error:
[...]
DBG: _ldap_bind (ld:0x7f3764000b60, info:0x1943560, ppolicy:0, result:(nil), msgid:0)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.domain.local:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.10.10.10:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_msgfree
ldap_err2string
DBG: ldapconnectiter_dealloc (self:0x7f376a99a740)
[...]
Issue: I recently ran multiple times into the problem that LDAP connection attempts were unsuccessful because the server certificates could not be verified. This was due to the corresponding CA certificate missing from the central CA system store (in our case Ubuntu Linux).
When I was tracking down these connection problems, I had to do trial and error to nail it down to this certificate thing, because bonsai just raises
bonsai.errors.ConnectionError: Can't contact LDAP server. (unknown error code) (0xFFFF [-1])
Is there a possibility to raise more specific exceptions on these SSL-related errors?
Setup:
Testscript:
Output:
(When I uncomment the line
client.set_cert_policy("allow")
in my code, the connection is established successfully.)
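An added example, not code from the bonsai project or from anyone in this thread, that turns the trace output quoted above into a concrete diagnosis instead of trial and error. It assumes that libldap on Ubuntu is built against GnuTLS, so the line "TLS: peer cert untrusted or revoked (0x42)" comes from OpenLDAP's GnuTLS backend and the number is a gnutls_certificate_status_t bitmask: 0x42 is GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND, which is exactly "the issuing CA is not in the trust store". The helper at the end is the fix a practitioner would prefer over set_cert_policy("allow"): "allow" makes the connection succeed only because libldap stops rejecting an unverifiable server certificate, which leaves the bind open to interception, whereas set_cert_policy("demand") plus set_ca_cert(path) keeps verification on and supplies the missing CA. The bonsai calls and the CA path are assumptions, and the sample trace is constructed from the lines posted above.

```python
"""Decode the GnuTLS certificate-status word in libldap's TLS trace line."""
import re

# gnutls_certificate_status_t bits (gnutls/gnutls.h). Assumption: Ubuntu's
# libldap is linked against GnuTLS, whose backend prints this trace line.
GNUTLS_CERT_STATUS = {
    1 << 1:  "GNUTLS_CERT_INVALID",
    1 << 5:  "GNUTLS_CERT_REVOKED",
    1 << 6:  "GNUTLS_CERT_SIGNER_NOT_FOUND",
    1 << 7:  "GNUTLS_CERT_SIGNER_NOT_CA",
    1 << 8:  "GNUTLS_CERT_INSECURE_ALGORITHM",
    1 << 9:  "GNUTLS_CERT_NOT_ACTIVATED",
    1 << 10: "GNUTLS_CERT_EXPIRED",
    1 << 11: "GNUTLS_CERT_SIGNATURE_FAILURE",
    1 << 14: "GNUTLS_CERT_UNEXPECTED_OWNER",
    1 << 17: "GNUTLS_CERT_MISMATCH",
    1 << 18: "GNUTLS_CERT_PURPOSE_MISMATCH",
}

# What each flag usually means for the person debugging the connection.
HINTS = {
    "GNUTLS_CERT_SIGNER_NOT_FOUND": "issuing CA not in the trust store: install it or point libldap at it",
    "GNUTLS_CERT_SIGNER_NOT_CA": "issuer certificate lacks CA basic constraints",
    "GNUTLS_CERT_EXPIRED": "server certificate has expired",
    "GNUTLS_CERT_NOT_ACTIVATED": "server certificate not yet valid (check the clock)",
    "GNUTLS_CERT_REVOKED": "server certificate is revoked",
    "GNUTLS_CERT_UNEXPECTED_OWNER": "hostname does not match the certificate",
    "GNUTLS_CERT_MISMATCH": "hostname does not match the certificate",
    "GNUTLS_CERT_INSECURE_ALGORITHM": "certificate uses an insecure signature algorithm",
    "GNUTLS_CERT_SIGNATURE_FAILURE": "certificate signature does not verify",
}

_TRACE_RE = re.compile(r"TLS: peer cert untrusted or revoked \((0x[0-9a-fA-F]+)\)")

# Constructed sample: the relevant lines from the trace posted in this thread.
SAMPLE_TRACE = """\
ldap_connect_to_host: Trying 10.10.10.10:636
connect success
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
"""


def decode_gnutls_status(status):
    """Names of the status bits set in `status`, lowest bit first.

    Bits this table does not know are reported as UNKNOWN(0x..) so that
    nothing is silently dropped from the diagnosis.
    """
    names = [name for bit, name in sorted(GNUTLS_CERT_STATUS.items()) if status & bit]
    unknown = status & ~sum(GNUTLS_CERT_STATUS)
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def explain_trace(trace_text):
    """Find the GnuTLS verification line in libldap trace output and decode it.

    Returns None when no such line is present (the failure is not a
    certificate-verification one), otherwise a dict with the raw status,
    the flag names and the practical hints for the flags that have one.
    """
    match = _TRACE_RE.search(trace_text)
    if match is None:
        return None
    status = int(match.group(1), 16)
    flags = decode_gnutls_status(status)
    return {
        "status": status,
        "flags": flags,
        "hints": [HINTS[name] for name in flags if name in HINTS],
    }


def ldap_client_with_pinned_ca(url, ca_cert_path):
    """bonsai client that keeps strict verification and trusts the given CA.

    Assumption: bonsai.LDAPClient.set_cert_policy("demand") maps to
    LDAP_OPT_X_TLS_REQUIRE_CERT=demand and set_ca_cert(path) points libldap
    at the CA file. bonsai is imported lazily so the decoder above works
    without it installed.
    """
    import bonsai
    client = bonsai.LDAPClient(url)
    client.set_cert_policy("demand")   # verify the server cert; "allow" would not
    client.set_ca_cert(ca_cert_path)   # the CA that issued the server's certificate
    return client


if __name__ == "__main__":
    print(explain_trace(SAMPLE_TRACE))
    # Assumed placeholder path for the internal CA; adjust before use.
    # client = ldap_client_with_pinned_ca("ldaps://ldap.domain.local:636",
    #                                     "/usr/local/share/ca-certificates/internal-ca.crt")
```

Run it against the full output of bonsai.set_debug(True, -1) on stderr rather than the snippet; if explain_trace returns None, the failure is not certificate verification and the "Can't contact LDAP server" error has a different cause.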