Univention Bugzilla – Bug 54408
LDAP connection API change: set OPT_X_TLS_NEWCTX
Last modified: 2022-02-23 16:29:33 CET
Future versions of python-ldap require setting `OPT_X_TLS_NEWCTX` to `0` in order to establish a TLS connection.

> Warning
>
> libldap does not materialize all TLS settings immediately. You must use OPT_X_TLS_NEWCTX with value 0 to instruct libldap to apply pending TLS settings and create a new internal TLS context:
>
>     conn = ldap.initialize("ldap://ldap.example")
>     conn.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/ca.pem')
>     conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
>     conn.start_tls_s()
>     conn.simple_bind_s(dn, password)

https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#tls-options

Otherwise a CONNECT_ERROR is raised and one is unable to use STARTTLS:

    ldap.CONNECT_ERROR: {'result': -11, 'desc': 'Connect error', 'ctrls': [], 'info': '(unknown error code)'}

We should set this option already now because:

* prevent errors during future upgrades
* be able to use uldap.py in docker containers with more recent versions (e.g. in projects)
Successful build
Package: univention-python
Version: 13.0.2-6A~5.0.0.202202171908
Branch: ucs_5.0-0
Scope: errata5.0-1

Successful build
Package: univention-ad-connector
Version: 14.0.8-6A~5.0.0.202202171718
Branch: ucs_5.0-0
Scope: errata5.0-1

Successful build
Package: ucs-test
Version: 10.0.6-98A~5.0.0.202202171913
Branch: ucs_5.0-0
Scope: errata5.0-1

As the first comment states, future python-ldap versions (3.3.0 onwards) will require the option `OPT_X_TLS_NEWCTX` to be set for TLS-encrypted LDAP connections whenever certain other TLS settings are set via set_option(). For example, after the `OPT_X_TLS_CACERTFILE` option is set, there has to be an additional set_option(ldap.OPT_X_TLS_NEWCTX, 0) for the corresponding LDAP connection. For further information on this, please follow the link that was posted in the first comment.

Branch: 5.0-1
dbe60ed10082504282d546ce6b36c84c3a33dd72
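The ordering requirement described in the first two comments (every TLS option first, then `OPT_X_TLS_NEWCTX` set to `0`, then STARTTLS) is shown below as an added example. It is not code from the bug, from Univention's uldap.py or from python-ldap; the function names `tls_options`, `newctx_applied_last`, `connect_starttls` and the `RecordingConnection` test double are assumptions made for this illustration. The real `ldap` constants are used when python-ldap is importable; the numeric fallbacks are the `LDAP_OPT_X_TLS_*` values from libldap's ldap.h and exist only so the ordering logic runs without the module. The double reproduces the failure from the first comment (STARTTLS refused with "Connect error", result -11) whenever pending TLS settings were never materialized.

```python
"""Added example: apply python-ldap TLS options in the order libldap needs
(OPT_X_TLS_NEWCTX=0 last) and audit an existing set_option sequence."""

try:
    import ldap  # python-ldap, if installed
    OPT_CACERTFILE = ldap.OPT_X_TLS_CACERTFILE
    OPT_REQUIRE_CERT = ldap.OPT_X_TLS_REQUIRE_CERT
    OPT_NEWCTX = ldap.OPT_X_TLS_NEWCTX
    TLS_DEMAND = ldap.OPT_X_TLS_DEMAND
except ImportError:
    # Assumed fallback (LDAP_OPT_X_TLS_* from libldap's ldap.h) so the
    # ordering logic can be exercised without python-ldap being present.
    ldap = None
    OPT_CACERTFILE = 0x6002
    OPT_REQUIRE_CERT = 0x6006
    OPT_NEWCTX = 0x600F
    TLS_DEMAND = 2

# TLS settings that libldap keeps pending until a new context is created.
TLS_OPTIONS = {OPT_CACERTFILE, OPT_REQUIRE_CERT}


def tls_options(cacertfile, require_cert=True):
    """Ordered (option, value) pairs to pass to set_option().
    The OPT_X_TLS_NEWCTX=0 entry is deliberately last: it tells libldap to
    materialize the pending settings into a fresh internal TLS context."""
    opts = [(OPT_CACERTFILE, cacertfile)]
    if require_cert:
        # Demand a valid server certificate instead of accepting any.
        opts.append((OPT_REQUIRE_CERT, TLS_DEMAND))
    opts.append((OPT_NEWCTX, 0))
    return opts


def newctx_applied_last(calls):
    """Audit helper: True when a NEWCTX=0 call follows the last TLS option
    call (or when no TLS option was set at all), False otherwise."""
    last_tls = max((i for i, (opt, _) in enumerate(calls) if opt in TLS_OPTIONS), default=-1)
    last_newctx = max((i for i, (opt, val) in enumerate(calls)
                       if opt == OPT_NEWCTX and val == 0), default=-1)
    return last_tls == -1 or last_newctx > last_tls


def connect_starttls(uri, cacertfile, binddn, password, initialize=None):
    """Initialize, configure TLS in the required order, STARTTLS, then bind.
    `initialize` defaults to ldap.initialize; a factory can be injected."""
    if initialize is None:
        if ldap is None:
            raise RuntimeError("python-ldap is not installed")
        initialize = ldap.initialize
    conn = initialize(uri)
    for opt, val in tls_options(cacertfile):
        conn.set_option(opt, val)
    conn.start_tls_s()
    conn.simple_bind_s(binddn, password)
    return conn


class RecordingConnection:
    """Constructed test double standing in for an ldap.LDAPObject. It records
    set_option calls and mimics the failure reported in the bug: STARTTLS
    fails with 'Connect error' (-11) when the pending TLS settings were never
    materialized with OPT_X_TLS_NEWCTX=0."""

    def __init__(self, uri):
        self.uri = uri
        self.calls = []
        self.tls_started = False
        self.bound = None

    def set_option(self, option, value):
        self.calls.append((option, value))

    def start_tls_s(self):
        if not newctx_applied_last(self.calls):
            raise ConnectionError("Connect error (-11): TLS settings not "
                                  "materialized; set OPT_X_TLS_NEWCTX to 0 last")
        self.tls_started = True

    def simple_bind_s(self, dn, password):
        if not self.tls_started:
            raise ConnectionError("refusing to bind before STARTTLS")
        self.bound = (dn, password)


def demo():
    """Run the sequence against the double with constructed values and
    return the recorded set_option calls."""
    conn = connect_starttls("ldap://ldap.example", "/path/to/ca.pem",
                            "cn=admin,dc=example,dc=com", "secret",
                            initialize=RecordingConnection)
    return conn.calls


if __name__ == "__main__":
    for opt, val in demo():
        print(hex(opt), val)
```

`newctx_applied_last` is the piece worth reusing: wrap or instrument a connection's `set_option` in a code base and run the recorded calls through it to find the spots where a CA file or certificate policy is set without a trailing `OPT_X_TLS_NEWCTX` of `0`, which is exactly the check the QA comment performed by hand.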
OK: ucs-test
OK: univention-python
OK: univention-ad-connector
OK: I could not find any further usage in UCS or UCS@school
OK: YAML

univention-python.yaml
64a0ad767d57 | Bug #54408: yaml
52383652efc2 | Bug #54408: yamls
dbe60ed10082 | Bug #54408: set OPT_X_TLS_NEWCTX option for TLS encrypted LDAP connections

univention-python (13.0.2-6)
c2ad17b546cf | Bug #54408: version bump

univention-python (13.0.2-5)
de741f5c40b3 | Bug #54408: fix syntax error
dbe60ed10082 | Bug #54408: set OPT_X_TLS_NEWCTX option for TLS encrypted LDAP connections

univention-ad-connector.yaml
52383652efc2 | Bug #54408: yamls
dbe60ed10082 | Bug #54408: set OPT_X_TLS_NEWCTX option for TLS encrypted LDAP connections

univention-ad-connector (14.0.8-6)
dbe60ed10082 | Bug #54408: set OPT_X_TLS_NEWCTX option for TLS encrypted LDAP connections

ucs-test (10.0.6-98)
dbe60ed10082 | Bug #54408: set OPT_X_TLS_NEWCTX option for TLS encrypted LDAP connections
<https://errata.software-univention.de/#/?erratum=5.0x234>
<https://errata.software-univention.de/#/?erratum=5.0x235>