ValueError exception trying to set_option OPT_X_TLS_CACERTFILE in Mac OS #301

Closed
shubb30 opened this issue Sep 5, 2019 · 5 comments · Fixed by #338
shubb30 commented Sep 5, 2019

Mac OS 10.14.6
Python 3.7.2
python-ldap 3.2.0

Issue description:

On Mac OS, trying to set the OPT_X_TLS_CACERTFILE option raises a ValueError.

Steps to reproduce:

```
$ python
Python 3.7.2 (default, Feb 12 2019, 08:16:38)
[Clang 10.0.0 (clang-1000.11.45.5)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import ldap
>>> l = ldap.initialize("ldaps://server")
>>> l.set_option(ldap.OPT_X_TLS_CACERTFILE, "/path/to/file")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.7/site-packages/ldap/ldapobject.py", line 921, in set_option
    return self._ldap_call(self._l.set_option,option,invalue)
  File "/usr/local/lib/python3.7/site-packages/ldap/ldapobject.py", line 315, in _ldap_call
    result = func(*args,**kwargs)
ValueError: option error
>>>
```

Doing the same thing in a Docker container running Python 3.7.3 does not have the problem.

```
# python
Python 3.7.3 (default, Mar 27 2019, 23:51:31)
[GCC 6.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ldap
>>> l = ldap.initialize("ldaps://server")
>>> l.set_option(ldap.OPT_X_TLS_CACERTFILE, "/path/to/file")
>>>
```

@jfarshankar

The openldap which comes bundled with OSX seems to be the issue. Based on the instructions here (https://stackoverflow.com/a/43450931), I tried using Homebrew to install openldap and then building the package with that, but I could not get it to work. Finally, I tried installing python-ldap with conda and it just worked.


quanah commented Feb 20, 2020

The OSX version of OpenLDAP is hacked to build against a custom Apple-written TLS library. I don't know what option(s) it allows for the TLS CA certificate to be set.


quanah commented Feb 20, 2020

Per the Apple-written man page, it looks like ldap.conf wants "TLS_TRUSTED_CERTS" to be set, so I'm guessing they have an analogous option for setting this directly as well. You'd need to track down their source tree to discover exactly what they named it.


sara1068 commented May 3, 2024

> The openldap which comes bundled with OSX seems to be the issue. Based on the instructions here (https://stackoverflow.com/a/43450931), I tried using Homebrew to install openldap and then building the package with that, but I could not get it to work. Finally, I tried installing python-ldap with conda and it just worked.

Got my program to accept the certificate (although just a start), after debugging for hours. Thanks a lot


quanah commented May 3, 2024

If you got it working using the native OSX ldap libraries, it would be nice if you could document how :)
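
An added example, not part of the thread and not python-ldap's own code: a small wrapper that sets the CA file and fails closed when libldap raises the `ValueError` reported here, so a client never falls back to unverified TLS. It does not make Apple's libldap accept the option. The names `configure_ca_trust` and `TLSConfigError` are hypothetical; `OPT_X_TLS_REQUIRE_CERT`, `OPT_X_TLS_DEMAND`, `OPT_X_TLS_NEWCTX` and `OPT_X_TLS_PACKAGE` are python-ldap constants not mentioned in the thread.

```python
import os


class TLSConfigError(RuntimeError):
    """Raised when CA trust cannot be configured; callers must not connect."""


def configure_ca_trust(conn, cafile, ldap_mod=None):
    """Pin `cafile` as the trust anchor on `conn` and require verification.

    Fails closed: if libldap rejects an option (the ValueError from this
    issue), raise instead of continuing with unverified TLS.
    """
    if ldap_mod is None:
        # python-ldap, imported lazily so a stub module can be injected in tests
        import ldap as ldap_mod

    if not os.path.isfile(cafile):
        raise TLSConfigError(f"CA file not found: {cafile}")

    try:
        conn.set_option(ldap_mod.OPT_X_TLS_CACERTFILE, cafile)
        conn.set_option(ldap_mod.OPT_X_TLS_REQUIRE_CERT, ldap_mod.OPT_X_TLS_DEMAND)
        # Build a fresh TLS context so the settings above take effect.
        conn.set_option(ldap_mod.OPT_X_TLS_NEWCTX, 0)
    except ValueError as exc:
        # Report which TLS backend libldap was built against, if it will say.
        try:
            backend = ldap_mod.get_option(ldap_mod.OPT_X_TLS_PACKAGE)
        except Exception:
            backend = "unknown"
        raise TLSConfigError(
            f"libldap (TLS backend: {backend}) rejected a TLS option; "
            "refusing to continue without certificate verification"
        ) from exc
    return conn
```

With python-ldap installed, call it as `configure_ca_trust(ldap.initialize("ldaps://server"), "/path/to/file")` before binding.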
