See https://bugzilla.redhat.com/show_bug.cgi?id=1048475

Do we want to actually track this in code, issue a warning for one release, then make it a hard error?

It's a bit tricky. The cert settings can be changed globally ldap_set_option(NULL, opt, val) and locally ldap_set_option(conn, opt, val). I'm not sure how to fix cases like:

conn = ldap.initialize()
# now change the global setting but expect the local connection to pick up the change
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, True)
conn.start_tls_s()

Documenting it is fine, or at least a good first step. We don't need to hand-hold the users (though it would be nice if we did).

Anyway, I don't think 3.0.0 beta needs to wait for this, as it's not a regression from either python-ldap or pyldap.

Checkmk/checkmk@caa7fe1

sometimes setting OPT_X_TLS_NEWCTX throws a ValueError, but it still connects successfully

This is a problem for reconnecting ldap object because it doesn't catch the value error when settings OPT_X_TLS_NEWCTX

@LarsMichelsen
@tiran

@encukou would it be better if all options were set at once using a namedtuple?

ldap.initialize(uri=x, options=ldap.Options(referrals=0, tls_certfile=..., ))

and global set_option was removed?

and then OPT_X_TLS_NEWCTX would just be sent last if ldap.Option had any TLS options

tribe29/checkmk@caa7fe1

sometimes setting OPT_X_TLS_NEWCTX throws a ValueError, but it still connects successfully

This is a problem for reconnecting ldap object because it doesn't catch the value error when settings OPT_X_TLS_NEWCTX

I'm only familiar with the OpenSSL and NSS backends. I know for a fact that the OpenSSL backend throws a ValueError with OPT_X_TLS_NEWCTX when OPT_X_TLS_CACERTFILE points to an invalid or missing CA cert bundle. You might still be able to connect but not with the configuration you are expecting. It's possible that you end up with an insecure connection.

Would it be possible to throw a FileNotFoundError instead?

No, OpenLDAP libldap does not return additional information. python-ldap just gets a generic error code.

>>> import ldap
>>> conn = ldap.initialize("ldap://localhost")
>>> conn.set_option(ldap.OPT_X_TLS_CACERTFILE, "/invalid")
>>> conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.7/site-packages/ldap/ldapobject.py", line 919, in set_option
    return self._ldap_call(self._l.set_option,option,invalue)
  File "/usr/lib64/python3.7/site-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ValueError: option error

@tiran I've raised an issue re the generic error code with openldap https://www.openldap.org/its/index.cgi/Incoming?id=9157

conn.set_option(ldap.OPT_X_TLS_NEWCTX, 1) instructs OpenLDAP to create a context for an LDAP server. LDAP client libraries such as python-ldap must use conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0).

@tiran ah yes I misunderstood that issue thread

Looks like I'm not the only person that got confused by OpenLDAP's documentation. :) I started https://www.openldap.org/its/index.cgi/Incoming?id=8805 because I misunderstood how NEWCTX works.

In OpenLDAP 2.6 (due for release in September) the fix for ITS#9157 will be released. The error message from the TLS library will be saved in
the LDAP* handle and retrievable via ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, ...).