0

Hy

I'm starting learning flask but when I follow this documentation

I receive this error... Strange that using ldapsearch everything is fine....

Using:

  • Ubuntu Focal
  • python3.8
  • python3-flask 1.1.1-2
  • python3-flask-ldapconn 0.7.2-1
  • python3-ldap3 2.4.1-2
  • python3-openssl 19.0.0-1build1
  • openssl 1.1.1f-1ubuntu1
  • slapd 2.4.49+dfsg-2ubuntu1

ldap.conf:

BASE    dc=contatogs,dc=com,dc=br
URI     ldap://zeus7.contatogs.com.br
SIZELIMIT       0
TIMELIMIT       0
TLS_REQCERT demand
TLS_CACERT      /etc/ssl/contatogs.com.br/cacert.pem

part of flask:

from flask import Flask, render_template
from flask_ldapconn import LDAPConn

app = Flask(__name__)
ldap = LDAPConn(app)
app.config['SECRET_KEY'] = 'lihflhdlkfhlkfh'

import ssl
LDAP_SERVER = 'zeus7.contatogs.com.br'
LDAP_PORT = 389
LDAP_BINDDN = 'cn=admin,dc=contatogs,dc=com,dc=br'
LDAP_SECRET = 'adminldap'
LDAP_TIMEOUT = 0
LDAP_USE_TLS = True  # default
LDAP_REQUIRE_CERT = ssl.CERT_NONE  # default: CERT_REQUIRED
LDAP_CA_CERTS_FILE = '/etc/ssl/contatogs.com.br/cacert.pem'
LDAP_CLIENT_PRIVATE_KEY = '/etc/ssl/contatogs.com.br/private/zeus7.contatogs.com.br.key.pem'
LDAP_CLIENT_CERT = '/etc/ssl/contatogs.com.br/newcerts/zeus7.contatogs.com.br.crt.pem'

When using ldapseach its ok:

ldapsearch -xLLLZZ -D cn=admin,dc=contatogs,dc=com,dc=br -w adminldap -H ldap://zeus7.contatogs.com.br | wc -l

Result: 5862

Where is my mistake?

Thanks in advanced

second round Learning a little more about ldap3 I could see same error ( https://ldap3.readthedocs.io/en/latest/tutorial_intro.html)

python3

Python 3.8.2 (default, Mar 13 2020, 10:14:16)

[GCC 9.3.0] on linux Type "help", "copyright", "credits" or "license" for more information.

from ldap3 import Server, Connection, ALL, Tls

import ssl

tls_configuration = Tls(validate=ssl.CERT_REQUIRED, version=ssl.PROTOCOL_TLSv1)

server = Server('ipa.demo1.freeipa.org', use_ssl=True, tls=tls_configuration)

conn = Connection(server)

conn.open()

Traceback (most recent call last): File "", line 1, in File "/usr/lib/python3/dist-packages/ldap3/strategy/sync.py", line 56, in open BaseStrategy.open(self, reset_usage, read_server_info) File "/usr/lib/python3/dist-packages/ldap3/strategy/base.py", line 141, in open raise exception_history0(exception_history[0][2]) ldap3.core.exceptions.LDAPSocketOpenError: (LDAPSocketOpenError('socket ssl wrapping error: [SSL] internal error (_ssl.c:1108)'),)

Maybe something about ssl/tls

Paulo Ricardo Bruck
  • 41
  • 1
  • 5
  • Hi there, did you manage to get it working in the end? I have a pretty different configuration, but a working one. Not posting it as an answer at the moment because it's just a different configuration with Flask, and it's not STARTTLS but "regular" TLS1.3. – Oleg Feb 09 '21 at 15:32
  • Thanks for interrest. I decide to use python3-ldap3 purely, as I couldn't find a work around using flask_ldapconn. Maybe later I 'll return and test it again. In my case I always use StartTLS with openldap. Maybe I change it in future too...80) – Paulo Ricardo Bruck Feb 10 '21 at 17:08

1 Answers1

0

Try changing the SSL config to accept older versions of TLS.

On Ubuntu edit /etc/ssl/openssl.cnf || In RHEL 8.1: /etc/crypto-policies/back-ends/opensslcnf.config and edit the below:

MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1

Note that this is a severe threat to security, but you can use it for testing and see if this helps.

ref:

https://takraw-s.medium.com/fix-errors-socket-ssl-wrapping-error-errno-104-connection-reset-by-peer-9c63c551cd7

https://github.com/cannatag/ldap3/issues/385

I hope it helps!

Kuba T
  • 1