TLS support in CheckMK -- Support for LDAP with StartTLS

So yes, it’s just the conn.start_tls_s(). I can connect via TLS now. Had to also replace ldaps with ldap in the URI, but that’s just because I don’t know the codebase and therefore don’t know where the right place for doing it is.

If there was a config option "use TLS", that would be easier.

Just for reference my hacky solution, ldap_connector:[309,335] now looks like:

            # Excerpt from ldap_connector (lines 309-335); relies on module-level
            # `import ldap`, `import ldap.ldapobject` and `import cmk.utils.paths`.
            # Hack: StartTLS upgrades a plain ldap:// connection, so swap the scheme here.
            uri = self._format_ldap_uri(server).replace('ldaps', 'ldap')
            conn = ldap.ldapobject.ReconnectLDAPObject(
                uri, trace_level=trace_level, trace_file=trace_file
            )
            conn.protocol_version = self._config.get("version", 3)
            conn.network_timeout = self._config.get("connect_timeout", 2.0)
            conn.retry_delay = 0.5

            # When using the domain top level as base-dn, the subtree search stumbles with referral objects.
            # whatever. We simply disable them here when using active directory. Hope this fixes all problems.
            if self.is_active_directory():
                conn.set_option(ldap.OPT_REFERRALS, 0)

            if "use_ssl" in self._config:
                # CA bundle used to verify the server certificate once TLS is negotiated.
                conn.set_option(ldap.OPT_X_TLS_CACERTFILE, str(cmk.utils.paths.trusted_ca_file))

                # Caused trouble on older systems or systems with some special configuration or set of
                # libraries. For example we saw a Ubuntu 17.10 system with libldap 2.4.45+dfsg-1ubuntu1 and
                # libgnutls30 3.5.8-6ubuntu3 raising "ValueError: option error" while another system with
                # the exact same libraries did not. Try to do this on systems that support this call and ignore
                # the errors on other systems.
                try:
                    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
                except ValueError:
                    pass

                # Upgrade the plaintext connection to TLS in place (RFC 4511 StartTLS).
                conn.start_tls_s()
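The same StartTLS sequence as a stand-alone helper, added here as an example and not part of CheckMK or the post above. It replaces the string `.replace('ldaps', 'ldap')` with proper URI parsing so only the scheme (and the ldaps default port) changes, and it assumes an explicit `:636` should become the plaintext port 389; `ca_file` is any CA bundle path.

```python
from urllib.parse import urlsplit, urlunsplit

LDAP_PORT = 389
LDAPS_PORT = 636


def starttls_uri(uri: str) -> str:
    """Rewrite an ldaps:// URI into the ldap:// URI that StartTLS needs.

    StartTLS upgrades a plain connection on the LDAP port, so the scheme must
    be ldap:// and the port the plaintext one. Only the scheme and port are
    touched, so a host name that happens to contain "ldaps" is left alone.
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URI: {uri!r}")
    port = parts.port
    # Assumption: no port or an explicit :636 means "the ldaps default", so the
    # plaintext port is used; any other explicit port is kept as given.
    if port in (None, LDAPS_PORT):
        port = LDAP_PORT
    host = parts.hostname or ""
    if ":" in host:  # bare IPv6 literal must be re-bracketed
        host = f"[{host}]"
    return urlunsplit(("ldap", f"{host}:{port}", parts.path, parts.query, ""))


def connect_starttls(uri: str, ca_file: str, timeout: float = 2.0):
    """Open a python-ldap connection and upgrade it with StartTLS.

    Same order as the post: CA file, OPT_X_TLS_NEWCTX, then start_tls_s().
    python-ldap is imported lazily so starttls_uri() works without it.
    """
    import ldap  # python-ldap

    conn = ldap.initialize(starttls_uri(uri))
    conn.protocol_version = 3
    conn.network_timeout = timeout
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
    # Demand a certificate that chains to ca_file; without this StartTLS
    # encrypts the session but does not authenticate the server.
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    # Apply the TLS options to a fresh context; older libldap builds reject
    # this call (see the post), so tolerate the ValueError.
    try:
        conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    except ValueError:
        pass
    conn.start_tls_s()  # plaintext -> TLS on the same socket
    return conn
```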