.. Ross Patterson's Blog imported post, created by `$ ./bin/rfc822-to-post` on Mar 15, 2021.

.. meta::
   :description: Bringing LDAP and SSL/SASL/TLS certificates into the buildout fold
   :keywords: Plone, Zope

.. post:: Jul 19, 2009
   :tags: Plone, Zope
   :author: Ross Patterson
   :redirect: @@redirect-to-uuid/82259bc278c293f805fe0de50600cc50

#######################################
LDAP, Certificates and Buildout, oh my!
#######################################

Bringing LDAP and SSL/SASL/TLS certificates into the buildout fold

I hate modified dependencies. I'm none too fond of python-ldap/buildout issues either. So when a client had a patch to modify the various Plone LDAP eggs just to get SSL/SASL/TLS certificates working, I'd had it. I decided it was time to make everything reproducible and bring LDAP fully into the buildout fold.

The modifications were used to get the python-ldap package to properly authenticate/verify certificates when connecting via SSL/SASL/TLS. I found a `Plone setup list post `_ that provides most of the solution. The right way to get certificates working is to have the underlying openldap installation properly configured to use the certificates: python-ldap is only a binding to libldap, and libldap reads its own ``ldap.conf``. If that's configured properly, python-ldap will just work and no modifications are required to the Plone LDAP eggs. The post contains the basic buildout configuration layout required to get things working, which includes building openldap using CMMI and using a template to install an ``ldap.conf`` that tells the openldap build where to find the certificates. I ran into one issue during the openldap build for which some quick googling pointed me to an `environment variable workaround `_.

The post uses a buildout part to install the certificates into the buildout configuration, but since the ``ldap.conf`` template has to say where the certificates are anyway, I just point to them in the ``ldap.conf`` template at ``etc/ldap.conf.in``::

    TLS_CACERTDIR /usr/local/ssl/certs
    TLS_REQCERT hard

Then we build python-ldap telling it to use the openldap build from the buildout. The final key is to make sure that the custom python-ldap egg is used and not one retrieved by buildout *prior* to building the custom egg. The way to achieve this is to make sure that the instance(s) ``eggs`` option does a variable substitution from the python-ldap buildout part, thus forcing the right dependency ordering. The end result is my ``ldap.cfg`` file::

    [buildout]
    extends = base.cfg
    parts +=
        openldap-build
        ldap.conf
        python-ldap

    [instance1]
    eggs += ${python-ldap:egg}

    [openldap-build]
    recipe = zc.recipe.cmmi
    url = ftp://ftp.openldap.org/pub/OpenLDAP/openldap-stable/openldap-stable-20090411.tgz
    environment =
        # Workaround for "error: storage size of ‘peercred’ isn’t known"
        # http://www.openldap.org/lists/openldap-bugs/200808/msg00130.html
        CPPFLAGS=-D_GNU_SOURCE
    extra_options =
        --with-sasl
        --with-tls
        --enable-slapd=no

    [ldap.conf]
    recipe = collective.recipe.template
    depends = ${openldap-build:location}
    input = etc/ldap.conf.in
    output = ${openldap-build:location}/etc/openldap/ldap.conf

    [python-ldap]
    recipe = zc.recipe.egg:custom
    egg = python-ldap
    include-dirs = ${openldap-build:location}/include
    library-dirs = ${openldap-build:location}/lib
    rpath = ${openldap-build:location}/lib

Enjoy!

.. update:: Jul 19, 2009

   Imported from Plone on Mar 15, 2021. The date for this update is the last modified date in Plone.
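Whether python-ldap actually verifies the server certificate comes down to the two ``ldap.conf`` keywords in the template above, so here is a small audit script, added here and not part of the original post or of python-ldap, that parses an ``ldap.conf`` body and reports whether a client using it would enforce peer verification. The keyword semantics (``never``/``allow``/``try``/``demand``, with ``hard`` as a synonym for ``demand`` and ``demand`` as the default when the keyword is absent) are taken from ldap.conf(5); the two embedded sample files are constructed for the example, one that silences certificate errors by turning verification off and one matching the template the post installs. The script only inspects the file; it does not load libldap.

```python
"""Audit OpenLDAP ldap.conf TLS settings (added example, not from the original post).

parse_ldap_conf() reads the keyword/value lines of an ldap.conf body; audit_tls()
reports whether a client using that file would verify the server certificate.
"""

# TLS_REQCERT values per ldap.conf(5); "hard" is a synonym for "demand".
STRICT = {"demand", "hard"}     # missing or bad certificate terminates the session
LENIENT = {"never", "allow"}    # missing or bad certificate is accepted silently
PARTIAL = {"try"}               # bad certificate terminates, missing one is accepted
DEFAULT_REQCERT = "demand"      # OpenLDAP's documented default when the keyword is absent


def parse_ldap_conf(text):
    """Return {KEYWORD: value} for an ldap.conf body.

    Keywords are case-insensitive, blank lines and '#' comments are skipped, and a
    later occurrence of a keyword overrides an earlier one, as in OpenLDAP itself.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_tls(settings):
    """Return a list of findings; an empty list means peer verification is enforced."""
    findings = []
    reqcert = settings.get("TLS_REQCERT", DEFAULT_REQCERT).lower()
    if reqcert in LENIENT:
        findings.append(
            "TLS_REQCERT %s: invalid or missing server certificates are accepted, "
            "so TLS gives no protection against an impostor server" % reqcert)
    elif reqcert in PARTIAL:
        findings.append("TLS_REQCERT try: a server that presents no certificate is accepted")
    elif reqcert not in STRICT:
        findings.append("TLS_REQCERT %r: not a value OpenLDAP recognises" % reqcert)
    if not any(key in settings for key in ("TLS_CACERT", "TLS_CACERTDIR")):
        findings.append("no TLS_CACERT/TLS_CACERTDIR: there is no trust anchor to verify against")
    return findings


def audit_text(text):
    """Parse then audit an ldap.conf body."""
    return audit_tls(parse_ldap_conf(text))


# Constructed samples: a weak file and the kind of file the post's template produces.
WEAK_LDAP_CONF = """\
# "Fixes" certificate errors by not checking anything
TLS_REQCERT never
"""

STRICT_LDAP_CONF = """\
TLS_CACERTDIR /usr/local/ssl/certs
TLS_REQCERT hard
"""


if __name__ == "__main__":
    for name, body in (("weak", WEAK_LDAP_CONF), ("strict", STRICT_LDAP_CONF)):
        print(name, audit_text(body) or ["ok"])
```

Two caveats the check cannot see from the file alone: ``TLS_CACERTDIR`` must be a directory prepared with ``c_rehash`` (or ``openssl rehash``), otherwise libldap finds no CA certificate there and ``demand`` rejects every connection; and libldap reads the ``ldap.conf`` under its own compiled-in sysconfdir, so the ``rpath`` line in the ``python-ldap`` part matters, because a python-ldap that silently links against a system libldap at run time will read a different ``ldap.conf`` than the one the ``ldap.conf`` part writes. python-ldap also exposes the same knob per connection as ``ldap.OPT_X_TLS_REQUIRE_CERT`` (for example set to ``ldap.OPT_X_TLS_DEMAND``), which is the option an application would have to pass explicitly if it did not rely on ``ldap.conf``.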