Problem: Your own Python Code refuses to use SSL based communication

Problem

You own Python code on a non-UCS system authenticating webapps (or similar) refuses to use the SSL encrypte port 7636 instead of unencrypted port 7389.

Environment

You are authentication from a non-UCS system and you will get tracebacks similar to the following:

data@data:~/Dokumente/python_scripts/ldapinfo> python3 ldapsinfo_user.py edvtest password
ldapinfo_root_ucs:-> Verbindungsaufbau
Traceback (most recent call last):
File "ldapsinfo_user.py", line 28, in ldapinfo_root_ucs
conucs.simple_bind_s(binddnucs, password)
File "/usr/lib64/python3.8/site-packages/ldap/ldapobject.py", line 443, in simple_bind_s
msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
File "/usr/lib64/python3.8/site-packages/ldap/ldapobject.py", line 437, in simple_bind
return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
File "/usr/lib64/python3.8/site-packages/ldap/ldapobject.py", line 329, in _ldap_call
reraise(exc_type, exc_value, exc_traceback)
File "/usr/lib64/python3.8/site-packages/ldap/compat.py", line 44, in reraise
raise exc_value
File "/usr/lib64/python3.8/site-packages/ldap/ldapobject.py", line 313, in _ldap_call
result = func(*args,**kwargs)
ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in
certificate chain)'}

Solution

If you want to perform SSL-secured actions, the certificates must be certified by a “trusted” authority. By default, with UCS these are only the UCS servers of the domain. To make the UCS certificate known to your Python system, you have to install the CA certificate locally.
For a Debian system this is done as follows:

  • /etc/univention/ssl/ucsCA/CAcert.pem is the “Root-CA-certificate”. Copy this to your Debian system

  • Place it on Debian under /usr/local/share/ca-certificates ablegen; Filename has to end with .crt. Rename the file to match this requirement.

  • Start update-ca-certificates as root.