Debugging SSL connections

Mike Orr sluggoster at
Wed Jun 21 00:41:01 CEST 2006

Hi.  I have a Python application that uses LDAP to authenticate users.
 Today our organization moved the server to one that uses LDAP-SSL,
and I can't connect to it.  I couldn't find anything about SSL in the
python-ldap or openldap documentation, but a Google search found this
letter from 2003:

David Casti wrote:
> >
> > import ldap
> > l = ldap.initialize( 'ldaps://target:636' )
> > [..]
> > ldap.SERVER_DOWN: {'info': 'error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc':
> > "Can't contact LDAP server"}
> The message is pretty clear. The server's certificate cannot be verified.
> > ldap.set_option( ldap.OPT_X_TLS_CACERTFILE, '/path/ca.crt' )
> This is the right thing to do.
> Can you please try something like
> openssl s_client -connect target:636 -CAfile /path/ca.crt
> and carefully examime its output?

But I don't have a certificate to authenticate against.  Mozilla
Thunderbird works fine without it   "openssl s_client -connect
target:636" ends with:
"Verify return code: 19 (self signed certificate in certificate chain)"

This is not surprising; our organization always uses self-signed
certificates.  The ldapsearch program refuses to run, saying:

TLS certificate verification: Error, self signed certificate in
certificate chain
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Is there an option for "just accept the certificate anyway"?  Is there
a list of LDAP options anywhere?  I couldn't find one.

Is there a HOWTO anywhere for using python-ldap with SSL?  I only
discovered ldaps: by guessing maybe it works like https:.

Mike Orr <sluggoster at>

More information about the python-ldap mailing list