Problem using ldaps with two different CA cert files

Rich Megginson rich.megginson at
Wed Sep 10 22:59:08 CEST 2008

The following code does not work in a couple of different places:

import sys
import ldap, ldap.ldapobject
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/ca1.pem')
conn1 = ldap.ldapobject.LDAPObject('ldaps://server1.domain:636')
#conn1.set_option(ldap.OPT_DEBUG_LEVEL, 255)
# NOTE: 1 - setting conn specific cacertfile doesn't work - only the
# module level setting seems to work
#conn1.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/ca1.pem')
print "conn1 set up correctly"
# NOTE: 2 - although this appears to work i.e. get_option returns the new
# one, the code never attempts to open /path/to/ca2.pem - I've validated 
this via strace
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/ca2.pem')
print "cacert file =", ldap.get_option(ldap.OPT_X_TLS_CACERTFILE)
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 0) # this works
conn2 = ldap.initialize('ldaps://server2.domain:636')
#conn2.set_option(ldap.OPT_DEBUG_LEVEL, 255)
# again, conn specific setting does not work
conn2.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/ca2.pem')
print "conn2 cacertfile=", conn2.get_option(ldap.OPT_X_TLS_CACERTFILE)
conn2.simple_bind("binddn2","password2") # errors here - cannot verify 
peer server ssl cert
print "conn2 set up correctly"

Is it possible to use two different CA certs in a single python-ldap 
app?  I've tried using both version 2.2.0 on rhel5 and version 2.3.1 on 
fedora 9

More information about the python-ldap mailing list