Certificate checking on LDAP over SSL connection

Michael Ströder michael at stroeder.com
Tue Dec 9 20:15:10 CET 2008

Alberto Lopes wrote:
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/path/to/my/CAcert')
> l = ldap.initialize('ldaps://<server>:<port>',trace_level=ldapmodule_trace_level,trace_file=ldapmodule_trace_file)
> l.protocol_version=ldap.VERSION3
> l.bind_s('','',ldap.AUTH_SIMPLE) 
> Here, I got the following message:
> ldap.SERVER_DOWN: {'info': 'TLS: unable to get CN from peer
> certificate', 'desc' : "Can't contact LDAP server"}

This is rather an OpenSSL issue, maybe depending on the OpenSSL version
used to build the OpenLDAP libs. I'd test that with
openssl s_client first:

openssl s_client -connect <server>:<port> -CAfile /path/to/my/CAcert

> Point is, the LDAP server certificate doesn't have the "Subject" field;
> instead, it uses the "Subject Alternate Name" field in the V3 Extensions.

Well, a cert MUST have a subject DN. It might be the case that it does
not have a CN attribute. IMHO it should.

Ciao, Michael.
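The error in the quoted post comes from a verifier that looks for a CN in the subject DN, which is exactly what a SAN-only certificate does not have. The following added example (not code from the thread, python-ldap or OpenLDAP) contrasts that CN-only check with RFC 6125-style matching, where dNSName entries in the Subject Alternative Name take precedence and the CN is only a fallback. The certificate dicts are constructed by hand in the shape that `ssl.SSLSocket.getpeercert()` from the Python standard library returns; no network connection is made.

```python
"""Hostname matching over a parsed peer certificate.

Added example, not part of the original thread or of python-ldap.
The cert dicts below are constructed to mimic the structure returned by
ssl.SSLSocket.getpeercert(); they are not real certificates.
"""


def _match_dns(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname.

    Case-insensitive exact match, or a single wildcard that replaces the
    leftmost label only: '*.example.com' matches 'ldap.example.com' but
    not 'a.b.example.com' and not 'example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must cover exactly one label and leave at least two fixed labels.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def _subject_cns(cert: dict) -> list:
    """Collect every commonName attribute from the subject DN (may be empty)."""
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def candidate_names(cert: dict) -> tuple:
    """Return (names, source) of the identifiers a client should match.

    RFC 6125 section 6.4.4: when the certificate carries any dNSName SAN
    entries, use only those; consult the subject CN only when there are none.
    """
    sans = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans, "subjectAltName"
    return _subject_cns(cert), "commonName"


def hostname_matches(cert: dict, hostname: str) -> bool:
    """SAN-first hostname check; accepts a SAN-only cert that names the host."""
    names, _ = candidate_names(cert)
    return any(_match_dns(n, hostname) for n in names)


def legacy_cn_check(cert: dict, hostname: str) -> tuple:
    """Model of a CN-only verifier, the behaviour the thread's error points at.

    It never reads the SAN, so a certificate whose subject has no CN is
    rejected outright even though its SAN names the server.
    """
    cns = _subject_cns(cert)
    if not cns:
        return False, "unable to get CN from peer certificate"
    return _match_dns(cns[0], hostname), "checked CN only"


# Constructed sample certificates (getpeercert() shape), not real certs.
SAN_ONLY_CERT = {
    "subject": ((("organizationName", "Example Corp"),),),  # no commonName
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.ldap-pool.example.com")),
}
CN_ONLY_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),  # no SAN extension
}
SAN_MISMATCH_CERT = {
    # SAN present, so the matching CN must be ignored per RFC 6125.
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "other.example.com"),),
}


if __name__ == "__main__":
    host = "ldap.example.com"
    for label, cert in (("SAN only", SAN_ONLY_CERT), ("CN only", CN_ONLY_CERT),
                        ("SAN mismatch", SAN_MISMATCH_CERT)):
        print(f"{label:13s} rfc6125={hostname_matches(cert, host)!s:5s} "
              f"legacy={legacy_cn_check(cert, host)}")
```

Run stand-alone, the script shows the SAN-only certificate accepted by the SAN-first check and rejected by the CN-only model with the same "unable to get CN" wording as the quoted error, while the certificate whose SAN names a different host is refused despite its matching CN.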

More information about the python-ldap mailing list