How to verify server certificate

Fredrik Melander melander at
Tue Aug 4 18:20:49 CEST 2009

Michael Ströder schrieb:
> Fredrik Melander wrote:
>> Short question: when negotiating TLS with the LDAP server with
>> start_tls_s(), can I use python-ldap to follow the certificate chain and
>>   verify the server certificate? If so, how?
> The OpenLDAP libs are doing that for you (with the help of an underlying lib
> like OpenSSL, GnuTLS or NSS). Same for CRL checking available in recent
> versions of OpenLDAP libs.
> For the most common case with OpenLDAP C libs linked to OpenSSL libs see
> script Demo/
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')
> Ciao, Michael.

Hi, Michael
Thanks for the very fast reply!

I've been playing around with a certificate that should be broken
without having my script complain the least. I would have expected
python-ldap to throw an exception or similar but for the time being it
seems to be pretending that everything's alright.

Here's my connect-method in the class that's using ldap:

def get_connection(self, connection_string):
	"Connect to ldap and return the handle"
	conn = ldap.initialize(connection_string)
	conn.protocol_version = ldap.VERSION3
	conn.set_option(ldap.OPT_REFERRALS, 0)
	conn.set_option(ldap.OPT_X_TLS_CACERTFILE, "etc/openldap/ssl/cacert.pem")
	conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)

	conn.simple_bind_s(self.ldap_user, self.ldap_password)
	return conn

What is it that I'm misunderstanding here?

Best regards,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5927 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the python-ldap mailing list