[python-ldap] python ldap windows OPT_X_TLS_CACERTFILE not working

Michael Ströder michael at stroeder.com
Thu Mar 17 15:48:45 EDT 2016

Daniel Watrous wrote:
> I am able to make a connection to my LDAPS server with my own certificate
> setting the following option on Linux
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, CACERTFILE)


> However, on Windows the same approach fails with
> SERVER_DOWN: {'info': 'error:14090086:SSL
> routines:ssl3_get_server_certificate:certificate verify failed (unable to
> get issuer certificate)', 'desc': "Can't contact LDAP server"}
> It seems that either python-ldap can't follow the Windows based path to the
> certificate OR python-ldap has a hard dependency on a Linux library that
> isn't available on Windows.

The good news is that the 'info' message is actually generated by the OpenSSL
libs. AFAIK Waldemar compiles OpenSSL into his python-ldap builds for Windows.

OpenSSL simply cannot find the CA cert needed to validate the LDAP server cert.

> Any help getting this working on Windows is appreciated. Here's a larger
> snippet from my script
> try:
>     ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, pathtocacertfile)

What's the content of var pathtocacertfile?
Does it contain a Windows path name?
Does the referenced file really contain the CA cert?

Ciao, Michael.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.python.org/pipermail/python-ldap/attachments/20160317/7c1b2208/attachment.bin>

More information about the python-ldap mailing list