We are having some issues with our LDAP server dying. It is part of an IPA setup, and it seems slapd stops accepting connections after too many queries. To debug this, I wrote a Python script that repeatedly binds to and unbinds from the LDAP server, using python-ldap.

The plain-LDAP version worked fine, but since I wanted to torture the SSL portion of our LDAP server (that seemed to be the part dying), I switched to an ldaps:// URL scheme. My first attempt quickly led to:

ldap.SERVER_DOWN: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)', 'desc': "Can't contact LDAP server"}

A little googling pointed me to the OPT_X_TLS_CACERTFILE option. The error is complaining that the chain ends in a self-signed certificate it does not trust: the server cert is issued by the IPA CA, whose own certificate is self-signed. I found that CA certificate (ca.crt in /etc/ipa on the IPA server) and copied it to my local system. I then pointed python-ldap at it via:

ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/saved.cert')

And I was up and running, connecting to my LDAP server over ldaps://. Two things worth knowing: this is a global option, so it has to be set before ldap.initialize() (per-connection TLS options only take effect after conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)), and the right fix is to trust the correct CA, not to relax OPT_X_TLS_REQUIRE_CERT to OPT_X_TLS_NEVER, which makes the error go away by turning certificate verification off entirely.
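Here is a fuller version of the bind/unbind stress loop described above, as an added example rather than the script from the original post. It pins the CA certificate the way the post does, keeps verification mandatory, and tells a TLS trust failure apart from the server actually dying, so a misconfigured CA path does not get mistaken for the slapd problem being hunted. The host name ipa.example.test, the bind DN, the password and the CA path are hypothetical; python-ldap is only needed when a connection is actually attempted.

```python
"""Bind/unbind stress loop over ldaps:// with python-ldap.

Example code added for this post, not the author's script. The host
ipa.example.test, the bind DN, the password and the CA path are
assumptions. python-ldap is imported lazily so the harness itself
runs without it."""
import time

# Substring of the OpenSSL detail that python-ldap puts in the 'info'
# key of an ldap.SERVER_DOWN error when the chain is not trusted.
TLS_VERIFY_MARKER = "certificate verify failed"


def is_tls_verify_failure(err):
    """True when a python-ldap error payload describes a failed
    certificate verification rather than a server that stopped answering.

    python-ldap raises ldap.SERVER_DOWN with a dict as args[0]; the
    OpenSSL detail lands in its 'info' key."""
    info = err.get("info", "") if isinstance(err, dict) else str(err)
    return TLS_VERIFY_MARKER in info


def bind_unbind_once(uri, bind_dn, password, cacert):
    """One connect + bind + unbind cycle against `uri` (ldaps://...).

    The CA file and the verification mode are global libldap options
    and must be set before ldap.initialize(); per-connection TLS options
    would additionally need conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)."""
    import ldap  # python-ldap; only required when actually connecting

    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert)
    # Keep verification mandatory. OPT_X_TLS_NEVER would also make the
    # verify error disappear, by not checking the certificate at all.
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)

    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    conn.simple_bind_s(bind_dn, password)
    conn.unbind_s()


def stress(cycle, iterations, pause=0.0):
    """Run `cycle()` up to `iterations` times and report how far it got.

    `cycle` raises on failure, as python-ldap does (ldap.SERVER_DOWN with
    the error dict as args[0]). Returns a dict with the number of
    successful cycles, the 1-based index of the first failure (or None),
    a reason of 'tls-verify' or 'server-down' (or None), and the raw
    error payload."""
    ok = 0
    for i in range(1, iterations + 1):
        try:
            cycle()
        except Exception as exc:  # ldap.SERVER_DOWN and friends
            err = exc.args[0] if exc.args else {}
            reason = "tls-verify" if is_tls_verify_failure(err) else "server-down"
            return {"ok": ok, "failed_at": i, "reason": reason, "error": err}
        ok += 1
        if pause:
            time.sleep(pause)
    return {"ok": ok, "failed_at": None, "reason": None, "error": None}


if __name__ == "__main__":
    # Assumed values; replace with your own server, DN and CA path.
    URI = "ldaps://ipa.example.test:636"
    BIND_DN = "uid=stress,cn=users,cn=accounts,dc=example,dc=test"
    PASSWORD = "change-me"
    CACERT = "/path/to/saved.cert"

    result = stress(lambda: bind_unbind_once(URI, BIND_DN, PASSWORD, CACERT),
                    iterations=1000)
    if result["reason"] == "tls-verify":
        print("CA file or trust setup is wrong, not the server:", result["error"])
    elif result["reason"] == "server-down":
        print("server stopped answering after", result["ok"], "cycles:", result["error"])
    else:
        print("all", result["ok"], "cycles succeeded")
```

The loop takes the cycle as a callable so the reporting logic can be exercised without a server; in a real run a `tls-verify` result on the very first iteration means the CA file is wrong, while a `server-down` result after a few hundred successful cycles is the symptom the post is chasing.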
