On my Mac, I’ve installed OpenLDAP, modified /etc/openldap/ldap.conf and specified the path to the cert. However, I keep getting this error:
SERVER_DOWN: {
'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate)',
'desc': "Can't contact LDAP server"
}
The ldap.conf has in it:
TLS_REQCERT demand
TLS_CACERT /etc/openldap/CA_tncdc01.cer
And the cer is there:
$ ll /etc/openldap/CA_tncdc01.cer
-rw-r--r--@ 1 eric staff 1298 Jun 23 09:12 /etc/openldap/CA_tncdc01.cer
OpenSSL verify says:
$ openssl verify /etc/openldap/CA_tncdc01.cer
error 18 at 0 depth lookup:self signed certificate
OK
And to bind, I use (Python):
url = "ldaps://[snip]:636"
l = ldap.initialize(url)
l.simple_bind_s(bind_name, bind_password)
All seems to be in order.
Thanks
Eric
Not sure, but the public key of the certificate authority that published your server's certificate does not seem to be understood. On my client I've got:
BASE dc=dom, dc=fr
URI ldaps://srvldap.dom.fr/
TLS_CACERT /etc/ssl/MyCAcert.pem
TLS_REQCERT demand
.pem and .cer are the same DER certificate; one is binary, the other is ASCII. Can you try the PEM format?
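The reply's suggestion is to make sure the file named by TLS_CACERT is PEM-armoured, since that is what OpenSSL (and therefore libldap) reads from a CA file. The following is an added example, not code from the thread: it detects whether a certificate file is DER or PEM, writes a PEM copy, checks that the stdlib ssl module (OpenSSL underneath) will accept it as a trust anchor, and then binds with python-ldap the way the question does, but with the CA file and verification level set explicitly on the connection. The source path is the one from the question; the .pem destination path, the bind DN and the password are assumptions. The python-ldap option names are the library's real constants.

```python
"""Check a CA file before pointing TLS_CACERT / python-ldap at it.

Added example for this thread. Assumes the CA file path from the question;
the .pem destination, bind DN and password are placeholders.
"""
import ssl
from pathlib import Path


def detect_cert_format(data: bytes) -> str:
    """Return 'PEM' or 'DER' for the raw bytes of a certificate file."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    # A DER-encoded X.509 certificate is an ASN.1 SEQUENCE, whose tag byte is 0x30.
    if data[:1] == b"\x30":
        return "DER"
    raise ValueError("file is neither PEM-armoured nor DER-encoded X.509")


def to_pem(data: bytes) -> str:
    """Return the certificate as PEM text, converting from DER when needed."""
    if detect_cert_format(data) == "PEM":
        return data.decode("ascii")
    # ssl.DER_cert_to_PEM_cert base64-encodes the DER bytes and wraps them in the
    # BEGIN/END CERTIFICATE armour that OpenSSL expects in a CA file.
    return ssl.DER_cert_to_PEM_cert(data)


def to_der(pem_text: str) -> bytes:
    """Inverse of to_pem: strip the armour and base64-decode back to DER."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


def ensure_pem_cafile(src: Path, dst: Path) -> str:
    """Write a PEM copy of src to dst; return the format src was in."""
    data = src.read_bytes()
    fmt = detect_cert_format(data)
    dst.write_text(to_pem(data))
    return fmt


def loadable_by_openssl(pem_text: str) -> bool:
    """True if OpenSSL (via the stdlib ssl module) parses the PEM as a CA certificate."""
    ctx = ssl.create_default_context()
    try:
        ctx.load_verify_locations(cadata=pem_text)
    except (ssl.SSLError, ValueError):
        return False
    return True


def ldaps_connect(url: str, ca_pem_path: str, bind_dn: str, bind_pw: str):
    """Bind over LDAPS with certificate verification forced on (python-ldap)."""
    import ldap  # python-ldap; imported here so the helpers above run without it

    conn = ldap.initialize(url)
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_pem_path)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    # NEWCTX must be set last: it makes libldap build a fresh TLS context
    # from the options set above instead of the one built from ldap.conf.
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    conn.simple_bind_s(bind_dn, bind_pw)
    return conn


if __name__ == "__main__":
    src = Path("/etc/openldap/CA_tncdc01.cer")   # path from the question
    dst = Path("/etc/openldap/CA_tncdc01.pem")   # assumed destination
    print("source format:", ensure_pem_cafile(src, dst))
    print("OpenSSL accepts it as a CA:", loadable_by_openssl(dst.read_text()))
    # ldaps_connect("ldaps://ldap.example.invalid:636", str(dst),
    #               "cn=bind,dc=example,dc=invalid", "placeholder-password")
```

If `loadable_by_openssl` returns False for the converted file, the file was never a parseable certificate to begin with, and no TLS_CACERT setting will make the verify step succeed. If it returns True but the bind still reports "unable to get local issuer certificate", the file parses but is not the issuer of the server's certificate chain, which is a different problem from the file format.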