From: Michael S. <mi...@st...> - 2009-08-04 14:51:10

Fredrik Melander wrote:
> Short question: when negotiating TLS with the LDAP server with
> start_tls_s(), can I use python-ldap to follow the certificate chain and
> verify the server certificate? If so, how?

The OpenLDAP libs are doing that for you (with the help of an underlying
lib like OpenSSL, GnuTLS or NSS). Same for CRL checking available in recent
versions of OpenLDAP libs.

For the most common case with OpenLDAP C libs linked to OpenSSL libs see
script Demo/initialize.py:

ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')

Ciao, Michael.
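
An added example, not part of the original post and not taken from python-ldap's Demo scripts: the CA-file option from the reply combined with an explicit "demand a valid certificate" policy, followed by the start_tls_s() call from the question. The function name connect_starttls and its arguments are hypothetical; the options are set globally before ldap.initialize(), as in the reply.

```python
import os


def connect_starttls(uri, ca_file):
    """Connect to uri, upgrade with StartTLS and return the verified connection.

    Hypothetical helper for illustration; uri and ca_file are supplied by the caller.
    """
    # Fail early: a missing CA bundle otherwise shows up as an opaque TLS error.
    if not os.path.isfile(ca_file):
        raise FileNotFoundError("CA bundle not found: %s" % ca_file)

    import ldap  # python-ldap, imported here so this file loads without it

    # Global options, set before initialize() so the new connection inherits them.
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
    # Abort the handshake unless the server chain validates against ca_file.
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)

    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3  # StartTLS is an LDAPv3 extended operation

    try:
        # The OpenLDAP libs walk the chain here; a failure raises an LDAPError.
        conn.start_tls_s()
    except ldap.LDAPError:
        conn.unbind_s()  # never reuse a connection whose TLS upgrade failed
        raise
    return conn
```

Bind only on the returned connection, so that no credentials are sent before the certificate check has passed.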