From: <mi...@st...> - 2006-06-20 23:46:58
Mike Orr wrote:
> On 6/20/06, Michael Ströder <mi...@st...> wrote:
>
>> If you're using self-signed server certificates I can only comment that
>> you SHOULD NOT do this.
>
> I have no control over the server. And some organizations with tight
> budgets balk at paying $100 per year per domain to a company like
> Thawte that essentially does nothing.

Hint: You can run your own CA. Or there's also cacert.org.

>> > ldap_bind: Can't contact LDAP server (-1)
>> > additional info: error:14090086:SSL
>> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>> >
>> > Is there an option for "just accept the certificate anyway"?
>>
>> Nope. That's by design of the OpenLDAP API.
>>
>> You can define the server certificate as CA certificate though. But
>> again, this undermines security measures of SSL/TLS.
>>
>> > Is there
>> > a list of LDAP options anywhere?
>>
>> Why didn't you follow the advice in the e-mail you cited above:
>>
>> ldap.set_option( ldap.OPT_X_TLS_CACERTFILE , ..)
>
> Because I don't have a certificate file to point it to.

As I wrote above you can point to the server certificate file.

> I'm checking with the LDAP admins to see if they'll give us the
> certificate file. If not, I don't know what else to do.

Simply grab it with openssl s_client.

Ciao, Michael.
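The procedure Michael sketches above (grab the server certificate with openssl s_client, then point OPT_X_TLS_CACERTFILE at that file) as a worked example. This is an added illustration, not code from the thread or from python-ldap itself. It assumes an `openssl` binary on PATH, that the server speaks LDAPS on 636 (or StartTLS on 389, which needs `openssl s_client -starttls ldap`, available in OpenSSL 1.1.1 and later), and the python-ldap option names `OPT_X_TLS_CACERTFILE`, `OPT_X_TLS_REQUIRE_CERT` and `OPT_X_TLS_DEMAND`. The `SAMPLE_S_CLIENT_OUTPUT` is constructed; its base64 bodies are placeholders, not real certificates. The fingerprint helper is there for the check a practitioner should not skip: compare the SHA-256 fingerprint of what s_client returned with one the LDAP admins give you out of band, otherwise you have pinned whatever happened to answer on that port.

```python
"""Pin a self-signed LDAP server certificate for python-ldap.

Added example; not part of the python-ldap mailing-list thread.
"""
import base64
import hashlib
import re
import subprocess
from typing import Optional

# One PEM certificate block, as printed by `openssl s_client -showcerts`.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed stand-in for s_client output: two placeholder blocks, the
# server's own certificate first, then an issuer. Bodies are NOT real DER.
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000003)
depth=0 CN = ldap.example.org
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:CN = ldap.example.org
   i:CN = ldap.example.org
-----BEGIN CERTIFICATE-----
MIIBAAAAserverCERTplaceholderAAA
AAAA
-----END CERTIFICATE-----
 1 s:CN = Some Issuer
   i:CN = Some Issuer
-----BEGIN CERTIFICATE-----
MIIBintermediatePLACEHOLDERA
-----END CERTIFICATE-----
---
"""


def extract_first_pem_cert(s_client_output: str) -> Optional[str]:
    """Return the first PEM block (the server's leaf certificate), or None.

    s_client prints the chain leaf-first, so the first block is the one to pin.
    """
    match = PEM_CERT_RE.search(s_client_output)
    return match.group(0) + "\n" if match else None


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the DER inside a PEM block, formatted like
    `openssl x509 -noout -fingerprint -sha256` (AA:BB:...)."""
    body = pem.split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    der = base64.b64decode(body)  # newlines are discarded by b64decode
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_server_cert(host: str, port: int = 636, starttls: bool = False) -> str:
    """Run openssl s_client against host:port and return the leaf cert PEM.

    Requires network access and an openssl binary; not exercised offline.
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-showcerts"]
    if starttls:
        cmd += ["-starttls", "ldap"]  # OpenSSL >= 1.1.1 only
    # Empty stdin makes s_client exit right after the handshake.
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=30)
    pem = extract_first_pem_cert(proc.stdout.decode("utf-8", "replace"))
    if pem is None:
        raise RuntimeError(f"no certificate returned by {host}:{port}: "
                           f"{proc.stderr.decode('utf-8', 'replace').strip()}")
    return pem


def write_pinned_cacert(pem: str, path: str) -> str:
    """Store the leaf certificate so it can serve as the trust anchor."""
    with open(path, "w") as fh:
        fh.write(pem)
    return path


def ldaps_connect_pinned(uri: str, cacertfile: str):
    """Connect with python-ldap, trusting only the pinned certificate.

    Options are set globally before initialize(), as in the thread's
    advice. Verification stays at DEMAND: a self-signed cert is handled by
    trusting that exact cert, never by switching verification off.
    """
    import ldap  # imported here so the helpers above run without python-ldap

    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile)
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn = ldap.initialize(uri)
    conn.simple_bind_s()  # anonymous bind; ldap.SERVER_DOWN on verify failure
    return conn


if __name__ == "__main__":
    # Typical use (hostname assumed):
    #   pem = fetch_server_cert("ldap.example.org")
    #   print(sha256_fingerprint(pem))  # compare with the admins' value first
    #   write_pinned_cacert(pem, "ldap-server.pem")
    #   ldaps_connect_pinned("ldaps://ldap.example.org", "ldap-server.pem")
    print(extract_first_pem_cert(SAMPLE_S_CLIENT_OUTPUT))
```

Two caveats follow from Michael's point that this "undermines security measures of SSL/TLS": the pinned file is the server's own certificate, so the connection breaks the day the admins rotate it, and OpenLDAP will still check the hostname against the certificate, so the URI must use the name in the certificate's subject or SAN.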