Full_Name: Kory Prince
Version: 2.4.39
OS: Linux (Arch/Ubuntu)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (71.49.164.94)
Consider the following code:
#define LDAP_DEPRECATED 1   /* exposes the ldap_simple_bind_s() prototype */
#include <stdio.h>
#include <ldap.h>

int main(void)
{
    LDAP *ld;
    int status = ldap_initialize(&ld, "ldaps://server:636");
    if (status == LDAP_SUCCESS) {
        printf("initialize success\n");
    }
    /* NULL handle: the CA file is set as a global (library-wide) option */
    status = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, "/etc/ssl/certs/ca-certificates.crt");
    status = ldap_simple_bind_s(ld, "bindDN", "pass");
    if (status == LDAP_SUCCESS) {
        printf("bind success\n");
    } else {
        printf("%s\n", ldap_err2string(status));
    }
    return 0;
}
This works as expected. However, changing the set_option line to
status = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, "/etc/ssl/certs/ca-certificates.crt");
(setting the option on the LDAP handle instead of globally) causes the bind to fail.
Using python-ldap gives me a bit more info:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate)
I have compiled libldap 2.4.39 on Arch and Ubuntu and am getting the same result.
Interestingly enough, the version that comes packaged on Ubuntu 12.04 (2.4.28) works fine, but compiling that version myself gives the same error.