I am trying to write a simple client test program using OpenLDAP client API to connect to Microsoft Active Directory Server over SSL.


Below is code snippet.  The program failed to connect.


It failed because of this error: ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


I know there’s no problem with LDAP certificate store /path/to/ldap_certdb because a simple LDAP client test program written in Mozilla LDAP C-SDK worked fine connecting to this same AD server, over SSL.


I need to know if I am using the correct OpenLDAP client API calls.


Any input would be much appreciated. 




Source Code:


        ldap_initialize( &ld, uri );

        if ( ld == NULL ) {

                tester_perror( "ldap_initialize", NULL );

                exit( EXIT_FAILURE );



        rc = ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );

        printf("rc=ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, %d)=%d, error=%s\n",

                version, rc, ldap_err2string(rc));


        rc = ldap_set_option( ld, LDAP_OPT_REFERRALS,

                chaserefs ? LDAP_OPT_ON : LDAP_OPT_OFF );

        printf("rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, %d)=%d, error=%s\n",

                chaserefs, rc, ldap_err2string(rc));


        int debug_flag1 = -1; // LDAP_DEBUG_ANY ;

        rc = ldap_set_option( ld, LDAP_OPT_DEBUG_LEVEL, &debug_flag1);

        printf("rc=ldap_set_option(ld, LDAP_OPT_DEBUG_LEVEL, %d)=%d, error=%s\n",

                debug_flag1, rc, ldap_err2string(rc));


        char *cert_path="/path/to/ldap_certdb";

        rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CACERTDIR, &cert_path);

        printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, %s)=%d, error=%s\n",

                cert_path, rc, ldap_err2string(rc));


        int reqcert = LDAP_OPT_X_TLS_ALLOW;

        rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert);

        printf("rc=ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, %d)=%d, error=%s\n",

                 reqcert, rc, ldap_err2string(rc));


         rc = ldap_sasl_bind_s( ld, manager, LDAP_SASL_SIMPLE, passwd, NULL, NULL, NULL );

         if ( rc != LDAP_SUCCESS ) {

           tester_ldap_error( ld, "ldap_sasl_bind_s", NULL );

           switch ( rc ) {

             case LDAP_BUSY:

             case LDAP_UNAVAILABLE:

               /* fallthru */




           exit( EXIT_FAILURE );




Here’s program output:


rc=ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 3)=0, error=Success

rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, 0)=0, error=Success

rc=ldap_set_option(ld, LDAP_OPT_DEBUG_LEVEL, -1)=0, error=Success

rc=ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, /path/to/ldap_certdb)=0, error=Success

rc=ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, 3)=0, error=Success

PID=4781 - Search(2): base="OU=people,OU=documentum,DC=adldap112,DC=dctmlabs,DC=com", filter="cn=aduser2*" attr="cn".

slapd-search PID=4781: ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed



From: Wu, Daisy
Sent: Friday, August 26, 2011 4:53 PM
To: openldap-technical@openldap.org; 'openldap-devel-request@openldap.org'
Subject: Need sample OpenLDAP client test program connecting to LDAP server over SSL


Hi, OpenLDAP developers,


Do you have any sample test programs (or code snippets) that uses OpenLDAP client API to connect to LDAP server over SSL?


Thanks in advance.