On 10/5/20 8:10 PM, Quanah Gibson-Mount wrote:
> --On Monday, October 5, 2020 6:48 PM +0000 Siddharth Jain
> <[email protected]> wrote:
>
>> TLS: during handshake: peer cert is valid, or was ignored if verification
>> disabled (-9841) TLS: during handshake: Peer certificate is not trusted:
>> kSecTrustResultRecoverableTrustFailure
>
> This message comes from Apple's TLS library. This would indicate that
> you're using a hacked version of OpenLDAP. We cannot offer support for
> a hacked version of OpenLDAP. You will need to ask Apple for help on
> how to correctly configure TLS within their environment.
To add to that: AFAIK the patched libldap in MacOS simply uses the system-wide trust store and nothing else. Furthermore, using ldap_set_option() to set trusted CA certs file or directory leads to errors. This results in weird work-arounds like this:

https://gitlab.com/ae-dir/python-ldap0/-/blob/master/ldap0/ldapobject.py#L251

Ciao, Michael.
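
One shape such a work-around can take, as an added example that is not code from OpenLDAP, python-ldap0 or the linked file: it assumes the python-ldap API (ldap.initialize(), LDAPObject.set_option() and the ldap.OPT_X_TLS_* constants), and it assumes that the macOS libldap rejection surfaces from set_option() as a ValueError or an ldap.LDAPError subclass. The _RecordingConn and _FAKE_OPTS stand-ins at the bottom are constructed so the fallback logic can be exercised without a directory server.

```python
"""Pin a CA file for an LDAP connection, falling back to the platform trust
store only where the caller explicitly allows it.

Added example; not OpenLDAP, python-ldap or python-ldap0 code. Assumes the
python-ldap API. How the macOS libldap refusal surfaces (ValueError or an
ldap.LDAPError subclass from set_option) is an assumption.
"""
import logging
import sys
from types import SimpleNamespace

log = logging.getLogger("ldap_tls")

PINNED = "pinned"              # per-connection CA file accepted by libldap
SYSTEM_TRUST = "system-trust"  # fell back to the platform's own trust store


class TLSSetupError(Exception):
    """libldap rejected the CA file and the system trust store was not allowed."""


def configure_tls(conn, cacert_file, opts, allow_system_trust=False):
    """Pin cacert_file on conn, or fall back to the system trust store.

    conn -- object exposing set_option(option, value), e.g. ldap.initialize(uri)
    opts -- namespace with OPT_X_TLS_* constants and LDAPError (normally the ldap module)

    Returns PINNED or SYSTEM_TRUST. Fails closed (TLSSetupError) when the CA
    file is rejected and allow_system_trust is False, so a misconfiguration
    never silently turns into "trust whatever the platform trusts".
    """
    # Demand a verified peer certificate whichever store ends up being used.
    conn.set_option(opts.OPT_X_TLS_REQUIRE_CERT, opts.OPT_X_TLS_DEMAND)
    try:
        conn.set_option(opts.OPT_X_TLS_CACERTFILE, cacert_file)
    except (ValueError, opts.LDAPError) as exc:
        # Assumption: this is how the patched macOS libldap's refusal surfaces.
        if not allow_system_trust:
            raise TLSSetupError(
                f"libldap on {sys.platform} rejected CA file {cacert_file!r}: {exc}"
            ) from exc
        log.warning("libldap rejected CA file %r (%s); using system trust store",
                    cacert_file, exc)
        return SYSTEM_TRUST
    # OpenLDAP applies the TLS options set above only once a fresh TLS context exists.
    conn.set_option(opts.OPT_X_TLS_NEWCTX, 0)
    return PINNED


def system_trust_allowed(platform=None):
    """Only macOS (darwin) gets the fallback; elsewhere a rejected CA file is a bug."""
    return (platform or sys.platform) == "darwin"


# --- constructed stand-ins so the logic runs offline; not the real ldap module ---
_FAKE_OPTS = SimpleNamespace(
    OPT_X_TLS_REQUIRE_CERT="require_cert",
    OPT_X_TLS_DEMAND="demand",
    OPT_X_TLS_CACERTFILE="cacertfile",
    OPT_X_TLS_NEWCTX="newctx",
    LDAPError=type("LDAPError", (Exception,), {}),
)


class _RecordingConn:
    """Stand-in for ldap.LDAPObject: records set_option calls, optionally
    rejects the CA file the way the macOS libldap is reported to."""

    def __init__(self, reject_cacert=False):
        self.calls = []
        self.reject_cacert = reject_cacert

    def set_option(self, option, value):
        self.calls.append((option, value))
        if self.reject_cacert and option == _FAKE_OPTS.OPT_X_TLS_CACERTFILE:
            raise ValueError("option error")  # assumed python-ldap error text


if __name__ == "__main__":
    import ldap  # python-ldap; a live server is needed to actually start TLS

    uri = sys.argv[1] if len(sys.argv) > 1 else "ldaps://ldap.example.com"  # placeholder host
    conn = ldap.initialize(uri)
    mode = configure_tls(conn, "/etc/ssl/certs/internal-ca.pem", ldap,
                         allow_system_trust=system_trust_allowed())
    print("TLS trust mode:", mode)
```

The design choice is to make the fallback opt-in per platform rather than catching the error everywhere: on Linux a rejected CA file means a wrong path or permissions and should abort, while on macOS the caller knowingly accepts that verification happens against the system-wide store only.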
