DEBUG: Instance details: {'uri':
'ldaps://ldap-model.polytechnique.fr:636', 'basedn': None,
'binddn': 'cn=Directory Manager', 'bindpw': None,
'saslmech': None, 'tls_cacertdir': None, 'tls_cert': None,
'tls_key': None, 'tls_reqcert': 1, 'starttls': False,
'prompt': False, 'pwdfile': None, 'args': {'ldapurl':
'ldaps://ldap-model.polytechnique.fr:636', 'root-dn': 'cn=Directory
Manager'}}
DEBUG: Instance details: {'uri':
'ldaps://ldap-model.polytechnique.fr:636', 'basedn': None,
'binddn': 'cn=Directory Manager', 'bindpw': None,
'saslmech': None, 'tls_cacertdir': None, 'tls_cert': None,
'tls_key': None, 'tls_reqcert': 1, 'starttls': False,
'prompt': False, 'pwdfile': None, 'args': {'ldapurl':
'ldaps://ldap-model.polytechnique.fr:636', 'root-dn': 'cn=Directory
manager'}}
ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server",
'info': 'error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed (self signed certificate
in certificate chain)'}
ERROR: Error: Can't contact LDAP server - error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed (self signed certificate
in certificate chain)
I can't comment about the other environmental changes between those versions, but
tls_reqcert is 1 in both options, aka ldap.OPT_X_TLS_HARD which means your ca cert must be
in your LDAP ca store. You don't specify a tls_cacertdir or a tls_cacert, so whatever
you have in /etc/openldap/ldap.conf will be used for this.
Most likely there is a fault in this config, or the cacertdir is not hashed.
If you use a cacertdir remember you need to run 'openssl rehash' in the directory
to set up the symlinks to the PEM files.
If you use a cacert PEM file directly, ensure it's readable to your user etc.
As a last resort you could set 'tls_reqcert = never' in .dsrc to disable ca
validity checking.
Hope that helps,
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
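A small checker for the .dsrc settings discussed in the reply above, added here as an example and not code from the thread or from 389-ds. It reads an instance section in the INI layout lib389 uses (key names taken from the debug dump; the section name, the "hard" spelling of tls_reqcert, and the placeholder certificate are assumptions), flags a missing CA store or a disabled check, and verifies that every PEM in tls_cacertdir is reachable through an 'openssl rehash' style symlink.

```python
import configparser
import os
import re
import tempfile

# Symlink names that 'openssl rehash' creates, e.g. "5f8a1c3d.0".
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")

# Constructed .dsrc text (INI layout lib389 reads); keys follow the debug dump, section name is assumed.
SAMPLE_DSRC = """[ldap-model]
uri = ldaps://ldap-model.polytechnique.fr:636
binddn = cn=Directory Manager
tls_reqcert = hard
"""

def check_cacertdir(path):
    # Report PEM files that no rehash symlink points to (rehash targets are relative names).
    if not os.path.isdir(path):
        return [f"tls_cacertdir {path} does not exist"]
    names = os.listdir(path)
    linked = {os.path.basename(os.readlink(os.path.join(path, n)))
              for n in names if HASH_LINK.match(n) and os.path.islink(os.path.join(path, n))}
    return [f"{n} has no hash symlink (run 'openssl rehash' in {path})"
            for n in sorted(names) if n.endswith(".pem") and n not in linked]

def check_dsrc(text, section):
    # Return findings for one .dsrc instance section; [] means it looks sane.
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    sec = cfg[section]
    reqcert = sec.get("tls_reqcert", "hard").strip().lower()
    cadir, cacert = sec.get("tls_cacertdir"), sec.get("tls_cacert")
    findings = []
    if reqcert == "never":
        findings.append("tls_reqcert = never: the server certificate is not validated")
    elif not cadir and not cacert:
        findings.append("no tls_cacertdir/tls_cacert: CA store comes from /etc/openldap/ldap.conf")
    if cadir:
        findings.extend(check_cacertdir(cadir))
    return findings

def demo():
    # Constructed fixture: the same cacertdir before and after "rehashing".
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "ca.pem"), "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
        dsrc = SAMPLE_DSRC + f"tls_cacertdir = {d}\n"
        before = check_dsrc(dsrc, "ldap-model")
        # a constructed hash name standing in for what 'openssl rehash' would create
        os.symlink("ca.pem", os.path.join(d, "deadbeef.0"))
        after = check_dsrc(dsrc, "ldap-model")
    return before, after
```

The symlink check only proves the directory was rehashed, not that the right CA is in it; a real run still needs 'openssl rehash' to compute the subject hashes.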