Daniele Albrizio <albrizio@univ.trieste.it> wrote:
I suspect the "cacertfile" attribute is not correctly re-instantiated and only the value of the first request is used to check against when instantiating a new ldaps connection.
Without a doubt the chaining is not working on your LDAP servers. What is the full output of: openssl s_client -connect myAD.ds.units.it:636 -showcerts openssl s_client -connect myopenldap.units.it:636 -showcerts You can pipe the server cert (cut'n'paste on stdin) through the following to see the useful parts of the certs: openssl x509 -noout -text You probably will find if you change those tls 'demands' to 'never' things work, but then it kinda is self defeating :) Cheers -- Alexander Clouter .sigmonster says: You can't break eggs without making an omelet.