The current LDAP support does not support encryption. One of the standard approaches is LDAPS.
We need some way to specify the certificate. In nss_ldap syntax, this is one of:
tls_cacertfile /etc/ssl/ca.cert cacerts
tls_cacertdir /etc/openldap/
Additionally, you need a directive to state whether you intend to use SSL or START_TLS. Having an 'ldaps' URI is not enough, because that wouldn't leave you with a way to specify that you wish to connect to the unencrypted port 389 and issue a START_TLS command. nss_ldap does one of:
ssl on
ssl start_tls
You need a way to specify whether the cert is required and should be validated:
tls_reqcert never | demand | allow
Have a look at the TLS functions of python-ldap:
http://www.python-ldap.org/doc/html/ldap.html#tls-options
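To make the three directives above concrete, here is an added example (not code from this ticket, from nss_ldap or from python-ldap) that reads an nss_ldap-style config fragment, decides from the 'ssl' directive rather than from the URI scheme whether to speak LDAPS on 636 or StartTLS on 389, warns about the weak settings, and only then hands the result to python-ldap's TLS options (ldap.OPT_X_TLS_CACERTFILE, ldap.OPT_X_TLS_CACERTDIR, ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEWCTX and LDAPObject.start_tls_s()). The host name, the sample config text and the helper names are constructed for this example; only 'never', 'allow' and 'demand' are mapped for tls_reqcert because those are the values the ticket lists.

```python
"""Map nss_ldap-style TLS directives onto python-ldap TLS options.

Added example for this ticket; not nss_ldap's or python-ldap's own code.
Directive names are the nss_ldap ones (ssl, tls_cacertfile, tls_cacertdir,
tls_reqcert); the python-ldap calls are ldap.initialize(),
LDAPObject.set_option() and LDAPObject.start_tls_s().
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample config in nss_ldap syntax (hypothetical host name).
SAMPLE_CONFIG = """\
# comments and blank lines are ignored
host ldap.example.com
ssl start_tls
tls_cacertfile /etc/ssl/ca.cert
tls_reqcert demand
"""

REQCERT_VALUES = ("never", "allow", "demand")


@dataclass
class TlsSettings:
    host: str
    mode: Optional[str] = None      # None (plaintext), "on" (LDAPS) or "start_tls"
    cacertfile: Optional[str] = None
    cacertdir: Optional[str] = None
    reqcert: str = "demand"         # safe default: the server cert must validate


def parse_config(text: str) -> TlsSettings:
    """Parse the directives the ticket names; reject values nss_ldap would not accept."""
    s = TlsSettings(host="")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            s.host = value
        elif key == "ssl":
            if value not in ("on", "start_tls"):
                raise ValueError("ssl must be 'on' or 'start_tls', got %r" % value)
            s.mode = value
        elif key == "tls_cacertfile":
            s.cacertfile = value
        elif key == "tls_cacertdir":
            s.cacertdir = value
        elif key == "tls_reqcert":
            if value not in REQCERT_VALUES:
                raise ValueError("tls_reqcert must be one of %s" % (REQCERT_VALUES,))
            s.reqcert = value
    if not s.host:
        raise ValueError("no host directive")
    return s


def uri_for(s: TlsSettings) -> str:
    """The 'ssl' directive, not the URI scheme, decides how TLS is set up:
    'ssl on' means TLS from the first byte on 636 (ldaps://); 'ssl start_tls'
    means a plaintext connection to 389 upgraded with the StartTLS extended
    operation; no directive means plaintext on 389."""
    if s.mode == "on":
        return "ldaps://%s:636" % s.host
    return "ldap://%s:389" % s.host


def check_settings(s: TlsSettings) -> List[str]:
    """Warnings a practitioner wants to see before the first bind."""
    warnings = []
    if s.mode is None:
        warnings.append("no 'ssl' directive: credentials cross the wire in clear text")
    if s.reqcert != "demand":
        warnings.append("tls_reqcert %s: server certificate is not fully validated, "
                        "so an active attacker can impersonate the server" % s.reqcert)
    if s.mode and not (s.cacertfile or s.cacertdir):
        warnings.append("no tls_cacertfile/tls_cacertdir: validation depends on the "
                        "library's default trust store")
    return warnings


def connect(s: TlsSettings):
    """Apply the settings with python-ldap. The import is lazy so the parsing
    above stays usable where python-ldap is not installed."""
    import ldap
    reqcert = {"never": ldap.OPT_X_TLS_NEVER,
               "allow": ldap.OPT_X_TLS_ALLOW,
               "demand": ldap.OPT_X_TLS_DEMAND}[s.reqcert]
    conn = ldap.initialize(uri_for(s))
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, reqcert)
    if s.cacertfile:
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, s.cacertfile)
    if s.cacertdir:
        conn.set_option(ldap.OPT_X_TLS_CACERTDIR, s.cacertdir)
    # python-ldap only applies per-connection TLS options to a fresh context.
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    if s.mode == "start_tls":
        conn.start_tls_s()      # plaintext 389 upgraded via the StartTLS extop
    return conn


if __name__ == "__main__":
    settings = parse_config(SAMPLE_CONFIG)
    print(uri_for(settings), check_settings(settings))
```

Note that with 'ssl start_tls' the URI stays ldap://host:389 and the upgrade happens in start_tls_s(); a server that silently ignores StartTLS would leave the bind in plaintext, which is why check_settings() treats a missing 'ssl' directive and a non-'demand' tls_reqcert as findings rather than defaults.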