On Wed, 27 Sep 2017 12:43:13 +0000 Roger Aas Roger.Aas@atea.no wrote:
I am not sure what this can be, the AD server has a valid certificate, and the NAV server has the CA (by default) in /etc/ssl/certs.
[snip]
[Wed Sep 27 14:08:40.844342 2017] [wsgi:error] [pid 32247:tid 140541489465088] CONNECT_ERROR: {'info': '(unknown error code)', 'desc': 'Connect error'}
The dreaded 'unknown error code'...
Typically, as Sigmund suggested, the LDAP library will report certificate issues as connect errors. You may need to enable the `debug` option in `webfront.conf` to have the OpenLDAP library output more useful (and useless) details.
Having your list of CA certificates in /etc/ssl/certs might not be enough, since this depends on the configuration of OpenLDAP.
Did you consult NAV's LDAP auth documentation at https://nav.uninett.no/doc/reference/ldap.html? It has a section on configuring OpenLDAP to recognize your CA.
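An added diagnostic for the situation above (not part of the original thread or of NAV): OpenLDAP hides a failed TLS handshake behind a bare "Connect error", so these two helpers check what the OpenLDAP client config actually trusts and ask OpenSSL for the real verification result. The config path, host name, port and CA path are placeholders to adjust.

```shell
#!/bin/sh
# Diagnostic helpers for "CONNECT_ERROR ... 'desc': 'Connect error'" from
# OpenLDAP over TLS. Assumptions (not from the thread): the ldap.conf path,
# the LDAP host/port and the CA file are placeholders for your environment.

# Print the CA directive an OpenLDAP client config uses, normalised as
# "TLS_CACERT <path>" or "TLS_CACERTDIR <path>" (first one found).
# Prints nothing when neither directive is set, which is the common reason
# a CA bundle sitting in /etc/ssl/certs is never consulted.
# Returns 1 if the config file cannot be read.
ldap_conf_ca() {
  conf="$1"
  [ -r "$conf" ] || return 1
  # ldap.conf keys are case-insensitive; comment lines start with '#'
  grep -iE '^[[:space:]]*TLS_CACERT(DIR)?[[:space:]]' "$conf" \
    | head -n 1 \
    | awk '{ print toupper($1), $2 }'
}

# Ask OpenSSL directly whether the server certificate chains to the given
# CA file or directory, printing the verify result instead of "Connect error".
# Usage: tls_verify_chain ad.example.org 636 /etc/ssl/certs/corp-ca.pem
tls_verify_chain() {
  host="$1"; port="${2:-636}"; ca="$3"
  if [ -d "$ca" ]; then caopt="-CApath"; else caopt="-CAfile"; fi
  openssl s_client -connect "$host:$port" -servername "$host" \
    "$caopt" "$ca" -verify_return_error </dev/null 2>/dev/null \
    | grep -E '^(Verify return code|verify error)'
}

# Example (placeholders):
#   ldap_conf_ca /etc/ldap/ldap.conf
#   tls_verify_chain ad.example.org 636 /etc/ssl/certs/corp-ca.pem
```

If `ldap_conf_ca` prints nothing, add a `TLS_CACERT` (or `TLS_CACERTDIR`) line to the OpenLDAP client config as the NAV documentation describes; if `tls_verify_chain` reports anything other than "Verify return code: 0 (ok)", the CA you pointed at does not match the chain the AD server presents.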