I've just set up a new rhodecode instance that uses LDAP over SSL but have come across an issue.
I have followed the instructions at http://pythonhosted.org/RhodeCode/setup.html#certificate-checks, which tells me to install (copy) the CA certificate into /opt/openldap/cacerts, which I have. But whenever I try to login using an LDAP account it fails with the log message "LDAP can't access authentication server"
Not one for being defeated, I started to play around with auth_ldap.py code to get a more useful error message. By printing out the dictionary returned by the exception ldap.SERVER_DOWN, the debug log now showed that the 'peer's certificate issuer is not recognized' when I try to login.
After playing around with the python-ldap options, it appears that if I change the ldap object to use a CA Certificate file directly using ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/openldap/cacerts/myca.pem') and then restart the rhodecode service, ldap works. So... it appears that ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '/etc/openldap/cacerts') does not actually work at all.
This needs investigation to either extract the CA certificate file path as a configuration option or fix OPT_X_TLS_CACERTDIR so that it actually works.
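The behaviour described above has a well-known cause worth checking before changing RhodeCode: OpenSSL, which libldap and python-ldap use for TLS, does not scan a CA directory for every `.pem` file. It looks a CA up by a filename derived from the certificate's subject hash (e.g. `5a3ab4d2.0`), the entries that `openssl rehash <dir>` or the older `c_rehash <dir>` create. A directory holding only `myca.pem` is therefore effectively empty for `OPT_X_TLS_CACERTDIR`, while `OPT_X_TLS_CACERTFILE` pointing at the same file works. The following is an added example, not code from the report or from RhodeCode; the helper names `cacert_dir_status`, `tls_options`, `apply_tls_options` and `demo` are hypothetical, and the sample paths are constructed.

```python
"""Diagnose an ignored OPT_X_TLS_CACERTDIR and build python-ldap TLS options.

Added example (not RhodeCode code). The directory check only uses the
standard library so it runs without python-ldap installed; applying the
options to a connection needs the `ldap` module.
"""
import os
import re
import tempfile

# OpenSSL hashed CA file name: 8 hex digits, a dot, a sequence number.
_HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def cacert_dir_status(path):
    """Return (usable, reason) for a directory meant for OPT_X_TLS_CACERTDIR."""
    if not os.path.isdir(path):
        return False, "not a directory: %s" % path
    names = os.listdir(path)
    hashed = [n for n in names if _HASH_NAME.match(n)]
    pems = [n for n in names if n.endswith((".pem", ".crt"))]
    if hashed:
        return True, "%d hashed CA entries found" % len(hashed)
    if pems:
        return False, ("%d certificate file(s) present but no hashed entries; "
                       "run 'openssl rehash %s' (or c_rehash %s), or point "
                       "OPT_X_TLS_CACERTFILE at the file instead"
                       % (len(pems), path, path))
    return False, "no certificates found in %s" % path


def tls_options(cacertfile=None, cacertdir=None):
    """Build (option name, value) pairs for a python-ldap connection object.

    Option names are strings so the list can be built and inspected without
    importing ldap. OPT_X_TLS_NEWCTX = 0 is emitted last: python-ldap only
    creates a new TLS context from the preceding options when it is set after
    them, so putting it first silently discards the CA settings.
    """
    opts = []
    if cacertfile:
        opts.append(("OPT_X_TLS_CACERTFILE", cacertfile))
    if cacertdir:
        opts.append(("OPT_X_TLS_CACERTDIR", cacertdir))
    if not opts:
        return opts
    # Refuse connections whose certificate chain does not verify.
    opts.append(("OPT_X_TLS_REQUIRE_CERT", "OPT_X_TLS_DEMAND"))
    opts.append(("OPT_X_TLS_NEWCTX", 0))
    return opts


def apply_tls_options(conn, opts):
    """Apply tls_options() output to an ldap.initialize() object.

    Requires python-ldap; string values naming ldap constants are resolved.
    """
    import ldap  # deferred so the rest of the module works without it
    for name, value in opts:
        if isinstance(value, str) and value.startswith("OPT_X_TLS_"):
            value = getattr(ldap, value)
        conn.set_option(getattr(ldap, name), value)


def demo():
    """Show the check on a constructed CA directory; returns three statuses."""
    d = tempfile.mkdtemp()
    empty = cacert_dir_status(d)
    open(os.path.join(d, "myca.pem"), "w").close()   # plain copy, as in the report
    copied_only = cacert_dir_status(d)
    open(os.path.join(d, "5a3ab4d2.0"), "w").close()  # what rehash would create
    rehashed = cacert_dir_status(d)
    return empty, copied_only, rehashed


if __name__ == "__main__":
    for usable, reason in demo():
        print("usable=%s: %s" % (usable, reason))
    print(tls_options(cacertfile="/etc/openldap/cacerts/myca.pem"))
```

To confirm the diagnosis on the real box, `openssl s_client -connect <ldap-host>:636 -CApath /etc/openldap/cacerts` should report the same issuer error until the directory is rehashed, and succeed with `-CAfile /etc/openldap/cacerts/myca.pem`.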