https://bugs.openldap.org/show_bug.cgi?id=6248
--- Comment #8 from Howard Chu hyc@openldap.org ---

Supporting this will require extra care on the part of the sysadmins. In particular, we currently send a list of the names of every CA cert that was configured, to every client, if client cert authentication is configured. It would probably be a bad idea to send the hundreds of CAs in the default cert bundle in that case. It only ever makes sense for an LDAP server to trust and advertise a very small number of CAs. In particular when client certs are used for authentication, it doesn't make sense to trust certs from anywhere other than the CA that's signing the client certs.
Given the small scope of trust, it also doesn't make sense to be picking up trusted CA certs from large numbers of locations.