OK, a couple of long shots (I don't really believe these, but they should be quick to try, and since you're not working anyway they shouldn't hurt)...
Do TLSCACertificateFile and/or TLSCACertificatePath match TLS_CACERT and/or TLS_CACERTDIR? Can you make them that way?
Can you verify somehow that the ldap.conf you expect to be read is indeed being read? That there's no ~/.ldaprc in the way?
"TLS_REQCERT never" should set the library to its most liberal; it's somewhat surprising that it's still complaining about CA in that case.
On Wed, 24 Jan 2007, Stephen Agar wrote:
I appreciate everyone's advice. I have verified that as the same uid "user ldap", I CAN connect to the external LDAP server via "ldapwhoami over ldaps://", but when connecting to localhost and attempting to use the "meta" definition, it doesn't work.
I don't have a copy of the cacert on the external server; I just have a self-signed setup on my own openldap box. Do I need to get a copy of their cacert.pem and configure that in my ldap.conf?
I haven't had a chance to look at the strace/truss output yet, but will post when I do.
--stephen
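An added check script for the first two long shots in the reply above (mine, not code from either post). It compares the CA directives in slapd.conf against their ldap.conf counterparts and lists the client configuration files in the order ldap.conf(5) consults them, so a stray ~/.ldaprc shows up. The slapd.conf and ldap.conf contents it creates are constructed samples that reproduce a mismatch, and the default system path /etc/openldap/ldap.conf is an assumption (it depends on how OpenLDAP was built):

```shell
#!/bin/sh
# Added example; not code from either post in the thread. It automates the two
# "long shots" above: (1) do slapd.conf's TLSCACertificateFile/TLSCACertificatePath
# name the same CA file/directory as TLS_CACERT/TLS_CACERTDIR in ldap.conf, and
# (2) which client configuration files exist in the order ldap.conf(5) reads
# them. All file contents below are constructed samples; the default system
# path /etc/openldap/ldap.conf is an assumption (depends on the build).

# Print the first value of a directive: keyword matched case-insensitively,
# comment lines skipped, only the first whitespace-separated word of the value.
cfg_value() {
    awk -v key="$2" '/^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Compare one slapd.conf directive with its ldap.conf counterpart.
# Usage: check_ca_pair SLAPD_CONF LDAP_CONF SLAPD_KEY LDAP_KEY
# Returns 0 only when both are set and identical.
check_ca_pair() {
    server=$(cfg_value "$1" "$3")
    client=$(cfg_value "$2" "$4")
    printf '%-22s %s\n' "$3" "${server:-<unset>}"
    printf '%-22s %s\n' "$4" "${client:-<unset>}"
    [ -n "$server" ] && [ "$server" = "$client" ]
}

# Client config files in the order ldap.conf(5) reads them: the system file
# (or $LDAPCONF), $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc, then $LDAPRC. Later
# files override earlier ones, so a present ~/.ldaprc can change TLS_* settings.
# $HOME must be that of the account slapd runs as (the thread's "user ldap").
list_client_configs() {
    sysconf=${LDAPCONF:-/etc/openldap/ldap.conf}
    for f in "$sysconf" "$HOME/ldaprc" "$HOME/.ldaprc" ./ldaprc ${LDAPRC:+"$LDAPRC"}; do
        if [ -f "$f" ]; then echo "present $f"; else echo "absent  $f"; fi
    done
}

# Number of user-level files (everything after the system file) that exist.
count_user_overrides() {
    list_client_configs | tail -n +2 | awk '/^present/ { n++ } END { print n + 0 }'
}

# Constructed sample configs reproducing the mismatch case; prints the directory.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/slapd.conf" <<'EOF'
# constructed slapd.conf fragment
TLSCACertificateFile /etc/openldap/cacerts/ca.pem
TLSCertificateFile   /etc/openldap/certs/server.pem
EOF
    cat > "$d/ldap.conf" <<'EOF'
# constructed ldap.conf: CA file differs from slapd.conf, no CA directory
TLS_CACERT  /etc/openldap/cacert.pem
TLS_REQCERT never
EOF
    echo "$d"
}

# Stand-alone run against the samples.
demo_dir=$(make_samples)
check_ca_pair "$demo_dir/slapd.conf" "$demo_dir/ldap.conf" TLSCACertificateFile TLS_CACERT \
    && echo "CA file directives agree" || echo "CA file directives differ"
check_ca_pair "$demo_dir/slapd.conf" "$demo_dir/ldap.conf" TLSCACertificatePath TLS_CACERTDIR \
    && echo "CA directory directives agree" || echo "CA directory directives differ or unset"
echo "TLS_REQCERT in ldap.conf: $(cfg_value "$demo_dir/ldap.conf" TLS_REQCERT)"
list_client_configs
rm -rf "$demo_dir"
```

For the third long shot (is the expected ldap.conf actually the one read), run the server under a syscall tracer as the account it normally runs as, e.g. strace -f -e trace=open,openat -o /tmp/slapd.trace slapd -d 1 on Linux (truss -f -t open on Solaris), then grep the trace for ldap.conf and ldaprc; any ~/.ldaprc that appears there is being read relative to that account's HOME, not yours.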