I'm using OpenLDAP as an LDAP proxy to another LDAP server.

I'd like to get an LDAPS connection between these 2 servers.

So, I configured ldap.conf like this:

TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem

My issue is that the SSL connection still works if I comment out the line with TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem.

And it should not, because without this certificate authority my OpenLDAP proxy should not be able to check the certificate sent by the backend LDAP.

The only difference that I see without this line is in debug mode (slapd -d 1):

TLS certificate verification: Error, self signed certificate in certificate chain

But it works with this error.

So, do you have an idea how to force the SSL connection to fail if the certificate sent by the other LDAP server is not signed by my certificate authority?
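As an added example (not the poster's configuration), here is the weak setting next to the hardened one for both the client library defaults and the back-ldap proxy database; the backend URI, suffix and the slapd.conf layout are assumptions, and the `tls ldaps` form assumes an OpenLDAP release whose slapd-ldap(5) accepts that keyword (older releases use `tls start` with an `ldap://` URI):

```conf
# --- ldap.conf: defaults for the libldap client code that slapd uses for
#     outgoing connections. CA path taken from the original post. ---
TLS_CACERT  /usr/local/etc/raddb/RTFE/conca.pem
# Weak:     TLS_REQCERT never|allow|try  -> verification errors are logged,
#                                          the session proceeds anyway.
# Hardened: demand -> the handshake is aborted when the backend's
#           certificate does not chain to TLS_CACERT.
TLS_REQCERT demand

# --- slapd.conf: back-ldap proxy database (backend host is a placeholder) ---
database  ldap
suffix    "dc=example,dc=com"
uri       "ldaps://backend.example.com:636"
# Per-database TLS options override ldap.conf for this proxy.
# tls_reqcert=demand makes "self signed certificate in certificate chain"
# fatal instead of a debug-only message; tls_cacert pins the issuing CA.
tls       ldaps tls_cacert=/usr/local/etc/raddb/RTFE/conca.pem tls_reqcert=demand
```

After reloading slapd, repeating the test from the post (CA line commented out, `slapd -d 1`) should now show the connection to the backend being refused at the TLS handshake rather than the verification error being logged and ignored.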