Please check your ldap server.
How it was started? Check the port number. port must be 636.
Your apache might have the root-CA certificate which is validating your globalsign-domainssl.pem.
 
May be your client is failing to get the entire chain of certificates.
Make sure that /etc/openldap/ldap.conf has the TLS_CACERTDIR clause where all the certificates are present.
Use certificate-rehash utility to hash the certificates in the cert-directory.
 
I used to start my server using command
/usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 -h ldaps:/// &
 
And to search the user I use
ldapsearch -x -H ldaps://ldapserverFQDN:636 -b "dc=my-domain,dc=com"
"(&(uid=testadmin1)(objectClass=inetOrgPerson))"
 
 
Thanks,
Digambar Yashwant Sawant

On Fri, Sep 12, 2008 at 4:51 PM, Michael Fischer <michi.fischer@gmx.net> wrote:
hi,

i hope this is the right list for my problem, if not sorry in advance.

i want to configure slapd to use tls. i have a certifikate signed by
globalsign and the following lines in my slapd.conf:

<snip>
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/postfix/certs/ldap.pem
TLSCertificateKeyFile /etc/postfix/certs/ldap.key
TLSCACertificateFile /etc/postfix/certs/globalsign-domainssl.pem
</snip>

but when issuing a ldapsearch on another machine i still get an error:
<snip>
# ldapsearch -bdc=xxx,dc=at -Dcn=admin,dc=xxx,dc=at -hldap.xxx.at -p389
-x -W -ZZ -d5 objectClass=*
...
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /C=US/O=GTE
Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global
Root, issuer: /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions,
Inc./CN=GTE CyberTrust Global Root
TLS certificate verification: Error, self signed certificate in
certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
       additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
</snip>

the same globalsign-certificates work well with my apache.

any hints?

lg, Michael Fischer
--
email: michi.fischer@gmx.net
web: http://www.webfischer.at