Can you ensure the account running openldap is able to read certificate and key ?

like sudo -u <openldap_user> cat <path_to_files>

Sounds like the proxy is not able to send its certificate
De : Fred N <fred750164@gmail.com>
Envoyé : jeudi 30 janvier 2025 11:05
À : openldap-technical@openldap.org <openldap-technical@openldap.org>
Objet : RE: ldap proxy
 
ATTENTION : Cet e-mail provient de l'extérieur de l'organisation. Ne cliquez pas sur les liens et n'ouvrez pas les pièces jointes à moins que vous ne reconnaissiez l'expéditeur et que vous sachiez que le contenu est sûr.

I remove the parameter (tls_cacertdir=/etc/ssl/certs) from idassert-bind config and result is :

Client log (other ldap server) :
ldapsearch -H ldap://ldap-proxy.fr -b "dc=appli,dc=test,dc=com" -D  "dn" -w "pwd"
ldap_bind: Server is unavailable (52)
     additionnal info: Proxy operation retry failed

Proxy log:
679a61e2.1c43bb27 0x7f8d6cf56640 TLS trace: SSL3 alert read:fatal:unknown


Backend log:
679b49c4.0aa74b3e 0x7f39e25fd6c0 TLS trace: SSL3 alert write:fatal:unknown
679b49c4.0aa76a7f 0x7f39e25fd6c0 TLS trace: SSL_accept:error in error
679b49c4.0aa79f9f 0x7f39e25fd6c0 TLS: can't accept: error:0A0000C7:SSL routines::peer did not return a certificate.
679b49c4.0aa7fcfb 0x7f39e25fd6c0 connection_read(11): TLS accept failure error=-1 id=1001, closing
679b49c4.0aa83473 0x7f39e25fd6c0 connection_closing: readying conn=1001 sd=11 for close
679b49c4.0aa86f6f 0x7f39e25fd6c0 connection_close: conn=1001 sd=11

>From  client ldap, i want to query an LDAP backend via an LDAP proxy. I want the query from the client to be unsecured with a simple authentication (bindn), but the proxied communication between the LDAP proxy and the LDAP backend to be secured through mutual TLS authentication via SASL EXTERNAL.

my setup is not working at the moment.