On Wed, 13 Apr 2011, Judith Flo Gaya wrote:
> As the server is a RHEL6, its OpenLDAP is compiled against OpenSSL; the clients are using OpenLDAP with MozNSS, so it looks like I'll be forced to recompile everything to either MozNSS or OpenSSL, but it looks very, very complicated.
My experience differs. I know that I have F14 clients (and probably others; clients are largely out of my scope) using NSS, even though I don't have NSS on the servers. I'm not sure if somewhere in this thread you mentioned that you were (or weren't) using generally-respected commercial CAs? We do, and a working F14 client has:
[/etc/openldap/ldap.conf says] TLS_CACERT /etc/pki/tls/cert.pem
and /etc/pki/tls/cert.pem is a symlink to "certs/ca-bundle.crt", which has, unsurprisingly, a bunch of CA certs--I note no base64 encoding. Apparently these are both provided by a Fedora "ca-certificates" package.
All this is to say...I've seen the OpenLDAP NSS client work at least once, via ldapsearch(1), even though it's not the TLS implementation on the server side.
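As an added example (not part of this message, and not OpenLDAP's own tooling), here is a POSIX shell check of the client-side setup described above: it reads TLS_CACERT out of an ldap.conf, follows the cert.pem -> certs/ca-bundle.crt symlink, and counts the PEM certificate blocks in the bundle so you know the client has something to verify the server against before you reach for ldapsearch. It assumes GNU `readlink -f`, and builds a throwaway directory tree mirroring the Fedora layout with dummy certificate bodies (constructed here, not real CAs), so it runs offline and never contacts a server.

```shell
#!/bin/sh
# Added example: sanity-check an OpenLDAP client's TLS_CACERT setting.
# Not from the original thread; paths are built in a temp dir (constructed).
set -eu

# Print the TLS_CACERT value from an ldap.conf, ignoring comment lines.
# ldap.conf keywords are case-insensitive, hence toupper().
ldap_conf_cacert() {
    awk 'toupper($1) == "TLS_CACERT" { print $2; exit }' "$1"
}

# Count PEM certificate blocks in a bundle; grep -c prints 0 (and exits 1)
# when there are none, so swallow that status.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Exit 0 if the configured CA bundle resolves (through any symlink chain)
# to a readable file holding at least one PEM certificate, else 1.
check_client_ca() {
    conf="$1"
    cacert=$(ldap_conf_cacert "$conf")
    [ -n "$cacert" ] || { echo "no TLS_CACERT in $conf" >&2; return 1; }
    # GNU readlink -f resolves cert.pem -> certs/ca-bundle.crt relative links
    target=$(readlink -f "$cacert") || return 1
    [ -r "$target" ] || { echo "$cacert -> $target not readable" >&2; return 1; }
    n=$(pem_cert_count "$target")
    [ "$n" -gt 0 ] || { echo "$target holds no PEM certificates" >&2; return 1; }
    echo "$cacert -> $target: $n CA certificate(s)"
}

# Build a constructed layout mirroring the Fedora one:
#   $d/etc/pki/tls/cert.pem -> certs/ca-bundle.crt
# The certificate bodies are dummy base64-looking text, enough to exercise
# the checks above but not usable for real verification.
# Prints the path of the generated ldap.conf.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/pki/tls/certs" "$d/etc/openldap"
    for i in 1 2 3; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' \
            "MIIBdummy${i}CERTIFICATEBODY" \
            '-----END CERTIFICATE-----'
    done > "$d/etc/pki/tls/certs/ca-bundle.crt"
    ln -s certs/ca-bundle.crt "$d/etc/pki/tls/cert.pem"
    printf '# constructed client config\nTLS_CACERT %s/etc/pki/tls/cert.pem\nTLS_REQCERT demand\n' \
        "$d" > "$d/etc/openldap/ldap.conf"
    echo "$d/etc/openldap/ldap.conf"
}

# Run the check against the constructed tree when executed directly.
demo_conf=$(demo_setup)
check_client_ca "$demo_conf"
```

Once the check passes, the next step is the one the message describes: `ldapsearch -ZZ -H ldap://your.server -x -b '' -s base -d 1` forces StartTLS to succeed and the debug output shows which CA file the client loaded and where the handshake fails, if it does. Point `check_client_ca` at the real /etc/openldap/ldap.conf to check a live system instead of the constructed one.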