not able to get it to work. Things we have tried:

removed the -ZZ option.
set TLS_CACERT to complete path and remove TLS_CACERTDIR from ldap.conf
also set above as environment variable
also tried some permutations like CACAERT equals just the filename whereas CACERTDIR equals directory containing the file

but result is the same.

ldap_url_parse_ext(ldaps://ldap.foo.com:636)

ldap_create

ldap_url_parse_ext(ldaps://ldap.foo.com:636/??base)

ldap_sasl_bind

ldap_send_initial_request

ldap_new_connection 1 1 0

ldap_int_open_connection

ldap_connect_to_host: TCP ldap.foo.com:636

ldap_new_socket: 5

ldap_prepare_socket: 5

ldap_connect_to_host: Trying 10.67.242.198:636

ldap_pvt_connect: fd: 5 tm: -1 async: 0

tlsst_thr_init()

tlsst_init()

tlsst_ctx_new() = 0x7fb530006f60

tlsst_ctx_init(0x7fb530006f60)

tlsst_ciphers_get((null), TLS_CIPHER_SUITE)

tlsst_session_new(0x7fb530006f60)

tlsst_ciphers_set(76, TLS_CIPHER_SUITE)

tlsst_ctx_ref(0x7fb530006f60)

tlsst_session_new(0x7fb530006f60) = 0x7fb530008ef0

tlsst_sb_setup(0x7fb530008ef0)

tlsst_ctx_ref(0x7fb530006f60)

tlsst_session_connect(0x7fb530008ef0)

tlsst_session_handshake()

tlsst_socket_write(0x7fb530008548, 145)

tlsst_socket_read(0x7fb530804800, 5)

tlsst_socket_read(0x7fb530804805, 93)

tlsst_socket_read(0x7fb530804800, 5)

tlsst_socket_read(0x7fb530804805, 778)

tlsst_socket_read(0x7fb530804800, 5)

tlsst_socket_read(0x7fb530804805, 147)

tlsst_socket_read(0x7fb530804800, 5)

tlsst_socket_read(0x7fb530804805, 270)

tlsst_socket_read(0x7fb530804800, 5)

tlsst_socket_read(0x7fb530804805, 4)

TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841)

TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure

and openssl s_client does work.

From: Quanah Gibson-Mount <quanah@symas.com>
Sent: Monday, October 5, 2020 10:24 AM
To: Siddharth Jain <siddjain@live.com>; openldap-technical@openldap.org <openldap-technical@openldap.org>
Subject: Re: TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure

--On Monday, October 5, 2020 1:58 AM +0000 Siddharth Jain
<siddjain@live.com> wrote:

>
> is it necessary to specify both
>
> TLS_CACERT and
>
> TLS_CACERTDIR ?

You use one or the other. The TLS_CACERT only takes a specific file. The
TLS_CACERTDIR allows the usage of a directory of multiple CA files.

> 16.2.2.1. TLS_CACERT <filename>
>
> This is equivalent to the server's TLSCACertificateFile option. As noted
> in the TLS Configuration section, a client typically may need to know
> about more CAs than a server, but otherwise the same considerations
> apply.
>
> 16.2.2.2. TLS_CACERTDIR <path>
>
> This is equivalent to the server's TLSCACertificatePath option. The
> specified directory must be managed with the OpenSSL c_rehash utility as
> well. If using Mozilla NSS, <path> may contain a cert/key database.

The ldap.conf file uses one set of configuration parameter names, the slapd
configuration uses a different set of configuration parameter names.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>