not able to get it to work. Things we have tried:
but result is the same.

ldap_url_parse_ext(ldaps://ldap.foo.com:636)
ldap_create
ldap_url_parse_ext(ldaps://ldap.foo.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.foo.com:636
ldap_new_socket: 5
ldap_prepare_socket: 5
ldap_connect_to_host: Trying 10.67.242.198:636
ldap_pvt_connect: fd: 5 tm: -1 async: 0
tlsst_thr_init()
tlsst_init()
tlsst_ctx_new() = 0x7fb530006f60
tlsst_ctx_init(0x7fb530006f60)
tlsst_ciphers_get((null), TLS_CIPHER_SUITE)
tlsst_session_new(0x7fb530006f60)
tlsst_ciphers_set(76, TLS_CIPHER_SUITE)
tlsst_ctx_ref(0x7fb530006f60)
tlsst_session_new(0x7fb530006f60) = 0x7fb530008ef0
tlsst_sb_setup(0x7fb530008ef0)
tlsst_ctx_ref(0x7fb530006f60)
tlsst_session_connect(0x7fb530008ef0)
tlsst_session_handshake()
tlsst_socket_write(0x7fb530008548, 145)
tlsst_socket_read(0x7fb530804800, 5)
tlsst_socket_read(0x7fb530804805, 93)
tlsst_socket_read(0x7fb530804800, 5)
tlsst_socket_read(0x7fb530804805, 778)
tlsst_socket_read(0x7fb530804800, 5)
tlsst_socket_read(0x7fb530804805, 147)
tlsst_socket_read(0x7fb530804800, 5)
tlsst_socket_read(0x7fb530804805, 270)
tlsst_socket_read(0x7fb530804800, 5)
tlsst_socket_read(0x7fb530804805, 4)
TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841)
TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure

and openssl s_client does work.

From: Quanah Gibson-Mount <quanah@symas.com>
Sent: Monday, October 5, 2020 10:24 AM
To: Siddharth Jain <siddjain@live.com>; openldap-technical@openldap.org <openldap-technical@openldap.org>
Subject: Re: TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure


--On Monday, October 5, 2020 1:58 AM +0000 Siddharth Jain
<siddjain@live.com> wrote:

>
> is it necessary to specify both
>
> TLS_CACERT and
>
> TLS_CACERTDIR ?

You use one or the other.  The TLS_CACERT only takes a specific file.  The
TLS_CACERTDIR allows the usage of a directory of multiple CA files.

> 16.2.2.1. TLS_CACERT <filename>
>
> This is equivalent to the server's TLSCACertificateFile option. As noted
> in the TLS Configuration section, a client typically may need to know
> about more CAs than a server, but otherwise the same considerations
> apply.
>
> 16.2.2.2. TLS_CACERTDIR <path>
>
> This is equivalent to the server's TLSCACertificatePath option. The
> specified directory must be managed with the OpenSSL c_rehash utility as
> well. If using Mozilla NSS, <path> may contain a cert/key database.


The ldap.conf file uses one set of configuration parameter names, the slapd
configuration uses a different set of configuration parameter names.

--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
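Quanah's rules above (use TLS_CACERT or TLS_CACERTDIR but not both, keep the directory c_rehash-managed, and do not put slapd's TLSCACertificateFile/Path names into ldap.conf) as an added client-side config check. This is example code written for this reply, not an OpenLDAP tool or anything posted in the thread; the directive parsing, the hash-filename test and the demo paths are my assumptions.

```sh
#!/bin/sh
# Lint the CA-trust settings in a client ldap.conf (rules taken from the
# thread): exactly one of TLS_CACERT / TLS_CACERTDIR, the file must be
# readable, the directory must hold c_rehash-style entries (<8 hex>.<n>),
# and slapd-side names (TLSCACertificateFile/Path) do not belong here.
# Exit status 0 means the file passed; findings are printed.

# Value of the last occurrence of directive $1 in file $2 (empty if unset).
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" "$2" | tail -n 1
}

check_ldap_conf() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 1; }
    cacert=$(conf_value TLS_CACERT "$conf")
    cacertdir=$(conf_value TLS_CACERTDIR "$conf")
    if grep -Eiq '^[[:space:]]*TLSCACertificate(File|Path)' "$conf"; then
        echo "ERROR: TLSCACertificateFile/Path are slapd names; ldap.conf uses TLS_CACERT/TLS_CACERTDIR"
        rc=1
    fi
    if [ -n "$cacert" ] && [ -n "$cacertdir" ]; then
        echo "ERROR: set TLS_CACERT or TLS_CACERTDIR, not both"; rc=1
    elif [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "ERROR: no CA trust anchor configured"; rc=1
    fi
    if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "ERROR: TLS_CACERT not readable: $cacert"; rc=1
    fi
    if [ -n "$cacertdir" ]; then
        if [ ! -d "$cacertdir" ]; then
            echo "ERROR: TLS_CACERTDIR is not a directory: $cacertdir"; rc=1
        elif ! ls -A "$cacertdir" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
            echo "ERROR: no <hash>.<n> entries in $cacertdir; run: c_rehash $cacertdir"; rc=1
        fi
    fi
    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}

# Constructed demo: a fake rehashed CA dir plus a correct and an incorrect config.
demo() {
    d=$(mktemp -d); mkdir "$d/cacerts"
    : > "$d/cacerts/a1b2c3d4.0"   # placeholder for a c_rehash link, not a real CA
    printf 'TLS_CACERTDIR %s\n' "$d/cacerts" > "$d/good.conf"
    printf 'TLS_CACERT /nonexistent/ca.pem\nTLS_CACERTDIR %s\n' "$d/cacerts" > "$d/both.conf"
    check_ldap_conf "$d/good.conf"; check_ldap_conf "$d/both.conf" || true
    rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh check.sh demo` to see both outcomes, or source it and call `check_ldap_conf /etc/openldap/ldap.conf` against a real client configuration.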