16.2.2.1. TLS_CACERT <filename>

This is equivalent to the server's TLSCACertificateFile option. As noted in the TLS Configuration section, a client typically may need to know about more CAs than a server, but otherwise the same considerations apply.

16.2.2.2. TLS_CACERTDIR <path>

This is equivalent to the server's TLSCACertificatePath option. The specified directory must be managed with the OpenSSL c_rehash utility as well. If using Mozilla NSS, <path> may contain a cert/key database.

From: Howard Chu <hyc@symas.com>
Sent: Friday, October 2, 2020 10:27 PM
To: Siddharth Jain <siddjain@live.com>; openldap-technical@openldap.org <openldap-technical@openldap.org>
Subject: Re: TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure

Quanah Gibson-Mount wrote:
>
>
> --On Saturday, October 3, 2020 12:36 AM +0000 Siddharth Jain <siddjain@live.com> wrote:
>
>>
>> But ldapsearch throws an error:
>>
>>
>> $ ldapsearch -d 1 -x -H ldaps://ldap.foo.com:636 ... -ZZ
>
> This is not valid.
>
> Either you:
>
> (a) use ldap:// with -ZZ (startTLS)
>
> OR
>
> (b) use ldaps://
>
> Both will result in a TLS secured connection if successful
>
> But you absolutely CANNOT combine startTLS + ldaps://

Also, TLS_CERT/TLS_KEY are user-only directives. Re-read the ldap.conf(5) manpage.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

TLS_CACERT and
TLS_CACERTDIR ?

or can the full path to ca cert be specified in
TLS_CACERT?

TLS_CACERTDIR ?

TLS_CACERT?

16.2.2.1. TLS_CACERT <filename>

16.2.2.2. TLS_CACERTDIR <path>

TLS_CACERT and TLS_CACERTDIR ? or can the full path to ca cert be specified in TLS_CACERT?

TLS_CACERTDIR ?

TLS_CACERT?

16.2.2.1. TLS_CACERT <filename>

16.2.2.2. TLS_CACERTDIR <path>

TLS_CACERT and
TLS_CACERTDIR ?

or can the full path to ca cert be specified in
TLS_CACERT?