Is it necessary to specify both TLS_CACERT and TLS_CACERTDIR, or can the full path to the CA cert be specified in TLS_CACERT?

What does this mean?

16.2.2.1. TLS_CACERT <filename>

This is equivalent to the server's TLSCACertificateFile option. As noted in the TLS Configuration section, a client typically may need to know about more CAs than a server, but otherwise the same considerations apply.

16.2.2.2. TLS_CACERTDIR <path>

This is equivalent to the server's TLSCACertificatePath option. The specified directory must be managed with the OpenSSL c_rehash utility as well. If using Mozilla NSS, <path> may contain a cert/key database.




From: Howard Chu <hyc@symas.com>
Sent: Friday, October 2, 2020 10:27 PM
To: Siddharth Jain <siddjain@live.com>; openldap-technical@openldap.org <openldap-technical@openldap.org>
Subject: Re: TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
 
Quanah Gibson-Mount wrote:
>
>
> --On Saturday, October 3, 2020 12:36 AM +0000 Siddharth Jain <siddjain@live.com> wrote:
>
>>
>> But ldapsearch throws an error:
>>
>>
>> $ ldapsearch -d 1 -x -H ldaps://ldap.foo.com:636 ... -ZZ
>
> This is not valid.
>
> Either you:
>
> (a) use ldap:// with -ZZ (startTLS)
>
> OR
>
> (b) use ldaps://
>
> Both will result in a TLS secured connection if successful
>
> But you absolutely CANNOT combine startTLS + ldaps://

Also, TLS_CERT/TLS_KEY are user-only directives. Re-read the ldap.conf(5) manpage.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
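The two client-side trust settings quoted from the Admin Guide above, and the ldaps:// versus StartTLS point from the quoted reply, as an added example. This script is not from the thread or from the OpenLDAP project; the hostname, base DN and file paths in it are assumptions for illustration. It writes an ldap.conf that uses TLS_CACERT alone (a full path to one PEM bundle is sufficient when the bundle holds every CA the client must trust), the TLS_CACERTDIR alternative that needs c_rehash, a user-only ~/.ldaprc for TLS_CERT/TLS_KEY, and a pre-flight check that rejects an ldapsearch argument list combining ldaps:// with -Z/-ZZ.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenLDAP): writes the two kinds
# of client trust configuration ldap.conf(5) describes and pre-checks an
# ldapsearch argument list for the ldaps:// + StartTLS mistake.
# Hostname, base DN and file paths below are assumptions for illustration.

# Variant 1: one CA bundle file. TLS_CACERT takes the full path to a PEM
# file; when that file holds every CA the client must trust, TLS_CACERTDIR
# is not needed in addition.
write_ldap_conf_cacert() {
    conf="$1"; cabundle="$2"   # e.g. /etc/openldap/ldap.conf /etc/ssl/certs/ca-bundle.pem
    cat > "$conf" <<EOF
URI ldaps://ldap.example.com:636
BASE dc=example,dc=com
TLS_CACERT $cabundle
EOF
}

# Variant 2: a directory of CA certificates. OpenSSL finds files by subject
# hash, so the directory must be rehashed after every change:
#   c_rehash "$cadir"      (OpenSSL 1.1+ also provides: openssl rehash "$cadir")
write_ldap_conf_cacertdir() {
    conf="$1"; cadir="$2"      # e.g. /etc/openldap/ldap.conf /etc/openldap/cacerts
    cat > "$conf" <<EOF
URI ldaps://ldap.example.com:636
BASE dc=example,dc=com
TLS_CACERTDIR $cadir
EOF
}

# TLS_CERT / TLS_KEY (a client certificate and its key) are user-only
# directives: they belong in ~/.ldaprc, not in the system-wide ldap.conf.
write_user_ldaprc() {
    rc="$1"; cert="$2"; key="$3"
    cat > "$rc" <<EOF
TLS_CERT $cert
TLS_KEY $key
EOF
}

# True when the file relies on TLS_CACERT alone (no TLS_CACERTDIR line).
conf_uses_cacert_only() {
    grep -q '^TLS_CACERT[[:space:]]' "$1" && ! grep -q '^TLS_CACERTDIR' "$1"
}

# Pre-flight check of an ldapsearch argument list. ldaps:// negotiates TLS
# on connect; StartTLS (-Z/-ZZ) upgrades a plain ldap:// connection, so
# ldaps:// combined with -Z/-ZZ is invalid. Returns 0 when the combination
# is acceptable, 1 when it is not.
check_ldapsearch_args() {
    uri=""; starttls=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -H)     uri="$2"; shift ;;     # -H <uri>
            -H*)    uri="${1#-H}" ;;       # -H<uri>
            -Z|-ZZ) starttls=1 ;;
        esac
        shift
    done
    case "$uri" in
        ldaps://*) [ "$starttls" -eq 0 ] ;;
        *)         return 0 ;;
    esac
}

# Stand-alone demonstration (writes to a temporary file only).
demo=$(mktemp)
write_ldap_conf_cacert "$demo" /etc/ssl/certs/ca-bundle.pem
cat "$demo"
rm -f "$demo"
if check_ldapsearch_args -d 1 -x -H ldaps://ldap.example.com:636 -ZZ; then
    echo "ok"
else
    echo "invalid: ldaps:// cannot be combined with -ZZ (use ldap:// with -ZZ, or ldaps:// alone)"
fi
```

The check only looks at the URI scheme and the -Z flags; it does not open a connection, so it can run before any handshake debugging with -d 1.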