we have made some progress. On a Linux machine we don't get that error but get another error instead.
TLS certificate verification: Error, self signed certificate in certificate chain

It looks like it complains about a self-signed certificate, but that certificate is that of the root CA and by definition that will be self-signed.

ldap_url_parse_ext(ldaps://ldap.foo.com:636)
ldap_create
ldap_url_parse_ext(ldaps://ldap.foo.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.foo.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.67.242.198:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs'
tlsmc_intercept_initialization: INFO: certfile = `/home/client/client_tls_cert.pem'
tlsmc_intercept_initialization: INFO: keyfile = `/home/client/client_tls_key.pem'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/certs` prefix ``.
tlsmc_open_nssdb: INFO: initialized MozNSS context.
tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-certs--25EC8C7E40D4FF3F7189B2C57C0F6A5C06BB35FD39F9391B99227E99F66E15B6'.
tlsmc_convert: INFO: using the existing PEM dir.
tlsmc_intercept_initialization: INFO: altered options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/tmp/openldap-tlsmc-certs--25EC8C7E40D4FF3F7189B2C57C0F6A5C06BB35FD39F9391B99227E99F66E15B6/cacerts'
tlsmc_intercept_initialization: INFO: certfile = `/tmp/openldap-tlsmc-certs--25EC8C7E40D4FF3F7189B2C57C0F6A5C06BB35FD39F9391B99227E99F66E15B6/cert.pem'
tlsmc_intercept_initialization: INFO: keyfile = `/tmp/openldap-tlsmc-certs--25EC8C7E40D4FF3F7189B2C57C0F6A5C06BB35FD39F9391B99227E99F66E15B6/key.pem'
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /C=US/ST=CA/L=San Francisco/O=foo/OU=HR/CN=Mickey Mouse, issuer: /C=US/ST=CA/L=San Francisco/O=foo/OU=HR/CN=Mickey Mouse
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
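
An added example, not from this thread, that rebuilds the "err: 19 ... self signed certificate in certificate chain" situation at depth 2 with a constructed throwaway PKI and plain openssl instead of ldapsearch; all CNs and directory names are placeholders. It shows that the self-signed root must be present in the CA directory under its subject-hash filename before OpenSSL's CApath lookup, the mechanism behind TLS_CACERTDIR, can find it:

```shell
#!/bin/sh
# Added example for this thread (not from the original posts): rebuild the situation behind
# "err: 19 ... self signed certificate in certificate chain" with a constructed throwaway PKI.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Constructed PKI (placeholder names): self-signed root -> intermediate -> server leaf.
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Constructed Root CA" >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -out root.pem -days 1 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Constructed Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out inter.pem -days 1 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=ldap.example.test" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out server.pem -days 1 >/dev/null 2>&1
# What such a server sends: leaf, intermediate and its self-signed root (depth 0, 1, 2).
cat server.pem inter.pem root.pem > chain.pem

# verify_with_cacertdir DIR: verify the leaf with the sent chain as untrusted input and DIR as
# the only trust store, i.e. the CApath lookup libldap performs through OpenSSL for TLS_CACERTDIR.
verify_with_cacertdir() {
    openssl verify -no-CAfile -CApath "$1" -untrusted chain.pem server.pem >/dev/null 2>&1
}
# verify_reason DIR: the "error N at D depth lookup: ..." line OpenSSL prints on failure.
verify_reason() {
    openssl verify -no-CAfile -CApath "$1" -untrusted chain.pem server.pem 2>&1 \
        | grep -o 'error [0-9]* at [0-9]* depth lookup.*' || true
}

mkdir empty_dir unhashed_dir hashed_dir
cp root.pem unhashed_dir/root.pem     # correct root, but nothing named by subject hash
cp root.pem hashed_dir/root.pem
# A CApath is searched by <subject_hash>.N; c_rehash / "openssl rehash" create these links.
ln -s root.pem "hashed_dir/$(openssl x509 -noout -subject_hash -in root.pem).0"

for d in empty_dir unhashed_dir hashed_dir; do
    if verify_with_cacertdir "$d"; then echo "$d: OK"; else echo "$d: $(verify_reason "$d")"; fi
done
```

In the trace above the cacertdir was rewritten to a PEM directory generated from the NSS DB in /etc/openldap/certs, so the root CA also has to be in that NSS DB for the generated directory to contain a hashed entry for it.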


From: Quanah Gibson-Mount <quanah@symas.com>
Sent: Monday, October 5, 2020 11:10 AM
To: Siddharth Jain <siddjain@live.com>; openldap-technical@openldap.org <openldap-technical@openldap.org>
Subject: Re: TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure


--On Monday, October 5, 2020 6:48 PM +0000 Siddharth Jain
<siddjain@live.com> wrote:

> TLS: during handshake: peer cert is valid, or was ignored if verification
> disabled (-9841) TLS: during handshake: Peer certificate is not trusted:
> kSecTrustResultRecoverableTrustFailure

This message comes from Apple's TLS library.  This would indicate that
you're using a hacked version of OpenLDAP.  We cannot offer support for a
hacked version of OpenLDAP.  You will need to ask Apple for help on how to
correctly configure TLS within their environment.

Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>