The openssl binaries in the 2.5 RPMs use their own build of openssl, which doesn't appear to be configured to trust the system root certificate store:
$ ldapsearch -H ldaps://ldap.cpp.edu/ ldap_sasl_interactive_bind: Can't contact LDAP server (-1) additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)
It works fine if you explicitly tell it to:
SSL_CERT_FILE=/etc/pki/tls/cert.pem ldapsearch -x -H ldaps://ldap.cpp.edu/ # extended LDIF [...]
Is this intentional? It seems it would be useful for the openldap utilities, which are added to the default search path, to support the standard system root CA's.
Thanks...