(I mistakenly posted this at openldap-its earlier. Apologies if anyone saw it there.)
 
Hello,

We have an LDAP server running with TLS enabled and have verified that we can connect to it from openssl s_client. This works:

$ openssl s_client -connect ldap.foo.com:636 -cert client_tls_cert.pem -key client_tls_key.pem -state -nbio -CAfile ca_chain.pem -showcerts

But ldapsearch throws an error:

$ ldapsearch -d 1 -x -H ldaps://ldap.foo.com:636 ... -ZZ

TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841)
TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure

We followed the instructions given at https://www.openldap.org/doc/admin24/tls.html#Client%20Configuration. We edited /etc/openldap/ldap.conf like so:

TLS_REQCERT demand
TLS_CACERT      ca_chain.pem
TLS_CACERTDIR   /path/to/ca/cert
TLS_CERT        client_tls_cert.pem
TLS_KEY         client_tls_key.pem

The ca_chain.pem file is placed under /path/to/ca/cert. We are running ldapsearch on a Mac. Can anyone help us?

Sid

PS: we do see the following on the server:

TLS trace: SSL_accept:before SSL initialization
TLS trace: SSL_accept:before SSL initialization
TLS trace: SSL_accept:SSLv3/TLS read client hello
TLS trace: SSL_accept:SSLv3/TLS write server hello
TLS trace: SSL_accept:SSLv3/TLS write certificate
TLS trace: SSL_accept:SSLv3/TLS write key exchange
TLS trace: SSL_accept:SSLv3/TLS write certificate request
TLS trace: SSL_accept:SSLv3/TLS write server done
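The following is an added example, not part of Sid's message or of OpenLDAP itself: a small POSIX sh lint for the TLS_* directives of a client ldap.conf like the one above. It checks the two things that the posted configuration leaves open and that commonly produce a "peer certificate is not trusted" handshake failure on an OpenSSL-backed client: relative paths in TLS_CACERT/TLS_CERT/TLS_KEY (libldap resolves them against the working directory of the ldapsearch process, not against /etc/openldap), and a TLS_CACERTDIR that merely contains a .pem file rather than the hash-named links produced by c_rehash, which is how the OpenLDAP admin guide says that directory must be managed. The sample config and the temporary directory layout in demo() are constructed to mirror the post; the path names are placeholders, not real files.

```shell
#!/bin/sh
# Added example (not from the original post): lint the TLS_* directives of an
# OpenLDAP client ldap.conf for two setup mistakes that produce a
# "peer certificate is not trusted" handshake failure:
#   1. relative paths in TLS_CACERT/TLS_CERT/TLS_KEY (resolved against the cwd
#      of the ldapsearch process, not against /etc/openldap);
#   2. a TLS_CACERTDIR holding plain .pem files instead of the c_rehash
#      hash-named links the OpenSSL directory lookup expects (e.g. 3a1b2c4d.0).
# The sample config in demo() is constructed to mirror the post.

# Print the first value of DIRECTIVE in FILE (directive names are
# case-insensitive), skipping comments and blank lines.
conf_get() {  # usage: conf_get FILE DIRECTIVE
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        toupper($1) == toupper(key) { print $2; exit }
    ' "$1"
}

# Exit status 0 when PATH is absolute, 1 otherwise.
is_absolute() { case "$1" in /*) return 0 ;; *) return 1 ;; esac; }

# Exit status 0 when DIR contains at least one c_rehash-style entry
# (eight hex digits, a dot, a number), 1 otherwise.
has_hashed_certs() {  # usage: has_hashed_certs DIR
    [ -d "$1" ] || return 1
    for f in "$1"/*; do
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) return 0 ;;
        esac
    done
    return 1
}

# Print one finding per line; the exit status is the number of findings.
lint_tls_conf() {  # usage: lint_tls_conf FILE
    conf=$1
    n=0
    req=$(conf_get "$conf" TLS_REQCERT)
    case "$req" in
        never|allow|try|demand|hard|"") ;;
        *) echo "TLS_REQCERT: unknown value '$req'"; n=$((n + 1)) ;;
    esac
    for d in TLS_CACERT TLS_CERT TLS_KEY; do
        v=$(conf_get "$conf" "$d")
        [ -n "$v" ] || continue
        if ! is_absolute "$v"; then
            echo "$d: '$v' is relative; ldapsearch resolves it against its cwd"
            n=$((n + 1))
        fi
    done
    dir=$(conf_get "$conf" TLS_CACERTDIR)
    if [ -n "$dir" ] && ! has_hashed_certs "$dir"; then
        echo "TLS_CACERTDIR: '$dir' has no hash-named files; run c_rehash on it"
        n=$((n + 1))
    fi
    return $n
}

# Demo on a constructed copy of the post's configuration in a temp dir.
# Returns the number of findings (4 for this config).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/cadir"
    : > "$tmp/cadir/ca_chain.pem"          # a bare .pem dropped in, as in the post
    cat > "$tmp/ldap.conf" <<EOF
TLS_REQCERT demand
TLS_CACERT      ca_chain.pem
TLS_CACERTDIR   $tmp/cadir
TLS_CERT        client_tls_cert.pem
TLS_KEY         client_tls_key.pem
EOF
    rc=0
    lint_tls_conf "$tmp/ldap.conf" || rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run it as `sh lint_ldap_tls.sh` after appending a `demo` call, or source it and point `lint_tls_conf` at the real /etc/openldap/ldap.conf. Two caveats the script cannot check for you: `-ZZ` issues the StartTLS extended operation and is meant for ldap:// URLs, whereas an ldaps:// session is already TLS before any LDAP operation is sent; and `kSecTrustResultRecoverableTrustFailure` is an Apple Security framework result code, which indicates that this ldapsearch build evaluates trust through the macOS Secure Transport stack rather than OpenSSL, so the file-based checks above describe OpenSSL-backed clients and it is an assumption on my part that the same directives are honoured on that build.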