We have an LDAP server running with TLS enabled and have verified we can connect to it from openssl s_client. This works:
$ openssl s_client -connect ldap.foo.com:636 -cert client_tls_cert.pem -key client_tls_key.pem -state -nbio -CAfile ca_chain.pem -showcerts
But ldapsearch throws an error:
$ ldapsearch -d 1 -x -H ldaps://ldap.foo.com:636 ... -ZZ
TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841)
TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
TLS_REQCERT demand
TLS_CACERT ca_chain.pem
TLS_CACERTDIR /path/to/ca/cert
TLS_CERT client_tls_cert.pem
TLS_KEY client_tls_key.pem
The ca_chain.pem file is placed under /path/to/ca/cert. We are running ldapsearch on a Mac. Can anyone help us?
Sid
PS: we do see the following on the server:
TLS trace: SSL_accept:before SSL initialization
TLS trace: SSL_accept:before SSL initialization
TLS trace: SSL_accept:SSLv3/TLS read client hello
TLS trace: SSL_accept:SSLv3/TLS write server hello
TLS trace: SSL_accept:SSLv3/TLS write certificate
TLS trace: SSL_accept:SSLv3/TLS write key exchange
TLS trace: SSL_accept:SSLv3/TLS write certificate request
TLS trace: SSL_accept:SSLv3/TLS write server done
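A small static check of the ldap.conf TLS directives quoted above, as an added example that is not part of the original post or of OpenLDAP itself. It parses the directives, flags relative paths (which depend on the working directory of whichever process reads the file), checks that the referenced files and directory exist, and looks for the <subject-hash>.<n> entries that OpenSSL-backed clients expect in TLS_CACERTDIR. The hash-file convention is OpenSSL's; the kSecTrustResultRecoverableTrustFailure message in the post points at a Secure Transport build of the client, whose directory handling is assumed here to differ, so that finding is labelled as an OpenSSL-specific check. The filesystem tree it runs against is constructed in the block so the example works offline.

```python
import os
import re

# Accepted TLS_REQCERT levels from ldap.conf(5).
REQCERT_LEVELS = {"never", "allow", "try", "demand", "hard"}
# Directives whose value is a filesystem path.
PATH_DIRECTIVES = ("TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY")
# OpenSSL expects CA directory entries named <subject-hash>.<n>, e.g. 2e5ac55d.0
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def parse_ldap_conf(text):
    """Parse ldap.conf-style text into (DIRECTIVE, value) pairs.

    '#' starts a comment, blank lines are skipped, directive names are
    case-insensitive, and the value is everything after the first whitespace.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        entries.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return entries


def check_tls_config(text, exists=os.path.exists, isdir=os.path.isdir,
                     listdir=os.listdir):
    """Return a list of findings (strings) for the TLS_* directives in text.

    The filesystem accessors are parameters so the check can run against a
    fake tree; by default it inspects the real filesystem.
    """
    findings = []
    conf = {}
    for key, value in parse_ldap_conf(text):
        if key in conf:
            findings.append(f"{key} set more than once; {value!r} shadows {conf[key]!r}")
        conf[key] = value

    reqcert = conf.get("TLS_REQCERT", "").lower()
    if reqcert and reqcert not in REQCERT_LEVELS:
        findings.append(f"TLS_REQCERT {reqcert!r} is not one of {sorted(REQCERT_LEVELS)}")
    elif reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert} lets the session proceed with an unverified server certificate")

    for key in PATH_DIRECTIVES:
        value = conf.get(key)
        if value is None:
            continue
        if not os.path.isabs(value):
            # A relative path is resolved against the client's working directory.
            findings.append(f"{key} {value!r} is a relative path; use an absolute path")
            continue
        if key == "TLS_CACERTDIR":
            if not isdir(value):
                findings.append(f"TLS_CACERTDIR {value!r} is not a directory")
            elif not any(HASH_NAME.match(name) for name in listdir(value)):
                # OpenSSL-specific convention (assumption: other TLS backends may differ).
                findings.append(f"TLS_CACERTDIR {value!r} has no <hash>.<n> entries (OpenSSL lookup needs them; see 'openssl rehash')")
        elif not exists(value):
            findings.append(f"{key} {value!r} does not exist")

    if ("TLS_CERT" in conf) != ("TLS_KEY" in conf):
        findings.append("TLS_CERT and TLS_KEY must be set together for client authentication")
    return findings


# Constructed sample: the directives as posted, plus a fake tree in which
# ca_chain.pem sits under /path/to/ca/cert and no hash-named links exist.
SAMPLE_CONF = """\
TLS_REQCERT demand
TLS_CACERT ca_chain.pem
TLS_CACERTDIR /path/to/ca/cert
TLS_CERT client_tls_cert.pem
TLS_KEY client_tls_key.pem
"""
FAKE_TREE = {"/path/to/ca/cert": ["ca_chain.pem"]}


def fake_isdir(path):
    return path in FAKE_TREE


def fake_exists(path):
    return path in FAKE_TREE or any(
        path == d + "/" + f for d, files in FAKE_TREE.items() for f in files)


def fake_listdir(path):
    return FAKE_TREE[path]


def audit_sample(conf_text=SAMPLE_CONF):
    """Run the check against the constructed tree and return the findings."""
    return check_tls_config(conf_text, fake_exists, fake_isdir, fake_listdir)


if __name__ == "__main__":
    for finding in audit_sample():
        print("-", finding)
```

Run as-is it reports the three relative paths and the missing hash entries in the CA directory; pointing TLS_CACERT at /path/to/ca/cert/ca_chain.pem and the client files at absolute paths clears the path findings, which is the first thing to rule out before looking at trust-store differences between the openssl s_client run and the client library ldapsearch was built against.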