At last I found the solution!
I turned on debug 9 in /usr/local/etc/nss_ldap.conf and found that
...............
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com, issuer: /C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
TLS certificate verification: depth: 0, err: 0, subject: /C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com, issuer: /C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (127.0.0.1) does not match common name in certificate (ldap.domain.com).
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I set host to ldap.domain.com in nss_ldap.conf and ldap.conf and HURRAY! It works.
So, the problems that I found while setting up openldap+tls:

1) The CN of the CA certificate and of the ldap server certificate MUST NOT be the same.

2) The "host" variable in nss_ldap.conf and ldap.conf must be exactly the same as the CN in the server certificate.

3) Minimum configuration of tls in slapd.conf, ldap.conf and nss_ldap.conf:

slapd.conf:
    TLSCertificateFile /usr/local/etc/openldap/ssl/ldap.domain.com.crt
    TLSCertificateKeyFile /usr/local/etc/openldap/ssl/ldap.domain.com.key
    TLSCACertificateFile /usr/local/etc/openldap/ssl/root.crt

ldap.conf:
    ssl start_tls
    tls_cacertfile /usr/local/etc/openldap/ssl-client/root.crt
    # TLS_CACERT not working at all

nss_ldap.conf:
    ssl start_tls
    tls_cacertfile /usr/local/etc/openldap/ssl-client/root.crt
That's all. Thanks to Dieter Klünter and Harald for pointing in reasonable directions!
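The hostname check that produced the "does not match common name" line above is the ordinary TLS client identity check: the name the client connected to is compared against the names the server certificate asserts, and an IP literal such as 127.0.0.1 is not a DNS name. The following is an added example that is not part of the original post and not libldap's code; it models that comparison with RFC 6125 / RFC 2818 style rules (dNSName SANs take precedence, the CN is consulted only when no dNSName SAN exists, a wildcard replaces only the whole leftmost label, an IP literal matches only an iPAddress SAN). The `CertNames` class, the `hostname_matches` and `check` functions and the two sample certificates are constructed for the illustration; the first sample mirrors the certificate in the trace (CN=ldap.domain.com, no subjectAltName), the second is a hypothetical reissue with SANs that also covers the IP and an alias.

```python
# Added example (not from the original post, not libldap code): a TLS-client
# style hostname check, showing why "host 127.0.0.1" fails against a
# certificate whose only name is CN=ldap.domain.com while "host ldap.domain.com"
# succeeds. Rules follow RFC 6125 / RFC 2818 in spirit.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """The identity names a client extracts from a server certificate (assumed shape)."""
    common_name: Optional[str] = None
    dns_sans: List[str] = field(default_factory=list)   # subjectAltName dNSName entries
    ip_sans: List[str] = field(default_factory=list)    # subjectAltName iPAddress entries


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name comparison; '*' may only replace the leftmost label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # "*.domain.com" matches "ldap.domain.com" but neither "domain.com"
    # nor "a.b.domain.com"; a wildcard never covers a bare registrable name.
    if len(h_labels) != len(p_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(host: str, names: CertNames) -> bool:
    """True if the name the client connected to is asserted by the certificate."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only ever compared to iPAddress SANs, never to a DNS-style CN.
        return any(ip == ipaddress.ip_address(s) for s in names.ip_sans)
    if names.dns_sans:
        # Once dNSName SANs are present the CN is ignored entirely.
        return any(_dns_match(p, host) for p in names.dns_sans)
    if names.common_name:
        return _dns_match(names.common_name, host)
    return False


def check(host: str, names: CertNames) -> str:
    """One-line verdict in the style of the libldap debug output quoted above."""
    if hostname_matches(host, names):
        return "TLS: hostname (%s) matches certificate" % host
    presented = names.dns_sans or ([names.common_name] if names.common_name else [])
    return ("TLS: hostname (%s) does not match common name in certificate (%s)."
            % (host, ", ".join(presented) or "<none>"))


# Constructed sample modelled on the certificate in the debug trace:
# subject CN=ldap.domain.com and no subjectAltName extension.
LDAP_SERVER_CERT = CertNames(common_name="ldap.domain.com")

# Constructed hypothetical reissue of the same server certificate with SANs,
# which is what lets a client that connects by IP or by an alias still verify.
LDAP_SERVER_CERT_WITH_SANS = CertNames(
    common_name="ldap.domain.com",
    dns_sans=["ldap.domain.com", "*.domain.com"],
    ip_sans=["127.0.0.1", "192.0.2.10"],
)

if __name__ == "__main__":
    for host in ("127.0.0.1", "ldap.domain.com", "LDAP.DOMAIN.COM."):
        print(check(host, LDAP_SERVER_CERT))
    for host in ("127.0.0.1", "replica.domain.com", "domain.com"):
        print(check(host, LDAP_SERVER_CERT_WITH_SANS))
```

Run as a script, the first loop reproduces the failure from the trace for 127.0.0.1 and the success for ldap.domain.com (case and a trailing dot do not matter); the second loop shows that adding iPAddress and wildcard dNSName SANs is the alternative to changing the `host` setting, since the CN then plays no part in the comparison at all.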