Okay. Egg on my face.
Thank you for the recommendation to build a newer release. Although it didn't end up fixing the issue per se, it forced me to dig further, to conclude that it wasn't related to the OpenLDAP version (I built a newer one) or NSS (I built it against OpenLDAP as well). As it turns out, it ended up being an SELinux issue where the process couldn't read the CA cert.
So, it turns out it was my fault, but thank you very much for the driver to look further.
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Michael Stroder
Sent: Wednesday, April 02, 2014 12:03 AM
To: Mitchell Im; openldap-technical@openldap.org
Subject: Re: LDAPS: ldapsearch working, back-ldap failing?
Mitchell Im wrote:
The OpenLDAP proxy works if it connects to the backend LDAP server via ldap://. The OpenLDAP proxy does *not* work if it connects to the backend LDAP server via ldaps://, though. What am I missing?
This is on CentOS 6.5, packages openldap-servers-2.4.23-34.el6_5.1.x86_64, nss-3.15.3-6.el6_5.x86_64 (Red Hat's decision).
I vaguely remember a bug in this old version regarding TLS CA cert configuration.
Try to set the LDAPTLS_CACERT env var when starting slapd or better use a newer release which has a fix for this.
Ciao, Michael.
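A quick check for the root cause found in the top reply (SELinux denying slapd read access to the CA cert), as an added example that is not from the thread. It assumes auditd is recording AVC denials in its standard one-line format; the audit records below are constructed samples, not real logs.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): filter auditd output down to
# the files that SELinux stopped slapd from reading. A CA cert that slapd cannot
# open shows up here while ldapsearch (running as your user) keeps working.
# Intended use on a live host:  ausearch -m avc -c slapd | slapd_read_denials
slapd_read_denials() {
    # Keep only "denied { read }" AVC records for the slapd process, then print
    # the file name and the object's SELinux type, which is the field that is
    # usually wrong (e.g. a cert copied from a home directory keeps user_home_t
    # instead of a certificate type such as cert_t; restorecon fixes the label).
    grep 'avc: *denied *{ read }' | grep 'comm="slapd"' |
    sed -n 's/.* name="\([^"]*\)".* tcontext=[^:]*:[^:]*:\([a-z_]*\):.*/\1 \2/p'
}

# Constructed sample audit records: one read denial on the CA cert for slapd,
# one unrelated write denial for slapd, and one read denial for another daemon.
SAMPLE_AUDIT='type=AVC msg=audit(1396400000.101:201): avc:  denied  { read } for  pid=2345 comm="slapd" name="ca.pem" dev="dm-0" ino=1042 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1396400000.102:202): avc:  denied  { write } for  pid=2345 comm="slapd" name="slapd.log" dev="dm-0" ino=1043 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1396400000.103:203): avc:  denied  { read } for  pid=9876 comm="httpd" name="index.html" dev="dm-0" ino=1044 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Runs the filter over the constructed records; only the CA cert denial remains.
check_sample() {
    printf '%s\n' "$SAMPLE_AUDIT" | slapd_read_denials
}

check_sample
```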