Vinh,
I believe that you have some problem with certificates. Did you use the private/public pair certificate in server/client ldap machines? Be sure to copy the /etc/openldap/cacerts/cacert.pem file from the server (public certificate file) to your ldap client machine.
On your LDAP Server slapd.conf file:
slapd.conf
....
#TLS SSL keys
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:SSLv3    <== You don't need to specify this
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/slapd-cert-ldap1.pem
TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key-ldap1.pem
#TLSVerifyClient demand
....
I am using this ldap.conf on the client machine:
#######################################################
# file: /etc/ldap.conf
# by: Gustavo Mendes de Carvalho
# when: jan/2008
#######################################################
host ldap_server
base ou=OrgUnit,o=Org,c=country
uri ldaps://ldap_server/
ldap_version 3
port 636
timelimit 120
bind_timelimit 120
idle_timelimit 3600
pam_password md5
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts
tls_reqcert never
tls_ciphers TLSv1
And this ldap.conf file:
#######################################################
# file: /etc/openldap/ldap.conf
# by: Gustavo Mendes de Carvalho
# when: jan/2008
#######################################################
URI ldaps://ldap_server:636
HOST ldap_server
BASE ou=OrgUnit,o=Org,c=country
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
I can guarantee that you will have all traffic encrypted. Put a sniffer there and you can see it.
---
Gustavo Mendes de Carvalho
email: gmcarvalho@gmail.com
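An added check for the client-side files above (example code, not part of Gustavo's message or his configuration): with `TLS_REQCERT never` / `tls_reqcert never` the session is encrypted, but the client does not request or check the server certificate, so the cacert.pem copied from the server is never consulted and the client cannot tell the real server from an impostor. The script parses an ldap.conf in either OpenLDAP or nss_ldap keyword style and reports that; the two embedded configs are constructed samples modelled on the /etc/openldap/ldap.conf quoted in the message.

```python
"""Lint ldap.conf TLS settings: does the client actually verify the LDAP server?"""
import re

# Keywords match case-insensitively: OpenLDAP's ldap.conf uses TLS_REQCERT,
# nss_ldap/pam_ldap's /etc/ldap.conf uses tls_reqcert and tls_checkpeer.
_KV = re.compile(r"^\s*([A-Za-z_]+)\s+(.+?)\s*$")


def parse_ldap_conf(text):
    """Return {lowercase_keyword: value}; a repeated keyword keeps its last value."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop comments and the '#####' banner lines
        m = _KV.match(line)
        if m:
            conf[m.group(1).lower()] = m.group(2)
    return conf


def check_tls(conf):
    """Return findings as strings; an empty list means TLS is on and the peer is verified."""
    findings = []
    ssl_mode = conf.get("ssl", "").lower()
    if not (conf.get("uri", "").lower().startswith("ldaps://") or ssl_mode in ("on", "start_tls")):
        findings.append("no TLS: neither an ldaps:// URI nor 'ssl on/start_tls'")
    reqcert = conf.get("tls_reqcert", "demand").lower()  # OpenLDAP defaults to demand
    if reqcert == "never":
        findings.append("tls_reqcert never: server certificate is not requested or checked, "
                        "so the CA file copied from the server is never consulted")
    elif reqcert == "allow":
        findings.append("tls_reqcert allow: a bad or missing server certificate is tolerated")
    if conf.get("tls_checkpeer", "").lower() == "no":
        findings.append("tls_checkpeer no: nss_ldap skips peer verification")
    if reqcert != "never" and not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        findings.append("no tls_cacertfile/tls_cacertdir: verification has no trust anchor")
    return findings


# Constructed sample modelled on the /etc/openldap/ldap.conf quoted in the message.
WEAK_CONF = """\
URI ldaps://ldap_server:636
HOST ldap_server
BASE ou=OrgUnit,o=Org,c=country
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
"""
# Constructed sample: the same file with server-certificate verification enforced.
HARDENED_CONF = WEAK_CONF.replace("TLS_REQCERT never", "TLS_REQCERT demand")

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_tls(parse_ldap_conf(text)) or ["ok"])
```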