Hello experts,
I set up an OpenLDAP server some time ago and am now creating a newer server for TLS 1.3 support.
I am using a fully patched CentOS 7 server with OpenLDAP 2.4.44 and am seeing 'invalid DN' errors when authenticating to the server from my Linux client.
I will attempt to supply all of the configuration and the tests I have run so far:
########################################
ldap.conf:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net
URI ldap://openldapsec.brm.acslab.wokyourdog.net
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
TLS_CACERTDIR /etc/openldap/certs
TLS_CACERT /etc/openldap/certs/RootCA.pem
TLSCACertificateFile /etc/openldap/certs/RootCA.pem
TLSCertificateFile /etc/openldap/certs/Identity.pem
TLSCertificateKeyFile /etc/openldap/certs/Identity.key
TLSVerifyClient never
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
########################################
slapd.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# Added for policy
include /etc/openldap/schema/ppolicy.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
moduleload ppolicy.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
TLSCACertificateFile /etc/openldap/certs/RootCA.pem
TLSCertificateFile /etc/openldap/certs/Identity.pem
TLSCertificateKeyFile /etc/openldap/certs/Identity.key
database bdb
suffix "dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net"
rootdn "cn=root,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net"
rootpw {SSHA}C6RcppHr0rweEVCQW6pio6tnPCIHCGnt
# PPolicy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net"
ppolicy_use_lockout
ppolicy_hash_cleartext
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
########################################
ldapsearch output:
[root@OpenLDAP_Server openldap]# ldapsearch -H ldap://openldapsec.brm.acslab.wokyourdog.net -D "cn=root,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net" -w Siladmin123 -ZZ
# extended LDIF
#
# LDAPv3
# base <dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# openldapsec.brm.acslab.wokyourdog.net
dn: dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net
dc: openldapsec
objectClass: top
objectClass: domain
# people, openldapsec.brm.acslab.wokyourdog.net
dn: ou=people,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net
objectClass: top
objectClass: organizationalUnit
ou: people
# swadmin3, openldapsec.brm.acslab.wokyourdog.net
dn: cn=swadmin3,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net
objectClass: person
objectClass: uidObject
cn: swadmin3
sn: admin user
uid: swadmin3
userPassword:: e1NTSEF9WDdRQ2xzallYUDUvWU9sZnJyc3ZWVXhnS0xkbXB2U1o=
# search result
search: 3
result: 0 Success
# numResponses: 4
# numEntries: 3
########################################
ldapwhoami
[root@OpenLDAP_Server openldap]# ldapwhoami -vvv -h openldapsec.brm.acslab.wokyourdog.net -p 389 -D "cn=swadmin3,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net" -x -w Siladmin123
ldap_initialize( ldap://openldapsec.brm.acslab.wokyourdog.net:389 )
dn:cn=swadmin3,dc=openldapsec,dc=brm,dc=acslab,dc=wokyourdog,dc=net
Result: Success (0)
########################################
client authentication failure logs
ber_dump: buf=0x7fe684117870 ptr=0x7fe684117870 end=0x7fe68411788d len=29
0000: 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 ...w...1.3.6.1.4
0010: 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .1.1466.20037
ber_dump: buf=0x7fe684117870 ptr=0x7fe684117873 end=0x7fe68411788d len=26
0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ber_dump: buf=0x7fe684115be0 ptr=0x7fe684115be0 end=0x7fe684115c23 len=67
0000: 02 01 02 60 3e 02 01 03 04 2c 73 77 61 64 6d 69 ...`>....,swadmi
0010: 6e 33 40 6f 70 65 6e 6c 64 61 70 73 65 63 2e 62 n3@openldapsec.b
0020: 72 6d 2e 62 73 6e 6c 61 62 2e 62 72 6f 61 64 63 rm.acslab.wokyou
0030: 6f 6d 2e 6e 65 74 80 0b 53 69 6c 61 64 6d 69 6e rdog.net..Siladmin
0040: 31 32 33 123
ber_dump: buf=0x7fe684115be0 ptr=0x7fe684115be3 end=0x7fe684115c23 len=64
0000: 60 3e 02 01 03 04 2c 73 77 61 64 6d 69 6e 33 40 `>....,swadmin3@
0010: 6f 70 65 6e 6c 64 61 70 73 65 63 2e 62 72 6d 2e openldapsec.brm.
0020: 62 73 6e 6c 61 62 2e 62 72 6f 61 64 63 6f 6d 2e acslab.wokyourdog.
0030: 6e 65 74 80 0b 53 69 6c 61 64 6d 69 6e 31 32 33 net..Siladmin123
ber_dump: buf=0x7fe684115be0 ptr=0x7fe684115c16 end=0x7fe684115c23 len=13
0000: 00 0b 53 69 6c 61 64 6d 69 6e 31 32 33 ..Siladmin123
5d10d347 conn=1048 op=1 do_bind: invalid dn (swadmin3@openldapsec.brm.acslab.wokyourdog.net)
0000: 30 16 02 01 02 61 11 0a 01 22 04 00 04 0a 69 6e 0....a..."....in
0010: 76 61 6c 69 64 20 44 4e valid DN
ber_dump: buf=0x7fe6841171a0 ptr=0x7fe6841171a0 end=0x7fe6841171a5 len=5
0000: 02 01 03 42 00 ...B.
ber_dump: buf=0x7fe684107eb0 ptr=0x7fe684107eb0 end=0x7fe684107ecd len=29
0000: 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 ...w...1.3.6.1.4
0010: 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .1.1466.20037
ber_dump: buf=0x7fe684107eb0 ptr=0x7fe684107eb3 end=0x7fe684107ecd len=26
0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ber_dump: buf=0x7fe684002250 ptr=0x7fe684002250 end=0x7fe6840022ae len=94
0000: 02 01 02 60 59 02 01 03 04 47 63 6e 3d 73 77 61 ...`Y....Gcn=swa
0010: 64 6d 69 6e 33 2c 63 6e 3d 75 73 65 72 73 2c 64 dmin3,cn=users,d
0020: 63 3d 6f 70 65 6e 6c 64 61 70 73 65 63 2c 64 63 c=openldapsec,dc
0030: 3d 62 72 6d 2c 64 63 3d 62 73 6e 6c 61 62 2c 64 =brm,dc=acslab,d
0040: 63 3d 62 72 6f 61 64 63 6f 6d 2c 64 63 3d 6e 65 c=wokyourdog,dc=ne
0050: 74 80 0b 53 69 6c 61 64 6d 69 6e 31 32 33 t..Siladmin123
ber_dump: buf=0x7fe684002250 ptr=0x7fe684002253 end=0x7fe6840022ae len=91
0000: 60 59 02 01 03 04 47 63 6e 3d 73 77 61 64 6d 69 `Y....Gcn=swadmi
0010: 6e 33 2c 63 6e 3d 75 73 65 72 73 2c 64 63 3d 6f n3,cn=users,dc=o
0020: 70 65 6e 6c 64 61 70 73 65 63 2c 64 63 3d 62 72 penldapsec,dc=br
0030: 6d 2c 64 63 3d 62 73 6e 6c 61 62 2c 64 63 3d 62 m,dc=acslab,dc=w
0040: 72 6f 61 64 63 6f 6d 2c 64 63 3d 6e 65 74 80 0b kyourdog,dc=net..
0050: 53 69 6c 61 64 6d 69 6e 31 32 33 Siladmin123
ber_dump: buf=0x7fe684002250 ptr=0x7fe6840022a1 end=0x7fe6840022ae len=13
0000: 00 0b 53 69 6c 61 64 6d 69 6e 31 32 33 ..Siladmin123
0000: 30 0c 02 01 02 61 07 0a 01 31 04 00 04 00 0....a...1....
ber_dump: buf=0x7fe684118dd0 ptr=0x7fe684118dd0 end=0x7fe684118dd5 len=5
0000: 02 01 03 42 00 ...B.
Please let me know if you can spot my misconfiguration, or if you have any questions about my setup.
Thanks,
Chris