Hi, I'm having some trouble with OpenLDAP with TLS.
I can't seem to do `ldapsearch -x -LLL -ZZ`, as it is giving me back
"SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
On the server side log I'm getting (note that "alert read" means the server received this alert from the client):
TLS trace: SSL3 alert read: fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1053
I've tried and tested my SSL connection using:
openssl s_client -connect ldap1.mylan:636 -showcerts -state -CAfile /usr/local/etc/openldap/cacert.pem
and that works, although if I use "TLSVerifyClient demand" in slapd.conf, the server will reject the connection, saying that the client didn't send a certificate.
I also tried the client-authentication SSL test, and that works with and without the TLSVerifyClient demand option:
openssl s_client -connect ldap1.mylan:636 -state \
-CAfile /usr/local/etc/openldap/cacert.pem \
-cert /usr/local/etc/openldap/slapd-cert-ldap1.pem \
-key /usr/local/etc/openldap/slapd-key-ldap1.pem
Does anyone know what I'm doing wrong?
Here is the TLS part of my configs:
slapd.conf
....
#TLS SSL keys
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:SSLv3
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/slapd-cert-ldap1.pem
TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key-ldap1.pem
#TLSVerifyClient demand
....
ldap.conf
BASE dc=mylan
HOST ldap1.mylan
#URI ldaps://127.0.0.1:636
TLS_CACERT /usr/local/etc/openldap/cacert.pem
.....
/etc/ldap.conf
# network or connect timeouts (see bind_timelimit).
host 127.0.0.1
# The distinguished name of the search base.
#base dc=caplan,dc=org
base dc=mylan
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
host ldap1.mylan
#uri ldap://127.0.0.1/
#uri ldap://127.0.0.1/ ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=NonAnon,dc=caplan,dc=org
# The credentials to bind with.
# Optional: default is no credential.
#bindpw SeCrEt
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=root,dc=padl,dc=com
# The port.
# Optional: default is 389.
port 389
..
...
..
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
tls_cacertfile /usr/local/etc/openldap/cacert.pem
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
Thanks,
Vinh