Hi,
Having just updated our SSL certificates on our OpenLDAP server led us to review the contents of our "bundle" file referenced in "olcTLSCACertificateFile".
The documentation at https://www.openldap.org/doc/admin24/tls.html states: "This directive specifies the PEM-format file containing certificates for the CA's that slapd will trust. The certificate for the CA that signed the server certificate must be included among these certificates. If the signing CA was not a top-level (root) CA, certificates for the entire sequence of CA's from the signing CA to the top-level CA should be present. Multiple certificates are simply appended to the file; the order is not significant."
However, based on our understanding of how SSL works, we should only actually need the intermediate(s) in there, as the client should have the root and then compare the intermediate provided by the server and only trust it if it can use this in conjunction with its copy of the root certificate to complete the chain of trust.
Based on this, we configure our web servers to only have the intermediate(s) in their chain (and in fact SSL Labs marks you down if you have the root in there too).
Of course we do realise LDAP is not HTTP!
We're running OpenLDAP 2.4.47 linked against OpenSSL on Scientific Linux 7.5.
Kind regards, Mark
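As an added example (not part of the original message, and not OpenLDAP's own code), a shell script that splits a PEM bundle of the kind olcTLSCACertificateFile points at, labels each certificate as a self-signed root or an intermediate, and then shows what OpenSSL's own `openssl verify -CAfile` makes of a bundle with and without the root. The root/intermediate/server hierarchy is generated on the fly and all names and paths are constructed; it shows OpenSSL's verifier behaviour only, not how slapd itself consumes the file.

```shell
# Added example, not from the original post: inspect a PEM bundle of the kind
# olcTLSCACertificateFile points at. classify_bundle reports each certificate
# as a self-signed root (subject == issuer) or an intermediate; verify_leaf
# checks whether a server certificate chains to a trust anchor found in the
# bundle using OpenSSL's own verifier. A throw-away root -> intermediate ->
# server hierarchy is generated so this runs offline; names are constructed.
set -eu

# classify_bundle BUNDLE: one word per certificate, in file order
classify_bundle() {
    tmp=$(mktemp -d); out=""
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/c" n ".pem")}' "$1"
    for f in "$tmp"/c*.pem; do
        subj=$(openssl x509 -in "$f" -noout -subject)
        iss=$(openssl x509 -in "$f" -noout -issuer)
        # strip the "subject=" / "issuer=" prefixes before comparing the DNs
        if [ "${subj#subject=}" = "${iss#issuer=}" ]; then out="$out root"; else out="$out intermediate"; fi
    done
    rm -rf "$tmp"; printf '%s\n' "${out# }"
}

# verify_leaf BUNDLE LEAF: "ok" if LEAF chains to a self-signed anchor in BUNDLE
verify_leaf() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# make_test_pki DIR: root.pem (self-signed), int.pem (signed by root), srv.pem
# (signed by int), plus two bundles to compare: with and without the root.
make_test_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    for n in root int srv; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" \
            -subj "/CN=example $n" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -out "$d/srv.pem" 2>/dev/null
    cat "$d/int.pem" "$d/root.pem" > "$d/bundle_with_root.pem"
    cp "$d/int.pem" "$d/bundle_int_only.pem"
}

work=$(mktemp -d); make_test_pki "$work"
for b in bundle_with_root bundle_int_only; do
    echo "$b: [$(classify_bundle "$work/$b.pem")] -> $(verify_leaf "$work/$b.pem" "$work/srv.pem")"
done
```

Run against a real bundle with `classify_bundle /path/to/bundle.pem` to see whether it carries a self-signed root at all, which is the first thing to establish before deciding what the file should contain.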