Arbitrary Root CA works for TLS/SSL verification

My /etc/openldap/ldap.conf file include the following,

#TLS_CACERT /etc/pki/CA/certs/chain2root.pem #TLS_CACERT /etc/openldap/cacerts/fc5a8fxx.0 TLS_REQCERT demand

The two CAs are from different signers, but "ldapwhoami -x -ZZ" will output Anonymous (means TLS/SSL is working) when one of the two TLS_CACERT lines is uncommented. Actually the first is the right one, I just didn't expect that the second one also work.

If both are commented, I get the following error,

ldap_start_tls: Connect error (-11)     additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)

Can someone help me to understand what's wrong?

Dalton