OpenLDAP: TLS error -8179:Peer's Certificate issuer is not recognized

Question

I'm not familiar with certificates and openldap. I'm trying to port someone elses work from an older OS to CentOS-6 with openldap-2.4.23. On the old OS, an ldap connection worked without issue. Now on CentOS-6, I get the following error when doing a simple bind:

TLS error -8179:Peer's Certificate issuer is not recognized.

My /etc/openldap/ldap.conf has a single line:

TLS_CACERTDIR   /etc/openldap/certs

I tried commenting out that line and putting the following into the file but that didn't change the error message I received.

tls_reqcert allow

I also tried putting only the following line in ldap.conf but that didn't change the error. I tried this based on information found in this question.

LDAPTLS_CACERT  /etc/ssl/certs/ca-bundle.crt

I copied files into the following directories:

/etc/pki/tls/certs/ca.crt

/etc/pki/tls/certs/server.crt

/etc/pki/tls/private/server.key

I have no choice but to use openldap-2.4.23. Any idea what is causing this error or what I can do to troubleshoot?

Thanks in advance. SP

Answer 1

As per http://www.zytrax.com/books/ldap/ch6/ldap-conf.html TLS_CACERT should point to the file containing the CA cert that the client will use to verify the certificate. You need to make sure the your servers CA [The CA that signed your server certificate] is present in the file that TLS_CACERT points to[in your case /etc/ssl/certs/ca-bundle.crt.