I have an OpenLDAP server running which I am trying to get to use SSL/TLS. It works without it, but it does not work when I switch on ssl/tls.
getent passwd
returns nothing from the ldap server, and the logs show:
Jun 12 13:23:22 myhost getent: nss_ldap: failed to bind to LDAP server ldaps://ldap.mydomain.com/: Can't contact LDAP server
Jun 12 13:23:22 myhost getent: nss_ldap: could not search LDAP server - Server is unavailable
Jun 12 13:23:22 myhost slapd[31771]: conn=9 fd=15 ACCEPT from IP=x.x.x.x:59963 (IP=
Jun 12 13:23:22 myhost slapd[31771]: conn=9 fd=15 closed (TLS negotiation failure)
I have set these options in ldap.conf for the nss/pam ldap modules
tls_checkpeer yes
tls_ciphers HIGH
ssl yes
tls_cacert /etc/openldap/cacerts/slapd.cert
and I have the following options in slapd.conf:
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.cert
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
I don't think that increasing debugging in slapd will help as it looks like it's the client nss and pam ldap modules that are failing to verify the certificate. Setting
tls_checkpeer no
allows the getent to work, but of course this is insecure...

The cert file and pem file are there with the right permissions, and I am testing this from the same server that slapd is running from right now, so the cacert mentioned in the ldap.conf file is there on the local filesystem too and I copied it to the right path...

So my question is, how do I go about debugging this? I cannot see any more logging information or options to increase logging for the pam/nss modules... and I don't know much about openssl in general (I know I should but I've always hated it)