OpenLDAP as a ldap->ldaps proxy for apache to AD

[Don Wood <donald.j.wood@gmail.com>]

Hello,

I am having trouble setting up OpenLDAP as a ldap->ldaps proxy for
apache to AD authentication.  The proxy is running on debian sarge and
I am using the standard packages.

I can see Apache connecting to OpenLDAP, and OpenLDAP connecting to
the AD server, but it appears that there are errors in the bind phase
for the SSL connection.

When I run "slapd -d 16383" I get the below messages in the dump.

TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 20, subject: /O=RSA
Security Inc./CN=RSA Public Root CA
v1/emailAddress=rsakeonrootsign@rsasecurity.com, issuer: /L=ValiCert
Validation Network/O=ValiCert, Inc./OU=ValiCert Class 3 Policy
Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
TLS certificate verification: Error, unable to get local issuer certificate

In slapd.conf I did not do any certificate configuration, as appache
will not be connecting with SSL.  OpenLDAP runs as root, so all of my
SSL configuration is in ~root/.ldaprc.  Am I understanding correctly
that this is how it should be done.  I have double-checked the paths
to the cert files, and they are all PEM encoded.  I also know the
files are valid because Apache is using them for server authentication
to the client.

Here are what I believe to be the applicable lines from my configuration.

/etc/ldap/slapd.conf
database       ldap
suffix         "ou=people,dc=dir,dc=svc,dc=DOMAIN,dc=com"
uri            "ldaps://AD_SERVER.DOMAIN.com:636"

~~root/.ldaprc
TLS_CACERT /opt/cert/SSLchain.pem
TLS_CERT /opt/cert/host.domain.com.crt
TLS_KEY /opt/cert/host.domain.com.key
TLS_REQCERT demand

Not sure what I'm missing, but I'm new to OpenLDAP so it could be
something basic.  (I have checked the man pages, other docs,  and
searched the mailing lists.)