
Re: Antw: Intermediate certificates not being sent



On Thursday, July 28, 2016 8:07:43 AM PDT, Nat Sincheler wrote:

On 7/27/2016 11:19 PM, Ulrich Windl wrote:
...
Message <991f77f9-fd05-eb9b-7f07-f350c4a7bc68@macrotex.net>:
 ...

%  grep -R Certificate *.ldif

olcTLSCACertificatePath: /etc/ssl/certs
olcTLSCertificateFile: /etc/ssl/certs/server.pem
olcTLSCertificateKeyFile: /etc/ssl/private/server.key

% directory2:/etc/ldap# openssl verify -CApath /etc/ssl/certs -verbose /etc/ssl/certs/server.pem

/etc/ssl/certs/server.pem: OK

So, the openssl command line can find the certificate chain. Why can't openldap?

Of course, the problem is not in OpenLDAP but in the SSL library that your build of OpenLDAP is using. The chances are good that your build is using GnuTLS. GnuTLS does not support a CA Certificate Path; you have to put all of the CA cert chain in a single file and use olcTLSCACertificateFile instead.

Bill

--
"Can't sing louder than the guns when I'm gone,
so I guess I'll have to do it while I'm here."

Phil Ochs
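The fix described above, worked through as an added example (this is not code from the thread, from OpenLDAP or from GnuTLS): build the single CA-chain file, prove with openssl that the hashed -CApath directory passes while a lone root file fails and the bundle passes, check the bundle is in issuing order, and write the cn=config LDIF that swaps olcTLSCACertificatePath for olcTLSCACertificateFile. The root -> intermediate -> server PKI, the name ldap.example.test and the target path /etc/ssl/certs/ca-chain.pem are constructed test data and assumptions; the script needs openssl 1.1.0 or later for the -no-CApath / -no-CAfile flags. Those flags matter for the check the poster ran: without them, openssl verify also consults the default CA directory, so a bundle can look complete only because the intermediate happens to be installed system-wide.

```shell
#!/bin/sh
# Added example, not from the thread, OpenLDAP or GnuTLS.  Builds the single
# CA-chain file a GnuTLS-linked slapd needs, checks it with openssl, and
# writes the cn=config LDIF.  The PKI below is throwaway test data; the
# names, ldap.example.test and /etc/ssl/certs/ca-chain.pem are assumptions.
set -eu

# Constructed test PKI under $1 (in real life these files come from your CA).
make_test_pki() {
    d=$1; cfg=$d/openssl.cnf
    mkdir -p "$d/certs"
    cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectAltName = DNS:ldap.example.test
EOF
    keyopts="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"  # fast P-256 keys
    # stderr is silenced only to keep the demo output short; set -e still aborts on failure
    openssl req -new -x509 $keyopts -config "$cfg" -extensions ca_ext -days 2 \
        -subj "/CN=Example Test Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new $keyopts -config "$cfg" -subj "/CN=Example Test Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 2 -extfile "$cfg" -extensions ca_ext -out "$d/int.pem" 2>/dev/null
    openssl req -new $keyopts -config "$cfg" -subj "/CN=ldap.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -extfile "$cfg" -extensions leaf_ext -out "$d/server.pem" 2>/dev/null
    # Hashed directory in the layout olcTLSCACertificatePath / -CApath expects:
    # one <subject-hash>.0 file per CA (hash collisions would need .1, .2, ...).
    for ca in root int; do
        cp "$d/$ca.pem" "$d/certs/$(openssl x509 -noout -hash -in "$d/$ca.pem").0"
    done
}

# The check the original poster ran: path validation through the hashed directory.
verify_via_capath() { openssl verify -no-CAfile -CApath "$1/certs" "$1/server.pem" >/dev/null 2>&1; }

# The check that matters for GnuTLS: one file ($1) must explain the server cert
# ($2) on its own.  -no-CApath keeps the system directory out of the result.
verify_via_cafile() { openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; }

# Concatenate the chain in issuing order: the server's issuer first, the root last.
build_bundle() { cat "$1/int.pem" "$1/root.pem" > "$1/ca-chain.pem"; }

cert_name() { openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | cut -d= -f2-; }

# Reject a mispasted bundle: cert i must be issued by cert i+1, the last must be
# self-signed, and there must be at least an intermediate and a root.
check_bundle_order() {
    b=$1; t=$(mktemp -d); n=$(grep -c 'BEGIN CERTIFICATE' "$b" || true)
    [ "$n" -ge 2 ] || { echo "$b: expected intermediate plus root, got $n cert(s)" >&2; rm -rf "$t"; return 1; }
    awk -v dir="$t" '/-----BEGIN CERTIFICATE-----/{i++} {print > (dir "/" i ".pem")}' "$b"
    i=1
    while [ "$i" -le "$n" ]; do
        j=$((i + 1)); [ "$j" -le "$n" ] || j=$i    # root: issuer must equal its own subject
        if [ "$(cert_name issuer "$t/$i.pem")" != "$(cert_name subject "$t/$j.pem")" ]; then
            echo "$b: certificate $i was not issued by certificate $j" >&2; rm -rf "$t"; return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$t"
}

# LDIF for cn=config ($1 = bundle path on the server, $2 = output file).  The delete
# fails with noSuchAttribute if olcTLSCACertificatePath is not set; drop it in that case.
write_ldif() {
    cat > "$2" <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $1
-
delete: olcTLSCACertificatePath
EOF
}

main() {
    w=$(mktemp -d)
    make_test_pki "$w"; build_bundle "$w"
    verify_via_capath "$w"                              && echo "-CApath certs/:        OK   (what the poster saw)"
    verify_via_cafile "$w/root.pem" "$w/server.pem"     || echo "-CAfile root.pem:      FAIL (intermediate missing)"
    verify_via_cafile "$w/ca-chain.pem" "$w/server.pem" && echo "-CAfile ca-chain.pem:  OK"
    check_bundle_order "$w/ca-chain.pem"                && echo "bundle order:          OK"
    write_ldif /etc/ssl/certs/ca-chain.pem "$w/tls.ldif"; cat "$w/tls.ldif"
    rm -rf "$w"
}
main
```

On the real server, copy the bundle into place, apply the LDIF with `ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif`, and then look at what slapd actually hands out rather than at the files: `openssl s_client -connect directory2:636 -showcerts </dev/null` (or `-starttls ldap` against port 389 with OpenSSL 1.1.1 or later) prints every certificate in the served chain, so a missing intermediate shows up as a chain of length one.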