15 Oct 2005 18:42

TLS with OpenLDAP

I just had a battle with OpenLDAP about TLS, and I lost miserably.

If you search Google for this error, you will get a lot of hits and almost no intelligent answers:

ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

My certificates are perfectly valid certificates, signed by my own CA (not precisely self-signed, but you'd have the same problem with those). OpenLDAP clients apparently default (at least on RHEL, SLES, and Debian) to require that LDAP server certificates be valid, including the "check against my local copy of the CA cert" step.

There are two ways to get it to work, and both are options in your ldap.conf file: TLS_REQCERT (how strictly the client checks the server certificate) and TLS_CACERT (the CA certificate it checks against). See the OpenLDAP Administrator's Guide for more information.
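The two options are not equivalent fixes for the "certificate verify failed" error: TLS_CACERT makes the verification succeed by trusting your CA, while TLS_REQCERT set to `never` or `allow` makes the client proceed even when verification fails. The following Python script, added here as an example and not taken from the post or from OpenLDAP, parses an ldap.conf-style file and reports which of those two you have. The two config fragments, the CA path and the hostnames are constructed placeholders; the accepted TLS_REQCERT values come from ldap.conf(5).

```python
"""Audit the TLS directives of an OpenLDAP client ldap.conf (added example)."""
import os

# Values accepted by TLS_REQCERT in ldap.conf(5). "never" does not ask the
# server for a certificate at all and "allow" ignores a bad one, so with
# either of them the verify error disappears without being fixed. "try"
# tolerates only a missing certificate; "demand"/"hard" (the default) abort
# the session on a missing or bad certificate.
REQCERT_VALUES = {"never", "allow", "try", "demand", "hard"}
REQCERT_TOLERATES_BAD_CERT = {"never", "allow"}


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value} for an ldap.conf-style file.

    Directives are case-insensitive, one per line, separated from the value
    by whitespace; blank lines and '#' comments are ignored.
    """
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1].strip()
    return conf


def audit_tls(conf, path_exists=os.path.exists):
    """Return a list of (severity, message) findings for the TLS settings.

    path_exists is injectable so the check can run on constructed input.
    """
    findings = []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert not in REQCERT_VALUES:
        findings.append(("error", f"TLS_REQCERT has unknown value {reqcert!r}"))
    elif reqcert in REQCERT_TOLERATES_BAD_CERT:
        findings.append(("weak", f"TLS_REQCERT {reqcert}: a server certificate that fails "
                                 "verification is accepted; the error is hidden, not fixed"))
    cacert = conf.get("TLS_CACERT")
    cacertdir = conf.get("TLS_CACERTDIR")
    if not cacert and not cacertdir:
        findings.append(("weak", "no TLS_CACERT or TLS_CACERTDIR: a certificate signed by a "
                                 "private CA cannot be verified"))
    elif cacert and not path_exists(cacert):
        findings.append(("error", f"TLS_CACERT {cacert} does not exist"))
    return findings


def audit_text(text, path_exists=os.path.exists):
    """Parse and audit an ldap.conf given as a string."""
    return audit_tls(parse_ldap_conf(text), path_exists)


# Constructed ldap.conf fragments (not from the post): the setting that only
# silences the error, and the one that establishes trust in the private CA.
WEAK_CONF = """
BASE   dc=example,dc=com
URI    ldap://ldap.example.com
TLS_REQCERT never
"""

FIXED_CONF = """
BASE   dc=example,dc=com
URI    ldap://ldap.example.com
# placeholder path: point it at the PEM file of the CA that signed the server cert
TLS_CACERT /etc/openldap/cacerts/my-ca.pem
TLS_REQCERT demand
"""

if __name__ == "__main__":
    # path_exists is stubbed so the demo does not depend on local files
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        for sev, msg in audit_text(conf, path_exists=lambda p: True):
            print(f"{name}: [{sev}] {msg}")
```

Run it against a real file with `audit_text(open("/etc/openldap/ldap.conf").read())` (the default `path_exists` then checks that the CA file is actually present); an empty result means the client both verifies the server certificate and has a CA to verify it against.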

And a word to the wise: don't set your RHEL system that is authenticating with LDAP to require TLS and then log out, until you've verified that it actually is working. Why RHEL won't let root log in if LDAP isn't working is a bug I still have to chase down, but it's sure made my afternoon stressful.