The openssl binaries in the 2.5 RPMs use their own build of openssl,
which doesn't appear to be configured to trust the system root
certificate store:
$ ldapsearch -H ldaps://ldap.cpp.edu/
ldap_sasl_interactive_bind: Can't contact LDAP server (-1)
	additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)
It works fine if you explicitly tell it to:
SSL_CERT_FILE=/etc/pki/tls/cert.pem ldapsearch -x -H ldaps://ldap.cpp.edu/
# extended LDIF
[...]
Is this intentional? It seems it would be useful for the openldap
utilities, which are added to the default search path, to support the
standard system root CAs.
Thanks...
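A wrapper script, added here as an example and not taken from the OpenLDAP packages or the post above, that applies the SSL_CERT_FILE workaround only when the openssl build first in PATH has no trust store of its own; the function names and the candidate bundle paths are assumptions.

```shell
#!/bin/sh
# Point a privately built openssl (as in the 2.5 RPMs) at the distribution's
# CA bundle before running ldapsearch. Hypothetical helper, not OpenLDAP code;
# the bundle paths below are common defaults, adjust for your distribution.

# Print the first readable file among the candidates given as arguments.
pick_ca_bundle() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Succeed if OPENSSLDIR ($1) already carries a usable trust store:
# either a cert.pem bundle or a non-empty certs/ hash directory.
openssldir_has_trust_store() {
    [ -r "$1/cert.pem" ] && return 0
    [ -d "$1/certs" ] && [ -n "$(ls -A "$1/certs" 2>/dev/null)" ] && return 0
    return 1
}

# Ask the openssl binary found first in PATH for its OPENSSLDIR.
openssl_dir() {
    openssl version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Export SSL_CERT_FILE only when the build's own directory has no store,
# then hand the arguments to ldapsearch unchanged.
ldapsearch_with_system_ca() {
    dir=$(openssl_dir)
    if [ -z "$dir" ] || ! openssldir_has_trust_store "$dir"; then
        bundle=$(pick_ca_bundle /etc/pki/tls/cert.pem \
                                /etc/ssl/certs/ca-certificates.crt \
                                /etc/ssl/cert.pem) || {
            echo "no system CA bundle found" >&2
            return 1
        }
        SSL_CERT_FILE=$bundle
        export SSL_CERT_FILE
    fi
    ldapsearch "$@"
}

# Runs only when given ldapsearch arguments, e.g.:
#   sh ldapsearch-sysca.sh -x -H ldaps://ldap.cpp.edu/
if [ "$#" -gt 0 ]; then
    ldapsearch_with_system_ca "$@"
fi
```

The same effect can be had per user without the wrapper by setting TLS_CACERT in ldaprc, which is read by the OpenLDAP client library itself.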