strange ldapsearch error
Hello,
When I installed OpenLDAP 2.3.9 + OpenSSL 0.9.8c + BerkeleyDB 4.3, I configured LDAP with a self-signed certificate,
then ran slapd as slapd -h "ldaps://:636". Yes, port 636 was open, and on my own client computer I could use LAT tools to access the LDAP server. But I found an issue that made me very confused. Also on my client computer (192.168.123.33), I modified "/etc/openldap/ldap.conf" as follows:
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.4.8.6 2000/09/05 17:54:38 kurt Exp $
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
base dc=plasmon,dc=sit
uri ldaps://192.168.123.33:636
ssl on
Then I issued ldapsearch and got the error messages:
[root@localhost openldap]# ldapsearch -x
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
The strange thing is this: when I tried other client computers which have the same OS as 192.168.123.33, and also modified "/etc/openldap/ldap.conf" as in the text above, the other two ran well and ldapsearch could return the entries from the LDAP server.
I've checked my own settings so many times, but I still got the "error:14090086" message.
I added "TLS_REQCERT allow" in "/etc/openldap/ldap.conf" just now, then "ldapsearch -x" could return the entries.
Only this computer has this issue. The other clients do not need the TLS_REQCERT string added.
Would you please give me some advice on how to check and fix this issue?
Any help appreciated.
Thanks and regards,
Phillip
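
An added example, not part of the message above and not OpenLDAP's own tooling: shell functions that report which certificate-checking settings an ldap.conf-style file actually sets, so the failing client's file can be compared with the working ones. The function names conf_get and audit_tls, the status labels, and the sample file are constructed for this illustration.

```shell
#!/bin/sh
# Added example: report how an ldap.conf-style file configures
# server-certificate checking for OpenLDAP client tools.

# Print the last value given for a keyword; keywords are case-insensitive.
conf_get() {  # usage: conf_get FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*#/ { next }                       # skip comment lines
        toupper($1) == toupper(key) { val = $2 }  # later lines override earlier ones
        END { print val }' "$1"
}

# Print one status line: WEAK, NO_CA, MISSING_CA or OK.
audit_tls() {  # usage: audit_tls FILE
    reqcert=$(conf_get "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
    cacert=$(conf_get "$1" TLS_CACERT)
    cadir=$(conf_get "$1" TLS_CACERTDIR)
    case "$reqcert" in
        never|allow)
            # At these levels the session proceeds even if the
            # server certificate fails verification.
            echo "WEAK: TLS_REQCERT $reqcert"
            return 0 ;;
    esac
    if [ -z "$cacert" ] && [ -z "$cadir" ]; then
        echo "NO_CA: no TLS_CACERT or TLS_CACERTDIR in $1"
    elif [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "MISSING_CA: $cacert is not readable"
    elif [ -n "$cadir" ] && [ ! -d "$cadir" ]; then
        echo "MISSING_CA: $cadir is not a directory"
    else
        echo "OK: TLS_REQCERT ${reqcert:-unset}, CA ${cacert:-$cadir}"
    fi
}

# Constructed sample: the client file from the message plus the workaround line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
base dc=plasmon,dc=sit
uri ldaps://192.168.123.33:636
TLS_REQCERT allow
EOF
audit_tls "$sample"
rm -f "$sample"
```

Running audit_tls on /etc/openldap/ldap.conf on each client shows whether the files really set the same options. ldap.conf(5) also takes settings from ~/.ldaprc and LDAP* environment variables, which these functions do not inspect.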