
Re: unknown CA



ThierryW wrote :
I was having the same error (unknown CA). Like you wrote, I put
TLS_CACERT /usr/local/openldap/etc/certs/CA_pubkey.pem in ldap.conf, but now I get a new error:
connection_read(14): unable to get TLS client DN error=49 id=6
then it binds anonymously..?
thierryW



Howard Chu wrote:
I have just this afternoon committed the support for the TLSCACertPath.
If you pull the latest version of libldap/tls.c from CVS you'll get it.
(But in general, you are of course welcome to fix/write anything you wish.)

As for the unknown CA problem, you need to configure your LDAP clients to
use the certs as well. It looks like you have only configured slapd so far.

You probably need to add this
	TLS_CACERT /usr/local/openldap/etc/certs/CA_pubkey.pem
to your /usr/local/openldap/etc/ldap.conf file.

-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support



-----Original Message-----
From: Tarassov Vadim [mailto:Vadim.Tarassov@winterthur.ch]
Sent: Friday, June 14, 2002 4:31 AM
To: 'Howard Chu'; Tarassov Vadim; OpenLDAP-software@OpenLDAP.org
Subject: AW: unknown CA


Hello Howard,

Do you mind if I fix it? And look, I believe there is something wrong with

openldap 2.1.2, openssl 1.9.6d

if built together on Solaris 2.6 with Forte 6 update 1. I was struggling for a few hours with those fancy error messages I've described before, but could not find anything besides the fact that s_client and s_server do work well with the same certificates. Thus, I will have to investigate this problem. I will inform you regardless of whether I succeed or not.

Cheers, Vadim Tarassov.
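
A preflight check for the client-side setting discussed in this thread, as an added example that is not part of the original messages: it confirms that ldap.conf carries a TLS_CACERT directive and that the configured path is a readable file holding a PEM certificate. The function name, the return codes and the choice to use the last occurrence of the directive are assumptions of this example.

```shell
# Added example: check the CA certificate setting in an OpenLDAP client config.
# Return codes (chosen for this example):
#   0  TLS_CACERT is set and points at a readable PEM certificate file
#   1  config unreadable, or no TLS_CACERT directive in it
#   2  the configured path is not a readable regular file
#   3  the file contains no PEM certificate block
check_ldap_cacert() {
    conf=$1
    [ -r "$conf" ] || return 1

    # The keyword is matched case-insensitively; lines starting with '#'
    # are comments and never match. Assumption: if the directive appears
    # more than once, the last occurrence is the one that counts.
    cacert=$(awk 'toupper($1) == "TLS_CACERT" {
                      $1 = ""; sub(/^[ \t]+/, ""); v = $0
                  }
                  END { print v }' "$conf")
    [ -n "$cacert" ] || return 1

    # A typo in the path (extra character, wrong directory) fails here,
    # before any TLS handshake is attempted.
    [ -f "$cacert" ] || return 2
    [ -r "$cacert" ] || return 2

    # Certificates only: a private key or an empty file is rejected.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cacert" || return 3
    return 0
}

# Usage: check_ldap_cacert /usr/local/openldap/etc/ldap.conf; echo "rc=$?"
```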