Having the same issues, can confirm that adding to /etc/openldap/ldap.conf "TLS_CACERT /var/service/ldap/ssl/slapd.pem" fixes ldapsearch from localhost.
Also, adding to /etc/openldap/ldap.conf "TLS_REQCERT never" on a remote SME 8.1 server fixes ldapsearch from that host too (-H ldap://... on 389). I guess that copying slapd.pem over and pointing to it with TLS_CACERT would also work.
However, I'm having intermittent failures from osTicket's LDAP auth plugin (using NET_LDAP2.php) running on this second server:
2015-06-21 15:12:03.520518500 conn=7565 op=3 STARTTLS
2015-06-21 15:12:03.520518500 conn=7565 op=3 RESULT oid= err=0 text=
2015-06-21 15:12:03.521617500 TLS: can't accept.
2015-06-21 15:12:03.521618500 TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1092
2015-06-21 15:12:03.521642500 conn=7565 fd=13 closed (TLS negotiation failure)
Am I missing something, or do these ldap.conf parameters have no effect on mod_php? Does the plugin source need LDAPTLS_REQCERT=never added?
Altogether this shouldn't even happen: the first server has a valid StartSSL certificate set up, the second SME running osTicket has only a self-signed certificate, but that shouldn't matter (TLSVerifyClient=never in slapd.conf).
Did I perhaps bump into this bug
https://bugzilla.redhat.com/show_bug.cgi?id=767832 ?
Relevant osTicket LDAP auth fragment is here:
https://github.com/osTicket/core-plugins/blob/develop/auth-ldap/authentication.php
Any ideas are welcome.
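Added example, not part of the original post: a small triage script for slapd logs like the excerpt above. It ties each OpenSSL error line to the connection that closed with "TLS negotiation failure" and marks whether the error is an alert slapd read from the peer (as `SSL3_READ_BYTES ... alert unknown ca` is, meaning the client side rejected the server's certificate chain) or one raised locally. The function name `triage`, the second connection in the sample, and the rule that error lines belong to the next closed connection are assumptions of this example.

```python
import re

# Constructed sample: the five log lines quoted in the post, followed by
# one constructed successful STARTTLS (conn=7566) for contrast.
SAMPLE_LOG = """\
2015-06-21 15:12:03.520518500 conn=7565 op=3 STARTTLS
2015-06-21 15:12:03.520518500 conn=7565 op=3 RESULT oid= err=0 text=
2015-06-21 15:12:03.521617500 TLS: can't accept.
2015-06-21 15:12:03.521618500 TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1092
2015-06-21 15:12:03.521642500 conn=7565 fd=13 closed (TLS negotiation failure)
2015-06-21 15:12:09.100000000 conn=7566 op=0 STARTTLS
2015-06-21 15:12:09.100100000 conn=7566 op=0 RESULT oid= err=0 text=
2015-06-21 15:12:09.130000000 conn=7566 fd=14 TLS established tls_ssf=256 ssf=256
"""

# "TLS: error:<code>:SSL routines:<function>:<reason> <file>:<line>"
TLS_ERR = re.compile(r"TLS: error:[0-9A-Fa-f]+:SSL routines:(\w+):(.+?) \S+:\d+$")
CLOSED = re.compile(r"conn=(\d+) fd=\d+ closed \(TLS negotiation failure\)")


def triage(log_text):
    """Map each failed connection id to [(openssl_function, reason, origin)].

    origin is "peer-alert" when the reason is a TLS alert slapd received
    from the client, "local" when slapd's own TLS stack raised the error.
    """
    pending, failures = [], {}
    for line in log_text.splitlines():
        err = TLS_ERR.search(line)
        closed = CLOSED.search(line)
        if err:
            func, reason = err.groups()
            origin = "peer-alert" if " alert " in reason else "local"
            pending.append((func, reason, origin))
        elif closed:
            # Assumption: the error lines carry no conn id, so they are
            # attributed to the next connection that closes on a TLS failure.
            failures[closed.group(1)] = pending
            pending = []
    return failures


if __name__ == "__main__":
    for conn, errors in triage(SAMPLE_LOG).items():
        for func, reason, origin in errors:
            print(f"conn={conn} {origin}: {reason} ({func})")
```

A "peer-alert" result points the investigation at the client's trust settings rather than at slapd.conf.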