I would start by verifying the certificate as follows.
How to troubleshoot LDAP over SSL connection problems
http://support.microsoft.com/kb/938703
Step 1: Verify the Server Authentication certificate
Make sure that the Server Authentication certificate that you use meets the following requirements:
Step 2: Verify the Client Authentication certificate
In some cases, LDAPS uses a Client Authentication certificate if it is available on the client computer. If such a certificate is available, make sure that the certificate meets the following requirements:
Step 3: Check for multiple SSL certificates
Determine whether multiple SSL certificates meet the requirements that are described in step 1. Schannel (the Microsoft SSL provider) selects the first valid certificate that Schannel finds in the Local Computer store. If multiple valid certificates are available in the Local Computer store, Schannel may not select the correct certificate. A conflict with a certification authority (CA) certificate may occur if the CA is installed on a domain controller that you are trying to access through LDAPS.
Step 4: Verify the LDAPS connection on the server
Use the Ldp.exe tool on the domain controller to try to connect to the server by using port 636. If you cannot connect to the server by using port 636, see the errors that Ldp.exe generates. Also, view the Event Viewer logs to find errors. For more information about how to use Ldp.exe to connect to port 636, click the following article number to view the article in the Microsoft Knowledge Base:
321051 How to enable LDAP over SSL with a third-party certification authority
http://support.microsoft.com/kb/321051
Step 5: Enable Schannel logging
Enable Schannel event logging on the server and on the client computer. For more information about how to enable Schannel event logging, click the following article number to view the article in the Microsoft Knowledge Base:
260729 How to enable Schannel event logging in IIS
http://support.microsoft.com/kb/260729
Your clients don't need their own certificate. They just need to trust the Certificate Authority certificate (or certificate chain) that signed the LDAP server's certificate. You didn't need to worry about this on the localhost because the CA certificate was already trusted by default.
It's not clear from your question whether the LDAP server is also the Certificate Authority and whether it is using the CA certificate as the LDAP certificate as well. Normally, these are two different certificates and the Certificate Authority lives on a different machine.
Some quick Googling indicates there's an option you can set in ldap.conf called TLS_CACERT, or an equivalent environment variable called LDAPTLS_CACERT, that you can point to a file containing any/all CA certificates in your environment (base64-encoded).
If you only have a single CA in your environment, you should be able to download a base64-encoded version of its public certificate. And if you can only find a DER-encoded version, you can use openssl to convert it to base64.
openssl x509 -inform der -in cacert.crt -out cacert.pem
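The procedure in the answer above, as an added worked example that is not part of the original answer: build the PEM bundle that TLS_CACERT / LDAPTLS_CACERT should point at, converting a DER copy of the CA certificate on the way, then check a server certificate against that bundle the same way the LDAP client library will (chain validation). It assumes only the openssl command-line tool; the CA name "Test Root CA", the server name ldap.example.test and the bundle path are made up, and every certificate is generated on the fly in a temporary directory, so no real CA or LDAP server is touched.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes the openssl CLI.
# All certificates below are constructed test data created in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print a certificate file as PEM whether it is PEM or DER already.
# PEM is detected by its header; "cat" keeps every cert in a multi-cert
# PEM file, whereas "openssl x509" would only emit the first one.
to_pem() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        cat "$1"
    else
        openssl x509 -inform der -in "$1"
    fi
}

# Concatenate every CA certificate given (PEM or DER) into one PEM bundle.
# libldap reads the whole file, so one file can carry all CAs you trust.
build_bundle() {
    out=$1; shift
    : > "$out"
    for cert in "$@"; do
        to_pem "$cert" >> "$out"
    done
    printf '%s\n' "$out"
}

# Chain-validate a server certificate against the bundle; prints OK or FAIL.
verify_server_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# The line to put in ldap.conf (or export LDAPTLS_CACERT=<bundle> instead).
ldap_conf_line() {
    printf 'TLS_CACERT %s\n' "$1"
}

# Constructed test PKI: a throwaway root CA, a server cert it signed, and an
# unrelated self-signed cert so the failure path is exercised as well.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # DER copy of the CA cert, the form some CA tools hand out as .crt/.cer
    openssl x509 -in "$dir/ca.pem" -outform der -out "$dir/ca.der"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$dir/ldap.key" -out "$dir/ldap.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ldap.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/ldap.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Rogue CA" \
        -keyout "$dir/rogue.key" -out "$dir/rogue.pem" 2>/dev/null
}

make_test_pki "$WORK"
BUNDLE=$(build_bundle "$WORK/ca-bundle.pem" "$WORK/ca.der")   # DER in, PEM out
ldap_conf_line "$BUNDLE"
echo "signed by bundled CA: $(verify_server_cert "$BUNDLE" "$WORK/ldap.pem")"   # OK
echo "unknown issuer:       $(verify_server_cert "$BUNDLE" "$WORK/rogue.pem")"  # FAIL
```

Note that openssl verify checks only the chain. With the default TLS_REQCERT setting (demand), the OpenLDAP client also checks that the name you connect with matches the certificate, so once the bundle verifies, connect using the hostname in the server's certificate rather than an IP address.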
Best Answer
Try using the -z flag, if it has it. So try this