how to force openssl command to read ldap.conf by default?

[natadecoco]

Hi,

I'm stuck with this openssl problem for a week... What I'm trying to do is to enable SSL via Open Directory. Here is what I did so far:



- Exported self-signed root certificate authority and certificate from server in .csr format, renamed to .pem and imported this CA in client machine via Keychain Access App. (later also copied to /etc/openldap/mycert)

- At Terminal window I entered: <openssl s_client -connect aaa.example.com:636 -showcert"> and copied the server certificate that begin with "----BEGIN CERTIFICATE----", pasted on Textedit and saved it with a name "mycert.pem".

- under /etc/openldap I created mycert directory and pasted those two pem file mentioned above, and rehashed with command <sudo c_rehash> and it created link files that have a .0 extension.

- at this moment I redo <openssl s_client -connect aaa.example.com:636 -CApath /etc/openldap/mycert> and it returns "Verify return code: 0 (ok)".

- I thought everything's fine so I modified /etc/openldap/ldap.conf and added the line "TLS_CACERTDIR /etc/openldap/mycert", so that I run again openssl command without -CAPath and then it returned "Verify return code: 21 (unable to verify the first certificate)". What's wrong here...?

- when I run the command <ldapsearch -V -x -H ldaps://aaa.example.com:636 -b "dc=aaa,dc=example,dc=com"> it returns "result: 0 success". I also opened Directory Utility and double clicked LDAPv3 in the Services tab, and ticked "SSL" box. It seemed that everything went well, but when I restart my iMac/Macbook, at the login window it doesn't show available directory network anymore (without SSL works fine).



my enviroment is:
Intel imac 24 late 2006 - snow leopard 10.6.8 Server,
Intel imac 27 late 2009 - snow leopard 10.6.8,
macbook pro Intel 2011 - snow leopard 10.6.8.

If anyone knows how to force openssl to real properly ldap.conf file, or knows how to fix this problem, please answer me. Thanks!