Date: Tue, 3 Nov 2015 07:50:01 +0100
From: "Herbert J. Skuhra"
To: freebsd-questions@freebsd.org
Subject: Re: ldapsearch over SSL can not bind
Message-ID: <20151103065001.GA24103@oslo.ath.cx>
In-Reply-To: <20151102162214.GB1775@c720-r276659>

On Mon, Nov 02, 2015 at 05:22:14PM +0100, Matthias Apitz wrote:
>
> Hello,
>
> I'm trying to make from FreeBSD a LDAPsearch in some Novell eDirectory
> with the following command:
>
> $ ldapsearch -Z -H ldaps://romega:1027 -b 'ou=person,o=uni' -D 'cn=XXXXXXXXXX,ou=service,o=uni' -w XXXXXXXXXX
> ldap_start_tls: Can't contact LDAP server (-1)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Have you tried the TLS_ vars in ldap.conf(5); e.g. TLS_CACERT, TLS_REQCERT?

--
Herbert
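
An ldap.conf fragment for the TLS_CACERT and TLS_REQCERT options named in the reply, added here as an illustration and not part of either message. The CA file path is an assumed placeholder, and the ldap.conf location is the usual one for the FreeBSD OpenLDAP client port.

```conf
# /usr/local/etc/openldap/ldap.conf
# (system-wide OpenLDAP client configuration; a per-user ~/.ldaprc
#  accepts the same TLS_CACERT / TLS_REQCERT options)

# "self signed certificate in certificate chain" means the server's chain
# ends in a root CA that the client does not trust. Point TLS_CACERT at a
# PEM file holding that CA certificate, obtained from the directory
# administrator. The path below is an assumption; use your own.
TLS_CACERT    /usr/local/etc/openldap/certs/edirectory-ca.pem

# Verification policy for the server certificate:
#   demand  certificate required and must verify, else the session is
#           terminated (this is the default)
#   try     no certificate: session proceeds; bad certificate: terminated
#   allow   certificate requested, but the session proceeds even if it is
#           missing or fails verification
#   never   certificate is neither requested nor checked
TLS_REQCERT   demand

# Weak setting, shown for contrast only. It makes the error in the quoted
# output disappear, but the client then accepts any certificate, so the
# simple-bind DN and password given with -D/-w go to whichever host
# answers on that port.
# TLS_REQCERT never
```

For a one-off check without editing the file, the same option can be set through the environment as LDAPTLS_CACERT, as described in ldap.conf(5).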