genloz - 2010-12-15

Hi!
I'm having a bit of trouble understanding what's needed for LDAPS and I'm hoping someone can point me in the right direction… or towards some good resources…

On a separate Windows 2003 Server (iisserver) I set up a certificate authority for a self signed certificate.
On our domain controller (domaincontroller) I installed the generated certificate.
The ldp command successfully connects to port 636 on the domain controller.

On the linux web server (centosbox) where I'm running adldap successfully over port 389 to add and remove users from groups etc, I have openssl and openldap installed.

I'm not sure whether I've configured these properly or not.
How do you tell whether the config here is correct? I couldn't find any diagnostic tools and am confused about the two ldap.conf files:
/etc/ldap.conf
/etc/openldap/ldap.conf

Furthermore, there's no slapd.conf file as many sites on the internet suggest.

When I set up our ldaps source as:
ldap_connect("ldaps://domaincontroller:636")

I get a 'cannot bind to ad' error.

The following command produces:
ldapsearch -H "ldaps://domaincontroller" -b "" -s base -Omaxssf=0
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

And the following command:
openssl s_client -connect domaincontroller:636 -debug

produces:
Verify return code: 21 (unable to verify the first certificate)
--

I really think part of my understanding is missing here about how it all works together…

Advice greatly appreciated!!

Thanks!
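The two errors quoted in the post ("certificate verify failed" from ldapsearch and "Verify return code: 21 (unable to verify the first certificate)" from s_client) both say the same thing: the client can see the domain controller's certificate but has no trusted CA that signed it. The script below is an added example, not part of the original post, that reproduces that situation offline: it builds a throwaway CA (standing in for the CA on iisserver) and a server certificate for a host called domaincontroller (an assumed name, taken from the post), then shows OpenSSL's verification failing without the CA certificate and succeeding once the CA is supplied. All file names and subject names are constructed for the example.

```shell
#!/bin/sh
# Added example: demonstrate why "unable to verify the first certificate"
# appears and what makes the same chain verify. Nothing here touches a real
# server; every key, certificate and name is generated in a temp directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-contained OpenSSL config for the throwaway root CA, so the example does
# not depend on whatever /etc/ssl/openssl.cnf happens to contain.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Lab CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Config for the server CSR (the certificate the DC would present on 636).
cat > "$WORK/dc.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = domaincontroller
EOF

# Extensions for the issued server cert; the SAN is what a client matches
# against the host name it connected to.
cat > "$WORK/dc.ext" <<'EOF'
subjectAltName = DNS:domaincontroller
extendedKeyUsage = serverAuth
EOF

# 1. Root CA (plays the role of the CA set up on iisserver).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
  -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. Server key + CSR, then sign it with the CA (plays the role of the DC cert).
openssl req -new -newkey rsa:2048 -nodes \
  -config "$WORK/dc.cnf" -keyout "$WORK/dc.key" -out "$WORK/dc.csr" 2>/dev/null
openssl x509 -req -in "$WORK/dc.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/dc.ext" -out "$WORK/dc.pem" 2>/dev/null

# Prints 1 when verification FAILS with no CA supplied (the post's situation:
# the client has the server cert in hand but no issuer it trusts).
verify_without_ca() {
  if openssl verify "$WORK/dc.pem" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# Prints 1 when the same certificate verifies once the CA cert is supplied.
verify_with_ca() {
  if openssl verify -CAfile "$WORK/ca.pem" "$WORK/dc.pem" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# Prints 1 when the cert's SAN matches the host name the client would use.
hostname_matches() {
  if openssl verify -CAfile "$WORK/ca.pem" -verify_hostname domaincontroller \
       "$WORK/dc.pem" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

echo "verify without CA fails:   $(verify_without_ca)"   # 1
echo "verify with CA succeeds:   $(verify_with_ca)"      # 1
echo "hostname matches SAN:      $(hostname_matches)"    # 1
echo "CA cert to distribute to clients: $WORK/ca.pem"
```

On a real client the fix follows the same shape as the second function: export the CA certificate (not the DC's own certificate) from the Windows CA in PEM form, copy it to the Linux box, and point the LDAP client at it with `TLS_CACERT /path/to/ca.pem` in /etc/openldap/ldap.conf (the file the OpenLDAP library reads; `/etc/ldap.conf` belongs to the nss/pam LDAP module). `openssl s_client -connect domaincontroller:636 -CAfile /path/to/ca.pem` should then report a verify return code of 0, and `ldapsearch` can be pointed at the same file with the `LDAPTLS_CACERT` environment variable for a one-off check. The hostname function is the other check worth running: the name in the `ldaps://` URL must match the certificate's CN or SAN, or verification fails even with a trusted CA.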