Nei*_*eil 5 openldap ldap tls starttls
I have an OpenLDAP setup, and today I configured TLS to improve security following this guide: Configure OpenLDAP with TLS=required
Modifying cn=config with an LDIF file:
dn: cn=config
changetype: modify
add: olcSecurity
olcSecurity: tls=1
and applying it with: ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
Now, when I try to run ldapsearch, I get the following error:
ldap_start_tls: Connect error (-11)
additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
ldap_result: Can't contact LDAP server (-1)
Example:
ldapsearch -Z -x -LLL "(uid=user1)" -d -1
The most relevant part of the log:
TLS: error: connect - force handshake failure: errno 2 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x7f11c7b6e960 ptr=0x7f11c7b6e960 end=0x7f11c7b6e96e len=14
0000: 30 0c 02 01 02 60 07 02 01 03 04 00 80 00 0....`........
ber_scanf fmt ({i) ber:
ber_dump: buf=0x7f11c7b6e960 ptr=0x7f11c7b6e965 end=0x7f11c7b6e96e len=9
0000: 60 07 02 01 03 04 00 80 00 `........
ber_flush2: 14 bytes to sd 3
0000: 30 0c 02 01 02 60 07 02 01 03 04 00 80 00 0....`........
ldap_write: want=14, written=14
0000: 30 0c 02 01 02 60 07 02 01 03 04 00 80 00 0....`........
ldap_result ld 0x7f11c7add3f0 msgid 2
wait4msg ld 0x7f11c7add3f0 msgid 2 (infinite timeout)
wait4msg continue ld 0x7f11c7add3f0 msgid 2 all 1
** ld 0x7f11c7add3f0 Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Feb 4 16:22:56 2015
** ld 0x7f11c7add3f0 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x7f11c7add3f0 request count 1 (abandoned 0)
** ld 0x7f11c7add3f0 Response Queue:
Empty
ld 0x7f11c7add3f0 response count 0
ldap_chkResponseList ld 0x7f11c7add3f0 msgid 2 all 1
ldap_chkResponseList returns ld 0x7f11c7add3f0 NULL
ldap_int_select
read1msg: ld 0x7f11c7add3f0 msgid 2 all 1
ber_get_next
ldap_read: want=8, got=0
ber_get_next failed.
ldap_err2string
ldap_result: Can't contact LDAP server (-1)
ldap_free_request (origid 2, msgid 2)
ldap_free_connection 1 1
ldap_free_connection: actually freed
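To see what the client actually sent in the clear after StartTLS failed, here is an added example (not part of the question) that decodes the 14-byte message from the ber_flush2 line in the trace with a minimal BER parser. The only input is the hex dump copied from the log above; the tag numbers follow the LDAP BindRequest encoding in RFC 4511.

```python
# Minimal BER decoder for the LDAPMessage seen in the ldapsearch debug trace.
# Constructed input: the 14 bytes from the "ber_flush2: 14 bytes to sd 3" hex dump.
CAPTURED = bytes.fromhex("30 0c 02 01 02 60 07 02 01 03 04 00 80 00")


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for one short-form BER TLV."""
    tag = buf[pos]
    length = buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form lengths are not needed for this trace")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def decode_ldap_message(buf):
    """Decode LDAPMessage { messageID, protocolOp }, detailing a BindRequest."""
    tag, body, end = read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):          # outer SEQUENCE must cover the whole buffer
        raise ValueError("not a single LDAPMessage SEQUENCE")
    tag, msgid, pos = read_tlv(body, 0)
    if tag != 0x02:                             # messageID is an INTEGER
        raise ValueError("messageID must be INTEGER")
    op_tag, op, _ = read_tlv(body, pos)
    result = {"messageID": int.from_bytes(msgid, "big")}
    if op_tag != 0x60:                          # [APPLICATION 0] constructed = BindRequest
        result["op"] = "tag 0x%02x" % op_tag
        return result
    _, version, pos = read_tlv(op, 0)           # INTEGER version (3)
    _, name, pos = read_tlv(op, pos)            # OCTET STRING bind DN
    auth_tag, cred, _ = read_tlv(op, pos)       # AuthenticationChoice
    # [CONTEXT 0] primitive = simple (cleartext password); [CONTEXT 3] = SASL
    auth = {0x80: "simple", 0xA3: "sasl"}.get(auth_tag, "unknown")
    result.update({
        "op": "BindRequest",
        "version": int.from_bytes(version, "big"),
        "name": name.decode(),
        "auth": auth,
        # empty DN and empty credentials = anonymous simple bind
        "anonymous": len(name) == 0 and len(cred) == 0,
    })
    return result


if __name__ == "__main__":
    print(decode_ldap_message(CAPTURED))
```

The decoded message is an anonymous simple BindRequest (msgid 2, LDAPv3) sent on the plain port 389 connection, because a single -Z only attempts StartTLS and carries on when it fails; -ZZ makes a failed StartTLS fatal, so nothing is sent unprotected while the trust problem is being fixed.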