There are two ways of configuring the CA trust for the OpenLDAP libraries that are used by Keystone:
Method 1:
---------
1 - Copy the file containing your CA certificate chain (in PEM format) to /etc/openldap/certs.
2 - Edit /etc/openldap/ldap.conf and add the following directive:
    TLS_CACERT /etc/openldap/certs/<ca file>
Be sure to replace <ca file> with the filename that was chosen for your CA certificate chain.
Method 2:
---------
1 - Use certutil to import and trust your CA certificate chain into the NSS certificate database that is used by the OpenLDAP client libraries:
    certutil -d /etc/openldap/certs -A -n "My CA" -t CT,, -a -i <ca file>
Be sure to replace <ca file> with the filename that was chosen for your CA certificate chain.
You can use a more appropriate certificate nickname for the '-n' option. This nickname is used to identify the certificate in the NSS database.
2 - Confirm that the CA certificate was imported correctly:
    certutil -d /etc/openldap/certs -L
Your CA certificate should be listed, and the trust attributes should be set to "CT,,".
Please also document how to create the cacert.pem file. It's got a header and a footer, and the contents of the ldap query that obtained the certificate:
-----BEGIN CERTIFICATE-----
MIIDbzCCAlegAwIBAgIQQD14hh1Yz7tPFLXCkKUOszANB....
-----END CERTIFICATE-----
I'd also document the step that checks if ldaps is working, so that users can better troubleshoot their problem if something is not working and they're not sure if the cert file was created correctly or not. Run this query:
    LDAPTLS_CACERT=/path/to/cacert.pem ldapsearch -xLLL -ZZ -H $LDAPURL -D "$ADMIN_DN" -w "$ADMINPASSWORD" -s base -b "" "objectclass=*" currenttime
It should return something like:
    dn:
    currentTime: 20141022050611.0Z
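As an added illustration of the cacert.pem step discussed above (this is example code, not part of the thread or of Keystone/OpenLDAP), the script below takes the LDIF that ldapsearch prints for a CA certificate attribute, unfolds the continuation lines, base64-decodes the value, and writes it out with the BEGIN/END CERTIFICATE header and footer at 64 characters per line. It also includes a sanity check a user can run on the resulting file before pointing TLS_CACERT or LDAPTLS_CACERT at it. The attribute name (cACertificate, possibly with a ;binary option), the sample DN and the certificate bytes are all constructed assumptions; the sample value is not a real certificate.

```python
import base64
import re

# Constructed sample: a fake DER blob that starts with the ASN.1 SEQUENCE tag
# (0x30) like a real certificate would. Not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

# LDIF folds long values: continuation lines start with a single space.
def _fold(attr_prefix, value, width=60):
    lines = [attr_prefix + value[:width]]
    for i in range(width, len(value), width):
        lines.append(" " + value[i:i + width])
    return "\n".join(lines)

# Constructed LDIF shaped like `ldapsearch -LLL` output. The DN and the
# attribute name are assumptions; a "::" separator means the value is base64.
SAMPLE_LDIF = (
    "dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=com\n"
    "objectClass: pkiCA\n"
    + _fold("cACertificate;binary:: ", base64.b64encode(SAMPLE_DER).decode("ascii"))
    + "\n"
)

def unfold_ldif(text):
    """Join LDIF continuation lines back onto the line they belong to."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def extract_der_certs(ldif_text, attr="cACertificate"):
    """Return the DER bytes of every base64 ('::') value of `attr`.

    Attribute options such as ';binary' are accepted and ignored.
    """
    pattern = re.compile(r"^" + re.escape(attr) + r"(?:;[\w-]+)*::\s*(\S+)\s*$",
                         re.IGNORECASE)
    certs = []
    for line in unfold_ldif(ldif_text):
        m = pattern.match(line)
        if m:
            certs.append(base64.b64decode(m.group(1)))
    return certs

def der_to_pem(der):
    """Wrap DER bytes in the PEM header/footer with 64-character body lines."""
    body = base64.b64encode(der).decode("ascii")
    chunks = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(chunks)
            + "\n-----END CERTIFICATE-----\n")

def build_cacert_pem(ldif_text, attr="cACertificate"):
    """Produce the contents of cacert.pem (all certificates found, concatenated)."""
    return "".join(der_to_pem(der) for der in extract_der_certs(ldif_text, attr))

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der_list(pem_text):
    """Parse every PEM certificate block back into DER bytes (strict base64)."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in _PEM_BLOCK.findall(pem_text)]

def pem_looks_sane(pem_text):
    """Cheap check for a cacert.pem: at least one header/footer pair, each body
    decodes as base64, and each decoded blob starts with an ASN.1 SEQUENCE tag.
    This does not validate the certificate itself."""
    try:
        ders = pem_to_der_list(pem_text)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(ders) and all(d[:1] == b"\x30" for d in ders)

if __name__ == "__main__":
    pem = build_cacert_pem(SAMPLE_LDIF)
    print(pem, end="")
    print("sanity check:", "ok" if pem_looks_sane(pem) else "FAILED")
```

To use it with real data, feed it the LDIF text of the query that returned the CA certificate (for example the output of ldapsearch saved to a file) and write the returned string to /etc/openldap/certs/cacert.pem; then run the ldapsearch -ZZ check from the comment above against that file.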