1.2.4. Configuring Client TLS on Red Hat Enterprise Linux 4
The SSL/TLS settings are only required if you want to use SSL between the clients and the server when performing operations such as account lookups.
Modify the following in the /etc/ldap.conf file:
URI ldap://ipaserver.example.com
BASE dc=example,dc=com
HOST ipaserver.example.com
TLS_CACERTDIR /etc/cacerts/
TLS_REQCERT allow
Ensure that the directory you specify for TLS_CACERTDIR actually exists.
On the IPA server, export the CA certificate to ASCII using the certutil utility with the -a option. For example, to export the certificate with the nickname "CA certificate", use the following command:
# certutil -L -d /etc/dirsrv/slapd-INSTANCE -n "CA certificate" -a
If you elected to create a self-signed CA during the installation process, the CA certificate is also available on the server at http://ipaserver.example.com/ipa/errors/ca.crt
If you installed IPA using your own PKCS#12 files, this self-signed CA does not exist.
Copy this certificate to a temporary directory on the client machine, and install it in the /etc/cacerts directory as follows:
# cp cacert.asc /etc/cacerts/`openssl x509 -noout -hash -in cacert.asc`.0
The resulting file name is the hash of the contents of the certificate with a ".0" extension.
If the TLS_CACERTDIR directive does not work, point the client at the CA certificate file directly with the following directive in /etc/ldap.conf:
TLS_CACERT /etc/cacerts/cacert.asc
If more than one CA certificate is required, concatenate these certificates into a single file.
If you do not have access to the IPA server, you can still copy the CA certificate to the client.
Log in to the client machine, and become the root user.
Change to the directory where you need to install the CA certificate.
cd /etc/cacerts
Run the following command to copy the CA certificate from the server to the client:
wget http://ipaserver.example.com/ipa/errors/ca.crt
After you have copied the certificate, install it as described previously.
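Once the certificate is in place, the following shell snippet (an added example, not part of the Red Hat guide) audits an ldap.conf-style file for the directives configured above: it reports whether TLS_REQCERT will actually reject an unverifiable server certificate (only demand/hard do; allow, try and never accept it) and whether TLS_CACERTDIR or TLS_CACERT points at a usable CA store. The file path and the sample configurations in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: audit an ldap.conf-style file
# for the TLS directives discussed above. Directive names are matched
# case-insensitively and '#' lines are ignored.

# ldap_get DIRECTIVE FILE -> prints the value of the last matching line
ldap_get() {
    awk -v key="$1" '
        /^[[:space:]]*#/ { next }                  # comment line
        tolower($1) == tolower(key) { val = $2 }   # last occurrence wins
        END { if (val != "") print val }
    ' "$2"
}

# ldap_tls_audit FILE -> prints findings; returns 0 only when the client is
# configured to verify the server certificate against a local CA store
ldap_tls_audit() {
    conf="$1"; rc=0
    reqcert=$(ldap_get TLS_REQCERT "$conf" | tr 'A-Z' 'a-z')
    cadir=$(ldap_get TLS_CACERTDIR "$conf")
    cafile=$(ldap_get TLS_CACERT "$conf")

    # Only demand/hard make the client abort on an unverifiable certificate;
    # allow/try/never accept it, so the CA store is effectively unused.
    case "$reqcert" in
        demand|hard) echo "ok: TLS_REQCERT $reqcert" ;;
        *) echo "weak: TLS_REQCERT '${reqcert:-unset}' does not reject bad server certs"; rc=1 ;;
    esac

    if [ -n "$cadir" ]; then
        if [ -d "$cadir" ]; then
            # c_rehash-style names: <subject hash>.<N>, as created by the cp command above
            n=$(ls "$cadir" 2>/dev/null | grep -c '^[0-9a-f]\{8\}\.[0-9]$')
            if [ "$n" -gt 0 ]; then echo "ok: $n hash-named CA file(s) in $cadir"
            else echo "weak: $cadir contains no <hash>.N CA file"; rc=1; fi
        else
            echo "weak: TLS_CACERTDIR $cadir does not exist"; rc=1
        fi
    elif [ -n "$cafile" ]; then
        [ -r "$cafile" ] && echo "ok: TLS_CACERT $cafile" || { echo "weak: TLS_CACERT $cafile unreadable"; rc=1; }
    else
        echo "weak: neither TLS_CACERTDIR nor TLS_CACERT is set"; rc=1
    fi
    return $rc
}
```

Run it as `ldap_tls_audit /etc/ldap.conf` on the client; a non-zero exit means the client will still talk to a server whose certificate it cannot verify.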
Refer to http://directory.fedora.redhat.com/wiki/Howto:SSL for more information on TLS Client Configuration for Linux clients.