Joel just posted a great article titled
SSL and LDAP in Leopard about the pitfalls of using SSL secured LDAP servers in Leopard. As Joel mentions, Leopard now refuses to trust any and all SSL protected LDAP servers out of the box.
A few people have complained that Directory.app, and the the LDAPv3 plugin for DirectoryService don't honor the same purchased certificates that work just fine in their web browsers. Nor do they honor certificates signed by authorities listed in the x509Anchors keychain.
I'm not sure exactly where I personally stand on these very reasonable gripes, but I do know that it's relatively trivial to configure all of your clients to honor "legitimate" certificates signed by authorities such as VeriSign, GeoTrust, etc...
It's as simple as:
echo "TLS_CACERT /usr/share/curl/curl-ca-bundle.crt" >> \
/etc/openldap/ldap.conf
You may need to give DirectoryService a kick, with killall DirectoryService.
This works because Apple already distributes a long PEM encoded list of certificate authorities for use with the curl command line utility. We're able to leverage it's trusted certificate store.
Also be warned your Leopard workstations are now slightly more vulnerable than if you were to configure only the certification authorities you need to get your LDAP server trusted.
