The HOWTOs I used were:
The most annoying thing about openldap is that pretty much every bit of advice and howto on the Internet is for the old version that uses slapd.conf. In the new version (2.4) everything is stored in the LDAP database in ldif itself. So where is the advice about how to add the TLS config directives? Nowhere! Not only that, but ldapadd and ldapmodify are really difficult to use, with poor error messages if you screw up your ldif syntax.
You need to write a file tls_ldap.ldif:
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/demoCA/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/servercrt.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/serverkey.pem
Then run:
sudo ldapmodify -f tls_config.ldif -D cn=admin,cn=config -x -y /etc/ldap.secret
This assumes that the admin password is stored in /etc/ldap.secret - this is how the debian package installs ldap. Most advice on the internet tells you to look in slapd.conf for rootpw - retarded. Interestingly, after I disabled regular ldap in favour of ldaps below, I couldn't use ldapmodify anymore, even when I specified ldaps:// with the -H parameter. Had to re-enable regular ldap, run the command then turn it off again.
Add the following line to /etc/default/slapd (if you only want SSL then just use ldaps):
SLAPD_SERVICES="ldap:/// ldaps:///"
Restart slapd.
On the client you need to copy over the cacert, and add these lines to /etc/ldap.conf:
uri ldaps://myserver.fqdn.com/
tls_cacertfile /etc/ssl/ldapcacert.pem
tls_checkpeer no
I had to turn off tls_checkpeer, even though this shouldn't be necessary. The server wasn't giving any error logs, until I ran it manually in super debug mode:
sudo slapd -d -1 -g openldap -u openldap -h ldaps:/// -F /etc/ldap/slapd.d/
When it gave "unable to get TLS client DN". I figured out what the problem was: I was just using "myserver" in the URI, instead of the FQDN in the certificate. So make sure you put the same domain in your ldaps uri as appears in your certificate (should be fully qualified like "myserver.fqdn.com").