How to set up LDAP

I have several computers on a small network that I recently upgraded from 11.2 to 13.1. Previously I was using LDAP, without TLS, to maintain the users and passwords. After the upgrade I am trying to recreate the database but I am always getting connection problems. From what I’ve been able to figure out, somewhere along the way between 11.2 and 13.1 they made it mandatory for LDAP clients to connect to the server using TLS/SSL even if you uncheck the box in the YaST ldap client module. I’ve tried two things:
First, I tried to set up TLS/SSL certificates following the instructions at

and at

Depending on how I have the configuration setup it either gives me error

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)

or it says something about “hostname does not match CN in peer certificate”.
Second, I tried to patch up the client to work without TLS using the instructions at

That just plain didn’t work. It made the computer take forever to boot and login and still wouldn’t let me become one of the LDAP users.
Also, the very first symptom that I noticed on these computers is that if I have a bash shell up as root I can su to an LDAP user, but if I’m a local user and I try to su to an LDAP user it says something about “unable to authenticate”. So it sees the server and knows that the user exists, but it isn’t talking right.
Right now, the computer I am working on is both the LDAP server and a client. Once I get it working on this machine I’ll duplicate the configuration to the other computers.
Honestly if anyone could point me to a current manual on how to install LDAP or configure certificates that would be appreciated. Everything I have been able to find is mostly out of date. For instance I’ve found things that say to edit slapd.conf, but it isn’t being used anymore because the settings are stored in a back-end database.
Thanks for your help.

openSUSE offers a default /etc/openldap/ldap.conf file where you should configure a server and /etc/ldap.conf for configuring the client; you should be able to change the cn entry to match the certificate.

I got it back to the place where it gives me the CN error. I ran:

openssl genrsa -out /etc/pki/trust/anchors/private.pem 2048
openssl req -new -x509 -key /etc/pki/trust/anchors/private.pem -out /etc/pki/trust/anchors/yoda.pem -days 1095

When the “openssl req” command asked for the CN I entered “yoda.mei”
Then I started up the yast ldap server module and pointed it to the new certificate.
I added the line “cn yoda.mei” to /etc/openldap/ldap.conf and restarted the ldap service.
I copied the yoda.pem file to a common area, opened the yast ldap client module, and pointed it to the new certificate. It gives me the error

TLS: hostname does not match CN in peer certificate

I think I’m either entering the wrong thing for the CN or I’m using the wrong syntax in the ldap.conf file or both.

cn stands for common name or canonical name; “yoda.mei” doesn’t seem at first sight to fit that description.
I would assume that hostname refers to the site where the server is running, either /etc/HOSTNAME or a website.

That worked, thanks!
/etc/HOSTNAME says “yoda” so I re-ran all the steps from before, but entered “yoda” instead of “yoda.mei”. I accidentally forgot to update the cn entry in the ldap.conf file and it started giving me the self-signed error, but after fixing that it started working with no issues.
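As an added example (not from anyone in this thread), the following script reproduces the two errors seen above offline: it generates a self-signed certificate whose CN and subjectAltName match the server hostname, then uses openssl to check what a client sees when it verifies against the right name, against a mismatched name, and without trusting the certificate. It assumes OpenSSL 1.1.1 or newer and writes to a scratch directory; the hostname "yoda" is taken from the thread.

```shell
#!/bin/sh
# Added example, not part of the original posts. Requires openssl >= 1.1.1 (-addext).
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/private.pem"
CERT="$WORK/server.pem"

# Create a key and a self-signed certificate for HOST. Modern TLS clients check the
# subjectAltName rather than the CN, so both are set to the name clients will use.
make_cert() {
    host="$1"
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    openssl req -new -x509 -key "$KEY" -out "$CERT" -days 1095 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# Emulate a client that trusts the certificate (self-signed, so it is its own anchor)
# and connects using NAME. Prints "ok" or "mismatch" (the "hostname does not match" case).
check_hostname() {
    name="$1"
    if openssl verify -CAfile "$CERT" -verify_hostname "$name" "$CERT" >/dev/null 2>&1; then
        echo ok
    else
        echo mismatch
    fi
}

# Emulate a client whose trust store does not contain the certificate at all; this is
# the "certificate verify failed (self signed certificate)" case.
check_untrusted() {
    if openssl verify -no-CAfile -no-CApath "$CERT" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted
    fi
}

make_cert yoda
check_hostname yoda      # ok
check_hostname yoda.mei  # mismatch
check_untrusted          # untrusted
```

Run it once with the hostname clients actually resolve (here the contents of /etc/HOSTNAME) before pointing the YaST ldap client module at the new certificate, so a mismatch shows up here rather than at login.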