ldap_result: Can't contact LDAP server (-1)

Solution 1:

STARTTLS means "explicit TLS" where the connection is established on regular port and then STARTTLS command is sent to initiate SSL handshake and switch to protection mode.

To connect try add -Z or -ZZ switch to ldapsearch:

ldapsearch -x -d 1 -ZZ

is to get the client to use starttls

I am afraid OpenSSL does not support starttls for LDAP protocol now (see man page man s_client about -starttls parameter)

Solution 2:

Just to be clear about it: Did you configure the TLS usage in the OpenLDAP server?

You still need to set a few parameters. For reference, please check http://www.openldap.org/doc/admin24/tls.html#Server%20Configuration

From my understanding your client connects to the LDAP machine, but the LDAP machine does not know which certificate to deliver to the client.

Could you please verify or falsify my guess?