Fixed the SSL issue by adding the server cert to the mac's keychain and "trusting" it.

See:  http://people.ivec.uwa.edu.au/ashley.chew/fedora-ds/fedora-ds-26072006.html

The above procedure is a bit old, but the general idea works for Mac OS 10.10.

On 8/19/16 10:59 AM, Janet Houser wrote:
Hi folks,

I've been using 389-ds for about 6 months and have successfully configured various linux systems as LDAP clients (CentOS, Ubuntu, openSUSE, etc.).

I'm now trying to connect a Mac system (OS X 10.10) into the LDAP server and I'm getting a strange error. 

From Users & Groups, when I "Join" a "Network Account Server" and enter the FQDN of my 389-ds server, I'm given the message:

         "This server does not provide a secure (SSL) connection.   Do you want to continue?"

I've selected "yes" and moved forward with LDAPv3 with LDAP Mappings set to  RFC2307.

Using the mac dscl command, I can query users from the command line using:

             dscl     /LDAPv3/FQDN_of_server    -read     Users/testuser

In the 389 Management Console, under "Encryption", I have "Enable SSL for this server" and set "Allow client authentication".
The postfix groups I created resolve properly, and changing a test file to a specific uid / gid   will resolve properly to the name/group of
a user in the 389-ds database.

However, when a user tries to change their password, it fails with a generic "general failure" message.   The access log
on the 389-ds ldap server shows the following for the connection:

CONNECT fd=113 slot=113 connection from xxx.xx.xx.218 to xxx.xx.xx.4
EXT oid='" name = "startTLS"
RESULT err=0 tag=120 nentries=0 etime=0
DISCONNECT fd=113 closed - Encountered end of file

I believe the inability to change a user's password is link to the fact that the mac isn't speaking to the LDAP server using SSL,
but I'm not sure what I'm missing in the server configuration to allow the Mac to connect via SSL.

Any hints would be appreciated.