The intermediate CA certificate was not included in the certificate file
used by Samba, so LDAP/TLS connections would fail with a trust
validation error.
For reasons that totally elude me, Gitea LDAP authentication suddenly
stopped working, citing an error about not trusting the server's
certificate. I thought this was probably some change in a recent
version of Gitea or Go that changed how the system trust store was used,
but it turned out the problem was actually that Samba was not sending
the intermediate CA certificate. I am not sure if this was always the
case, and the fact that it worked before was a coincidence, or if
something changed in Samba. In any case, the fix was (apparently) to
include the intermediate and root CA certificates in the server
certificate file.
Since the same certificate is used for LDAPS and RADIUS (EAP-TLS), it
makes more sense to store it only once, with the later file as a symlink
to the former.
Dustin