Created 09-19-2017 11:40 AM
Way back when someone set up our Ambari Truststore (ambari-server-truststore.jks) and the Ranger Keystore (ranger-admin-keystore.jks). These files contain certificates for the domain controllers we use.
Lately I've been noticing some LDAP queries getting SSL handshake errors. I've tracked this down to the fact that some of the certificates for the DCs in the truststore/keystore have expired. This means I need to update the jks files with the new keys. Is there a script to do this for all of my domain controllers? Something using openssl and then importing with keytool? I've searched long and hard but to no avail. This must be a common task, someone must have a script.
Any suggestions?
Created 09-23-2021 07:26 AM
Make sure that the Ambari Server trusts the certificate that the LDAP server is using. One quick way to get that certificate directly is to use openssl to retrieve that certificate from the LDAP server, and then explicitly add it to a new keystore:
$ openssl s_client -showcerts -connect ldapserver.domain.com:636
You'll see the certificate printed in STDOUT, just look for BEGIN CERTIFICATE.
You will need to grab the entire certificate including the ----BEGIN and END ---- text, and save it to a file. In this case we'll call it ldap.cert.
Once this has been done you can follow 1.2.(1-3) steps in the doc to create a new JKS keystore and import that certificate to ensure that it's trusted by Ambari: http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.1/bk_Ambari_Security_Guide/content/_configure_...
Now you've got a JKS keystore with that certificate in it, you can tell Ambari to use that when connecting to your LDAP server using SSL by re-running the ambari-server setup-ldap. Just make sure you answer correctly for:
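The procedure in the answer above (openssl s_client to pull the certificate, save the PEM block, keytool to import it), turned into a repeatable script for a list of domain controllers. This is an added example, not code from the original thread or from Ambari/Ranger. It assumes openssl and keytool are on PATH, a host list with one DC hostname per line, and LDAPS on port 636. Unlike the answer, which imports the leaf certificate, the loop below imports the last certificate each DC presents (its issuer or CA) so that a routine leaf renewal does not force another import; call extract_pem_block 1 instead if you want the leaf exactly as the answer describes. The printed SHA-256 fingerprint is there so you can compare it against a value obtained out of band before trusting what came over the wire.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): refresh domain-controller certificates
# in a JKS truststore such as ambari-server-truststore.jks.
# Assumptions: openssl and keytool on PATH; LDAPS on port 636; one hostname
# per line in the host file; the alias used in the truststore is the hostname.
set -eu

# Number of PEM certificate blocks in the s_client output on stdin.
count_pem_blocks() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Print the N-th PEM certificate block (1 = leaf, last = issuer/CA) from stdin.
# Pure text processing, so it can be exercised without any network access.
extract_pem_block() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want && !finished        { print }
        /-----END CERTIFICATE-----/ && n == want { finished = 1 }
    '
}

# Fetch the certificate chain a server presents on a TLS port.
# stdin is /dev/null so s_client exits as soon as the handshake is done.
fetch_chain() {
    openssl s_client -showcerts -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null
}

# Replace (or create) the alias in a JKS truststore with the given PEM file.
refresh_alias() {
    local truststore=$1 storepass=$2 alias=$3 certfile=$4
    if keytool -list -keystore "$truststore" -storepass "$storepass" -alias "$alias" >/dev/null 2>&1; then
        keytool -delete -keystore "$truststore" -storepass "$storepass" -alias "$alias"
    fi
    keytool -importcert -noprompt -keystore "$truststore" -storepass "$storepass" \
        -alias "$alias" -file "$certfile"
}

main() {
    local truststore=$1 storepass=$2 hostfile=$3 tmp host n
    tmp=$(mktemp -d)
    cp "$truststore" "$truststore.bak.$(date +%s)"   # keep a copy before editing
    while read -r host; do
        [ -z "$host" ] && continue
        fetch_chain "$host" 636 > "$tmp/$host.chain"
        n=$(count_pem_blocks < "$tmp/$host.chain")
        if [ "$n" -eq 0 ]; then
            echo "no certificate received from $host" >&2
            continue
        fi
        # Last block = issuer/CA as presented by the server (use 1 for the leaf).
        extract_pem_block "$n" < "$tmp/$host.chain" > "$tmp/$host.pem"
        # Flag anything that expires within 30 days (-checkend takes seconds).
        if ! openssl x509 -in "$tmp/$host.pem" -noout -checkend $((30 * 86400)); then
            echo "warning: certificate from $host expires within 30 days" >&2
        fi
        # Print the fingerprint so it can be verified out of band before use.
        echo "$host: $(openssl x509 -in "$tmp/$host.pem" -noout -fingerprint -sha256)"
        refresh_alias "$truststore" "$storepass" "$host" "$tmp/$host.pem"
    done < "$hostfile"
    rm -rf "$tmp"
}

# Usage: ./refresh-dc-certs.sh /etc/ambari-server/keys/ambari-server-truststore.jks <storepass> dcs.txt
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

After the run, restart ambari-server (and re-run ambari-server setup-ldap if the truststore path or password changed) so the new trust anchors are picked up; the same refresh_alias call works against ranger-admin-keystore.jks when the Ranger side needs the same update.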