Howard Chu wrote:
>>> My thinking is that this somehow has something to do with the
>>> TLS_CACERT in /etc/openldap/ldap.conf (the certificate for the client).
>>>
>>
>> In general most folk don't need client certs, but AFAIK the openldap
>> ldapsearch _requires_ that you present a client cert.
>>
>
> Wrong. Client certs are only needed if you want to do
> certificate-based client authentication, and the default settings do
> not require them.

That's good to know. I remember spending a few days trying to persuade OL to do a non-cert-based-auth connection and ultimately failing, but I'm pleased to hear that it can.

> Of course, the TLS_CACERT directive, as the name suggests, is for
> setting the path to the CA cert, and by default it *is* required. I
> think your terminology is imprecise here, so that may be confusing the
> issue.

Yes, I was reading the OP's description: 'certificate for the client', and not the config directive name, which as you point out was actually for the CA cert.