Hi:

When I use SSL authentication in the LDAP client, if I set "TLSVerifyClient 
demand" on the OpenLDAP server side, then I get the error below

(if I set TLSVerifyClient to never/allow/try, I can log in, but there will be an 
authentication failure in the LDAP log)

LS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer 
did not return a certificate.
527b9a89 connection_read(16): TLS accept failure error=-1 id=1028, closing
527b9a89 connection_close: conn=1028 sd=16

Server config:
TLSCipherSuite   HIGH:MEDIUM:+SSLv2:+SSLv3
TLSCACertificateFile /opt/etc/openldap/cert/CA.crt
TLSCertificateFile /opt/etc/openldap/cert/ldap1.test.com.crt
TLSCertificateKeyFile /opt/etc/openldap/cert/ldap1.test.com.key
TLSVerifyClient demand

Client config:
uri  ldaps://ldap1.test.com:636
bind_policy soft
ldap_version 3
base dc=test,dc=com
TLS_CACERT        /opt/etc/openldap/CA.crt
TLS_CERT          /opt/etc/openldap/ldap1.test.com.crt
TLS_KEY           /opt/etc/openldap/ldap1.test.com.key
TLS_REQCERT     demand

Any ideas?
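One way to check the client side of this handshake independently of the LDAP client library, as an added example that is not part of the original post: it verifies that the client certificate chains to the CA file the server trusts, that the key matches the certificate, and that an `openssl s_client` connection which presents the certificate completes against the server. The paths, host and port are taken from the post; everything else is assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Checks the client certificate,
# key and a mutual-TLS handshake without involving the LDAP client library.
# Paths/host/port are the ones from the post; adjust to your own deployment.
CA=/opt/etc/openldap/CA.crt
CERT=/opt/etc/openldap/ldap1.test.com.crt
KEY=/opt/etc/openldap/ldap1.test.com.key
HOST=ldap1.test.com
PORT=636

# Does the client certificate chain to the CA in the server's
# TLSCACertificateFile? Usage: check_chain <ca.crt> <client.crt>
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the private key belong to the certificate? Compare the public key
# embedded in the certificate with the one derived from the key.
# Usage: check_keypair <client.crt> <client.key>
check_keypair() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl md5)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl md5)
    [ -n "$c" ] && [ -n "$k" ] && [ "$c" = "$k" ]
}

# Full handshake against the ldaps port. With -cert/-key, s_client answers the
# server's certificate request; with "TLSVerifyClient demand" the server aborts
# the handshake if no certificate is presented, which is the error in the post.
# Usage: check_handshake (uses the variables above)
check_handshake() {
    printf '' | openssl s_client -connect "$HOST:$PORT" \
        -CAfile "$CA" -cert "$CERT" -key "$KEY" 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}
```

Run `check_chain "$CA" "$CERT" && check_keypair "$CERT" "$KEY" && check_handshake` on the client host; if the first two pass but the handshake fails, the LDAP client library is not sending the certificate, and the library's own TLS directives (not the paths) are the place to look.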
