Full_Name: Philip Guenther Version: 2.4.39 OS: OpenBSD URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (76.253.0.176)
The ldap.conf(5) manpage says this about TLS_REQCERT TLS_REQCERT <level> Specifies what checks to perform on server certificates in a TLS session, if any. The <level> can be specified as one of the following keywords: ...
try The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.
demand | hard These keywords are equivalent. The server certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated. This is the default setting.
In testing, I can find no difference in behavior between the 'try' and 'hard' keywords. For the ldap* tools, both 'try' and 'hard' seem to place the same requirements on the server. What does "if no certificate is provided" *mean* in terms of server and/or client configuration?