https://bugs.openldap.org/show_bug.cgi?id=10065
--- Comment #24 from sean@teletech.com.au ---
(In reply to Ondřej Kuzník from comment #23)
> Why do you need the same certificate for someone's inbound traffic and the one they use to identify themselves to OpenLDAP (client certificate)?
Not some-one, some-thing. My client certs are regular machine certs. Actual account authentication is done with passwords (stored in the LDAP database). The public CA certs are for machines that commodity user agents connect to. They are public CA certs so I don't have to install the private root CA all over the place. So the machines have a certificate to identify themselves with, just sitting there; why not use it to authenticate with LDAP?
I don't _need_ to use the same certs in both directions but if I have to choose between running a proxy and running a private CA, I'll run the proxy.
> BTW we should move this part of the discussion to -technical.
How? I'm not on any mailing list.