Full_Name: Quanah Gibson-Mount
Version: 2.4.30
OS: Linux 2.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.108.184.39)
From the manual page:
olcTLSVerifyClient: <level> Specifies what checks to perform on client certificates in an incoming TLS session, if any. The <level> can be specified as one of the following keywords:
never This is the default. slapd will not ask the client for a certificate.
allow The client certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally.
try The client certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.
demand | hard | true These keywords are all equivalent, for compatibility reasons. The client certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.
Note that a valid client certificate is required in order to use the SASL EXTERNAL authentication mechanism with a TLS session. As such, a non-default olcTLSVerifyClient setting must be chosen to enable SASL EXTERNAL authentication.
However, the code has:
    static slap_verbmasks vfykeys[] = {
        { BER_BVC("never"),  LDAP_OPT_X_TLS_NEVER },
        { BER_BVC("demand"), LDAP_OPT_X_TLS_DEMAND },
        { BER_BVC("try"),    LDAP_OPT_X_TLS_TRY },
        { BER_BVC("hard"),   LDAP_OPT_X_TLS_HARD },
        { BER_BVNULL, 0 }
    };
Which means:
a) allow is missing
b) true is missing
c) demand and hard set different flags. Not sure if that means any difference functionality-wise, but according to the manual page, demand/true/hard are supposed to be the same behavior.
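As an added illustration, not taken from the report or from OpenLDAP's source, the following C check models the verb-table lookup and compares it against the keywords the manual page lists, so a missing keyword shows up as a lookup failure instead of a rejected configuration at deploy time. The level constants are local stand-ins for the LDAP_OPT_X_TLS_* values, and mapping "true" to the same level as "hard" in the corrected table is an assumption made for the example; same_level compares only the parsed value, not slapd's runtime handling of it.

```c
#include <stddef.h>
#include <string.h>

/* Stand-ins for libldap's LDAP_OPT_X_TLS_* verify levels; the numeric
 * values are illustrative and not copied from ldap.h. */
enum { TLS_NEVER, TLS_HARD, TLS_DEMAND, TLS_ALLOW, TLS_TRY };

struct verb { const char *name; int mask; };

/* The vfykeys table exactly as quoted in the report. */
static const struct verb vfykeys_reported[] = {
    { "never", TLS_NEVER }, { "demand", TLS_DEMAND },
    { "try",   TLS_TRY },   { "hard",   TLS_HARD },   { NULL, 0 }
};

/* A table covering every keyword the manual page lists. Mapping "true"
 * to the same level as "hard" is an assumption made for this example. */
static const struct verb vfykeys_documented[] = {
    { "never",  TLS_NEVER },  { "allow", TLS_ALLOW }, { "try",  TLS_TRY },
    { "demand", TLS_DEMAND }, { "hard",  TLS_HARD },  { "true", TLS_HARD },
    { NULL, 0 }
};

/* Every <level> keyword the manual page documents. */
static const char *const documented_levels[] =
    { "never", "allow", "try", "demand", "hard", "true", NULL };

/* Resolve a keyword the way a verb-mask lookup does: -1 when unknown. */
int verb_to_mask(const struct verb *tab, const char *word) {
    for (; tab->name != NULL; tab++)
        if (strcmp(tab->name, word) == 0)
            return tab->mask;
    return -1;
}

/* Count documented keywords the table rejects, storing up to cap names. */
int missing_keywords(const struct verb *tab, const char **missing, int cap) {
    int n = 0;
    for (const char *const *k = documented_levels; *k != NULL; k++)
        if (verb_to_mask(tab, *k) < 0) {
            if (n < cap) missing[n] = *k;
            n++;
        }
    return n;
}

/* 1 if both keywords parse to the same level, 0 if they differ or are unknown. */
int same_level(const struct verb *tab, const char *a, const char *b) {
    int ma = verb_to_mask(tab, a), mb = verb_to_mask(tab, b);
    return ma >= 0 && ma == mb;
}
```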