On Aug 15, 2007, at 9:00 AM, Frank Cornelissen wrote:
Hello all,
Why does slapd require a peer/client certificate? I'm running slapd 2.3.30 on Debian (package 2.3.30-5 to be precise).
When connecting with SSL to slapd using
ldapsearch -H ldaps://artemis.t310.org -b dc=t310,dc=org -x
I get the following error from slapd (started with -d 8):
TLS: can't accept. TLS: error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2455
<snip>
After some debugging, this seems to be caused by the fact that on this machine libnss-ldap is enabled. This library will be loaded and will set some libldap options which seem to be global and thus interfering with the options from slapd. Anybody got an idea how to solve this, apart from setting up a separate machine for openldap?
Thanks in advance,
Frank Cornelissen