JoyDeep, If I understand the slapd manpage, TLSVERIVYCLIENT demand requires the the client have a valid certificate for authentication to the server. Have you configured ldap.conf with client certificate information?
This is not to be confused with the 'TLS_REQCERT demand' directive in the ldap.conf which can direct the client to require the server certificate to be valid
\Greg
JOYDEEP wrote:
dear list,
I have no problem to execute the command
ldapsearch -H ldaps:// -u "uid=anupam" -x
here is my TLS part of slapd.conf
TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCertificateFile /etc/openldap/myca/servercert.pem TLSCertificateKeyFile /etc/openldap/myca/serverkey.pem TLSCACertificateFile /etc/openldap/myca/cacert.pem TLSVerifyClient never
Now when I change the [TLSVerifyClient never] to [TLSVerifyClient demand] and try to execute the same command * ldapsearch -H ldaps:// -u "uid=anupam" -x * it gives errors like
ldap_bind: Can't contact LDAP server (-1) additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Could any one suggest the problem I have here and the solution please ?