On Thu, 11 May 2023, Christopher Paul wrote:
-----Original Message-----
From: terry.lemons@dell.com <terry.lemons@dell.com>
Sent: Thursday, May 11, 2023 1:10 PM
To: openldap-technical@openldap.org
Subject: Re: Debugging TLS negotiation failure
I'm using a self-signed server certificate, so no CA should be involved.
As Jeffery Walton observed, self-signed means the server's cert *IS* the CA you need.
Not sure if that is causing the problem?
Try prepending to your ldapsearch:
"LDAPTLS_REQCERT=allow ldapsearch ..."
To be clear, that setting disables the client's authentication of the server: no protection from active attacks, back to "trust the network layer". This is only useful for confirming that everything _except_ the CA/cert setup is fine.
Philip Guenther
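An added example, not part of the thread, that shows the two points made above with openssl instead of a live LDAP server: a self-signed certificate is its own CA (so the client has to be given that very certificate as its trust anchor), and a client that has no trust anchor, or that is told to "allow" an unverifiable certificate, cannot tell the real server's certificate from an attacker's with the same name. The hostname and both certificates are constructed on the fly; the ldapsearch command lines at the end are the thread's, quoted for reference and not executed.

```shell
#!/bin/sh
# Added example (not code from the thread): why a self-signed server cert
# is its own CA, and why LDAPTLS_REQCERT=allow is only a diagnostic.
# Everything below (hostname, keys, certs) is constructed test material.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SERVER_NAME=ldap.example.test   # hypothetical server name

# Make a self-signed certificate with a fresh key. The "attacker" one
# reuses the same subject to show that the name alone proves nothing.
make_self_signed() {
    # $1 = output basename under $WORK
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$SERVER_NAME" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Emulate the client's check with an explicit trust anchor, which is what
# libldap does when TLS_CACERT / LDAPTLS_CACERT is set and TLS_REQCERT is
# "demand". Prints "trusted" or "rejected".
verify_against() {
    # $1 = trust anchor (CA file), $2 = certificate presented by the server
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

# Verification against the default CA store only: what happens when no
# CA file is configured. A self-signed cert is not in any store.
verify_with_system_store() {
    if openssl verify "$1" >/dev/null 2>&1; then echo trusted; else echo rejected; fi
}

# SHA-256 fingerprint, to be compared out of band with the server admin
# before the cert is installed as a trust anchor.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

make_self_signed server
make_self_signed attacker

echo "system store,   real server cert: $(verify_with_system_store "$WORK/server.crt")"              # rejected
echo "own cert as CA, real server cert: $(verify_against "$WORK/server.crt" "$WORK/server.crt")"    # trusted
echo "own cert as CA, attacker's cert:  $(verify_against "$WORK/server.crt" "$WORK/attacker.crt")"  # rejected
echo "server cert fingerprint: $(cert_fingerprint "$WORK/server.crt")"

# The two ldapsearch invocations from the thread, for reference only (they
# need a live LDAP server and are not run here):
#   diagnostic only, the server is NOT authenticated:
#     LDAPTLS_REQCERT=allow ldapsearch -H "ldaps://$SERVER_NAME" ...
#   the fix: trust the server's own cert as the CA and insist on a match:
#     LDAPTLS_REQCERT=demand LDAPTLS_CACERT="$WORK/server.crt" ldapsearch -H "ldaps://$SERVER_NAME" ...
```

The third line of output is the one that matters for the "active attacks" remark: with the server's own certificate as the trust anchor, a different self-signed certificate carrying the same CN is rejected, whereas under LDAPTLS_REQCERT=allow it would be accepted without any check. The same file that makes the verification pass is the one to install permanently as TLS_CACERT in ldap.conf (or LDAPTLS_CACERT in the environment), with TLS_REQCERT left at its default of demand.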