I was recently asked if we could use ssl client certs as a 2nd form
of authentication with OpenLDAP and didn't know for sure. Is it
possible to have OpenLDAP require both a DN/password pair *and* a client
Just to see if I could make any form of client cert authentication
work, I took a test-bed instance of OpenLDAP and added this line to
Then I created a self-signed ssl cert, converted it to a .der binary
file, then added it to an LDAP record's userCertificate attribute with this:
Then I found my ldap client of choice doesn't seem to have an option
to authenticate via client certs, and didn't see any command line
options for ldapsearch for specifying a client ssl cert/key pair. So I
edited ~/.ldaprc and added:
But when I run ldapsearch -x with no -D and -W options, it's clearly
still just binding anonymously. When I run ldapsearch -x with a -D and
no -W option it says I can't bind without a password. :-) So... I'm
clearly missing something here.
How do I get ldapsearch to try to authenticate with the SSL cert?
Or is it possibly trying but failing because slapd can't validate the
self-signed client cert I made? It's definitely finding and using my
.ldaprc file because I can change BASE, PORT, and HOST settings in there
and don't have to specify 'em on the command line afterwards, but as
near as I can tell it's not using the client cert.