Dan White dwhite@olp.net wrote:
Try:
TLS_REQCERT: try
In this case, EXTERNAL should only be offered after successful TLS negotiation, or over a unix domain socket.
If TLS negotiation fails, then a SASL bind won't work without selecting another mechanism.
But ldap.conf(5) says "The server certificate is requested. If no certificate is provided, the session proceeds normally.", which suggests that the TLS negotiation may succeed without a server certificate being sent. Is that wrong?