-----Original Message-----
From: Philip Guenther pguenther@proofpoint.com
Sent: Thursday, May 11, 2023 2:06 PM
To: Christopher Paul chris.paul@rexconsulting.net
Cc: terry.lemons@dell.com; openldap-technical@openldap.org
Subject: RE: Debugging TLS negotiation failure
Not sure if that is causing the problem?
Try prepending to your ldapsearch:
"LDAPTLS_REQCERT=allow ldapsearch ..."
To be clear, that setting disables the client's authentication of the server: no protection from active attacks, back to "trust the network layer". This is only useful for confirming that everything _except_ the CA/cert setup is fine.
Yes, 100% agree. TLS in production should be used for encryption AND verification, and so in production you should use a signed cert and LDAPTLS_REQCERT=demand.
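The two-step check the thread describes (probe once with LDAPTLS_REQCERT=allow to rule out transport problems, then again with demand to isolate the CA/certificate setup), written out as a small POSIX sh script. This is an added example, not code from either poster or from the OpenLDAP project; it assumes the OpenLDAP client tools (ldapsearch) are on PATH, and the server URI, base DN and CA bundle path below are constructed placeholders to be replaced.

```shell
#!/bin/sh
# Added example: isolate a TLS negotiation failure to either the transport
# or the certificate-verification layer. Placeholder values, to be replaced:
LDAP_URI="${LDAP_URI:-ldaps://ldap.example.test}"        # constructed placeholder
BASE_DN="${BASE_DN:-dc=example,dc=test}"                 # constructed placeholder
CA_FILE="${CA_FILE:-/etc/ssl/certs/example-ca.pem}"     # constructed placeholder

# One probe with the given LDAPTLS_REQCERT value (allow or demand).
# Returns ldapsearch's exit status; 0 means the bind and base search worked.
# LDAPTLS_CACERT points the client at the CA that signed the server cert,
# which is what "demand" needs in order to succeed.
tls_probe() {
    reqcert="$1"
    LDAPTLS_REQCERT="$reqcert" LDAPTLS_CACERT="$CA_FILE" \
        ldapsearch -H "$LDAP_URI" -x -b "$BASE_DN" -s base '(objectClass=*)' \
        >/dev/null 2>&1
}

# Classify the pair of exit statuses. Only "allow works, demand fails"
# points at the CA/cert setup; "allow fails" means the problem is below
# certificate verification (network, port, TLS version, ciphers).
classify() {
    allow_rc="$1"
    demand_rc="$2"
    if [ "$allow_rc" -ne 0 ]; then
        echo "transport"   # fails even with verification off
    elif [ "$demand_rc" -ne 0 ]; then
        echo "trust"       # only verification fails: CA bundle, chain, hostname/SAN
    else
        echo "ok"          # verification works; keep demand in production
    fi
}

main() {
    tls_probe allow
    allow_rc=$?
    tls_probe demand
    demand_rc=$?
    echo "diagnosis: $(classify "$allow_rc" "$demand_rc")"
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh probe.sh --run`. Whatever the diagnosis, the "allow" setting never leaves the diagnostic session: the persistent equivalents for production are `TLS_REQCERT demand` and `TLS_CACERT /path/to/ca.pem` in ldap.conf(5), which is the same trust model the script's "demand" probe exercises.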