On Tue, 13 Mar 2012, Peter Wood wrote:
> Also I tried all variations of olcTLSVerifyClient: [demand|hard|true] with the same result.
olcTLSVerifyClient: <level> Specifies what checks to perform on client certificates in an incoming TLS session, if any. <...>
Note the "if any" part. That config option says, "If the client negotiates TLS, whether because it's connecting via an ldaps connection or used the StartTLS operation on an ldap connection, then these are the requirements regarding client certificates."
If the client connects via ldap (or ldapi) and doesn't use the StartTLS operation, then the olcTLSVerifyClient setting HAS NO EFFECT.
If you want the server to reject authentication requests that don't use TLS, then you need to look at the olcSecurity setting. To quote the manpage:
olcSecurity: <factors>
    Specify a set of security strength factors (separated by white space) to require (see olcSaslSecprops's minssf option for a description of security strength factors). The directive may be specified globally and/or per-database.
    ssf=<n> specifies the overall security strength factor.
    transport=<n> specifies the transport security strength factor.
    tls=<n> specifies the TLS security strength factor.
    sasl=<n> specifies the SASL security strength factor.
    update_ssf=<n> specifies the overall security strength factor to require for directory updates.
    update_transport=<n> specifies the transport security strength factor to require for directory updates.
    update_tls=<n> specifies the TLS security strength factor to require for directory updates.
    update_sasl=<n> specifies the SASL security strength factor to require for directory updates.
    simple_bind=<n> specifies the security strength factor required for simple username/password authentication.
    Note that the transport factor is a measure of security provided by the underlying transport, e.g. ldapi:// (and eventually IPSEC). It is not normally used.
Philip Guenther
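A worked cn=config change that applies the advice above, added here as an example; it is not part of Philip's message or the OpenLDAP manpage. It assumes a slapd running with the cn=config backend and uses constructed values: an overall SSF of 128 (roughly a 128-bit cipher), the same floor for simple binds, and client-certificate verification left at demand for the sessions that do negotiate TLS.

```ldif
# Added example, not from the original thread. Apply with something like:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f require-tls.ldif
# Values below (128) are constructed; pick the SSF your cipher policy demands.
dn: cn=config
changetype: modify
replace: olcSecurity
# ssf=128: every operation, on every connection, needs at least 128 bits of
#          protection, so a plain ldap:// session that never issued StartTLS
#          is refused before any bind or search is processed.
# simple_bind=128: a username/password bind is refused unless the session
#          already has that much protection, which keeps cleartext passwords
#          off the wire even if ssf= is later relaxed.
olcSecurity: ssf=128 simple_bind=128
-
replace: olcTLSVerifyClient
# Only consulted once TLS is negotiated; olcSecurity is what forces that.
olcTLSVerifyClient: demand
```

After the change, a client that binds over ldap:// without StartTLS should be turned away with LDAP result code 13 ("Confidentiality required"), which is the quickest check that the floor is in force. Two caveats for the values chosen: the ldapi:// socket counts toward the transport factor through olcLocalSSF (default 71), so an overall ssf of 128 also locks out local socket clients, including the ldapmodify invocation above, unless olcLocalSSF is raised first; and because olcSecurity can be set per database as well as globally, check that no database entry carries a weaker setting than the global one.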