I set up an openldap-2.4.23 server on CentOS 6.2 using cn=config. The server itself doesn't authenticate through LDAP. Network clients are able to authenticate, but the network traffic is unencrypted.

The next step is to configure SSL/TLS. I was reading multiple sources of documentation, trying to understand what I'm doing and not just follow instructions. I created a CA, generated a certificate for the server and set these up in cn=config:

olcTLSCACertificateFile: /etc/openldap/cacerts/CA.crt
olcTLSCertificateFile: /etc/pki/tls/certs/ldapserver.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldapserver-nopass.key
olcTLSVerifyClient: demand

I was expecting that after a slapd restart clients would no longer be able to authenticate, but they still can and the traffic is still unencrypted. On the server, if I run tcpdump I can clearly see usernames and passwords.

The slapd service is running as user ldap and I made sure that user has read access to all cert files and private keys. I enabled logging with "olcLogLevel: stats" but I don't see any errors in the log file.

Shouldn't "olcTLSVerifyClient: demand" drop the connection if the client doesn't provide a valid certificate?

Thank you for any pointers.
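Added example, not part of the original post: a POSIX sh script that probes the situation described above (TLS configured on the server, but plaintext sessions still served) and generates the cn=config change that makes slapd refuse unprotected operations. The server URI ldap://ldap.example.test, root access to cn=config over ldapi:/// with SASL EXTERNAL, and the file name ldap_tls_check.sh are assumptions of this example, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post. It checks whether slapd actually
# negotiates TLS and, when plaintext is still accepted, produces the cn=config
# change that requires a protected session for every operation. Assumed values
# (not from the post): the server URI ldap://ldap.example.test and root access
# to cn=config over ldapi:/// with SASL EXTERNAL.
set -u

LDAP_URI="${LDAP_URI:-ldap://ldap.example.test}"
CONFIG_URI="${CONFIG_URI:-ldapi:///}"

# olcTLSVerifyClient only governs the certificate check inside a TLS handshake;
# a client that never starts TLS on port 389 is not affected by it at all.
# olcSecurity sets a minimum security strength factor for every operation
# except StartTLS itself, so unprotected sessions are answered with
# "confidentiality required" (LDAP result 13). olcLocalSSF is raised first so
# the ldapi:// session used for administration still meets the requirement.
require_tls_ldif() {
  cat <<'EOF'
dn: cn=config
changetype: modify
replace: olcLocalSSF
olcLocalSSF: 128
-
replace: olcSecurity
olcSecurity: ssf=128
EOF
}

# Returns 0 if StartTLS succeeds; -ZZ makes ldapsearch abort when it does not.
# With olcTLSVerifyClient set to demand, the probing client itself must present
# a certificate (TLS_CERT / TLS_KEY in ldap.conf or ~/.ldaprc), otherwise the
# handshake is rejected by design and this probe reports a failure.
check_starttls() {
  ldapsearch -x -ZZ -H "$LDAP_URI" -b "" -s base namingContexts >/dev/null 2>&1
}

# Returns 0 if the server still answers a plain, unprotected query, which is
# the situation tcpdump exposed in the post: credentials visible on the wire.
check_plaintext_allowed() {
  ldapsearch -x -H "$LDAP_URI" -b "" -s base namingContexts >/dev/null 2>&1
}

# Turn the two probe results ("ok" or "fail") into a verdict.
verdict() {
  case "$1/$2" in
    fail/fail) echo "unreachable-or-misconfigured" ;; # nothing answers: check listener, firewall, slapd -d -1
    fail/ok)   echo "tls-broken" ;;    # plaintext works, TLS does not: check olcTLS* paths and key permissions
    ok/ok)     echo "tls-optional" ;;  # TLS works but clients may skip it: apply require_tls_ldif
    ok/fail)   echo "tls-required" ;;  # only protected sessions are served
    *)         echo "unknown" ;;
  esac
}

# Apply the LDIF above to the running cn=config over the local socket.
apply_require_tls() {
  require_tls_ldif | ldapmodify -Q -Y EXTERNAL -H "$CONFIG_URI"
}

main() {
  if check_starttls; then s=ok; else s=fail; fi
  if check_plaintext_allowed; then p=ok; else p=fail; fi
  v=$(verdict "$s" "$p")
  echo "starttls=$s plaintext=$p verdict=$v"
  if [ "$v" = "tls-optional" ] && [ "${1:-}" = "--enforce" ]; then
    apply_require_tls && echo "olcSecurity applied; re-run the probe to confirm plaintext=fail"
  fi
}

# Probes run only when invoked explicitly:  sh ldap_tls_check.sh probe [--enforce]
if [ "${1:-}" = "probe" ]; then
  main "${2:-}"
fi
```

After applying the change, the plaintext probe should fail and a StartTLS or ldaps:// session should keep working; the verdict then changes from tls-optional to tls-required, which is the behaviour the post expected olcTLSVerifyClient alone to produce.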