Hello,
quoting ldap.conf(5):
TLS_REQCERT <level>
...
try    The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.
...
I'd like to test the "If no certificate is provided" part, but can't manage to do so. I tried configuring the server to 1) not use any CA certificate or server certificate, 2) only use the CA certificate without any server certificate, 3) specify a CA certificate dir with no certs in it, 4) specify a CA certificate dir with a valid CA cert and no server certs.
In every case, the client (ldapsearch) doesn't even connect to the server, reporting either "SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure" or simply failing to connect with "Can't contact LDAP server (-1)". The server is listening on both ldap and ldaps. I tested this using both ldaps and StartTLS.
That leads me to the conclusion that what I'm trying to achieve is not achievable and that the manpage should be changed.
Is the manpage wrong or is there any other way I can test the client with no server certificate provided?
Cheers,