Hello all,
Why does slapd require a peer/client certificate? I'm running slapd 2.3.30 on
debian (package 2.3.30-5 to be precise).
When connecting with ssl to slapd using
ldapsearch -H ldaps://artemis.t310.org -b dc=t310,dc=org -x
I get the following error from slapd (started with -d 8):
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2455
When connecting to the same host but with the ldap protocol (vs
ldaps) the search results correctly.
This error seems like somehow slapd wants to get a client certificate,
but I did not set slapd up that way. The ldap.conf on the client
machines only contains the CA certificate field:
TLS_CACERT /usr/share/ca-certificates/t310/t310_pem.crt
Relevant parts from slapd.conf (included in total at the end of
message):
TLSCertificateFile /etc/ldap/artemis-ldap-cert.pem
TLSCertificateKeyFile /etc/ldap/artemis-ldap-key.pem
TLSCACerticateFile /usr/share/ca-certificates/t310/t310_pem.crt
#TLSVerifyClient never
#TLSCRLCheck none