On 03/13/2012 12:03 PM, Peter Wood wrote:
Yes, it is.
Can you provide the exact command line you are using to test the server connection? Note that if the client is using regular LDAP and not LDAPS or LDAP+startTLS, the olcTLSVerifyClient: demand setting does nothing.
If you are trying to make the client always use SASL/EXTERNAL auth with a valid client cert, you must first force the server to reject any non-TLS/SSL connection using the sasl-secprops minssf setting.
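
The two settings named in this message, written as a single change against cn=config. This is an added example, not part of the original thread; the minssf value of 128 and the noanonymous,noplain flags are assumed values, and the attribute name olcSaslSecProps is the cn=config form of the sasl-secprops directive.

```ldif
# Added example: constructed change record, values are assumptions.
# olcTLSVerifyClient: demand  -> a TLS/SSL session must present a valid client cert.
# olcSaslSecProps minssf=128  -> SASL binds below this security strength are refused
#                                (128 is an assumed threshold, adjust to policy).
dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: demand
-
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=128
```

Load it with ldapmodify as the config administrator, then repeat the connection test once over plain LDAP and once with startTLS or LDAPS to confirm that only the TLS-protected session with a client certificate binds.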