Hello, I am running openldap 2.4.41 and I've failed to set up client certificate validation. TLS works well until olcTLSVerifyClient is set to demand. Then I see

    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

at the client side, and

    connection_read(11): TLS accept failure error=-1 id=1021, closing

at the server side. So, I've configured /etc/openldap/ldap.conf as follows to provide the client TLS certificate paths:

    TLS_CACERT /path/to/myroot.pem
    TLS_CACERTDIR /var/lib/ca-certificates/pem/
    TLS_CERT /path/to/my.crt
    TLS_KEY /path/to/my.key

However, when I run openssl s_server -Verify 0 -accept 636 ... I see the following:

    ERROR
    140680155473552:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:3309:
    shutting down SSL
    CONNECTION CLOSED
    ACCEPT

So, this means that ldapsearch doesn't send out its client certificate. I've also checked with the strace tool that it doesn't even access the certificate file. So, I am a little stuck here. I understand that I am doing something wrong, but I cannot figure out what.