On Thu, 11 May 2023, Christopher Paul wrote:
> > -----Original Message-----
> > From: terry.lem...@dell.com <terry.lem...@dell.com>
> > Sent: Thursday, May 11, 2023 1:10 PM
> > To: openldap-technical@openldap.org
> > Subject: Re: Debugging TLS negotiation failure
> > 
> > I'm using a self-signed server certificate, so no CA should be 
> > involved.

As Jeffery Walton observed, self-signed means the server's cert *IS* the 
CA you need.


> >  Not sure if that is causing the problem?
> 
> Try prepending to your ldapsearch:
> 
> "LDAPTLS_REQCERT=allow ldapsearch ..."

To be clear, that setting disables the client's authentication of the 
server: no protection from active attacks, back to "trust the network 
layer".  This is only useful for confirming that everything _except_ the 
CA/cert setup is fine.


Philip Guenther
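
Added example, not part of the original message: a shell sketch of the point above that a self-signed server certificate is itself the CA the client must be given, which allows strict checking instead of `LDAPTLS_REQCERT=allow`. The host name `ldap.example.test`, the file names and the helper functions are assumptions made up for the demo; the certificates are throwaway ones generated on the spot with `openssl`.

```shell
#!/bin/sh
# Constructed demo: a self-signed certificate is its own trust anchor.
# ldap.example.test and all file names are placeholders, not from the thread.

# make_selfsigned <cn> <prefix>: write a throwaway self-signed <prefix>.crt/.key
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# trusts <ca-file> <cert>: succeed only if <cert> verifies against <ca-file>
trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    demo_dir=$(mktemp -d) || return 1
    make_selfsigned ldap.example.test "$demo_dir/server"  # the server's cert
    make_selfsigned ldap.example.test "$demo_dir/other"   # same name, other key

    # Using the server's own cert as the CA file: verification succeeds.
    if trusts "$demo_dir/server.crt" "$demo_dir/server.crt"; then
        echo "server cert with itself as CA: accepted"
    fi
    # A different self-signed cert claiming the same name is rejected,
    # which is the check that REQCERT=allow would skip.
    if ! trusts "$demo_dir/server.crt" "$demo_dir/other.crt"; then
        echo "look-alike cert: rejected"
    fi
    rm -rf "$demo_dir"
}

demo

# The equivalent strict client invocation, with the server's certificate
# copied to the client as server.crt (placeholder path and host):
#   LDAPTLS_CACERT=server.crt LDAPTLS_REQCERT=demand \
#       ldapsearch -H ldaps://ldap.example.test -x -b "" -s base
```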
