You'd better ask OpenLDAP questions on the openldap-technical mailing list:
http://www.openldap.org/lists/

Ciao, Michael.

Robbie Mingfu Zhang wrote:
> Hi:
>
> If I set the "TLSVerifyClient demand" on openldap server side, then I'll get
> below error
>
> (set TLSVerifyClient as never/allow/try, I can login, but will have
> authentication failure in LDAP log)
>
> LS trace: SSL3 alert write:fatal:handshake failure
> TLS trace: SSL_accept:error in SSLv3 read client certificate B
> TLS trace: SSL_accept:error in SSLv3 read client certificate B
> TLS: can't accept: error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate.
> 527b9a89 connection_read(16): TLS accept failure error=-1 id=1028, closing
> 527b9a89 connection_close: conn=1028 sd=16
>
> Server config:
> TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3
> TLSCACertificateFile /opt/etc/openldap/cert/CA.crt
> TLSCertificateFile /opt/etc/openldap/cert/ldap1.test.com.crt
> TLSCertificateKeyFile /opt/etc/openldap/cert/ldap1.test.com.key
> TLSVerifyClient demand
>
> Client config:
> uri ldaps://ldap1.test.com:636
> bind_policy soft
> ldap_version 3
> base dc=test,dc=com
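The following is an added example, not code from the thread or from OpenLDAP. It encodes the TLSVerifyClient policy table from slapd.conf(5) (never / allow / try / demand, with hard and true as aliases of demand), checks the two config fragments quoted in the post against it, and scans slapd log lines for the "TLS accept failure" record. The function names, the tiny config parser, the repaired client fragment and its /etc/ldap/ paths are my own assumptions; the server and client fragments and the log lines are copied from the quoted post.

```python
import re

# Policy table from slapd.conf(5); "hard" and "true" are aliases of "demand".
_DEMAND_ALIASES = {"demand", "hard", "true"}


def verify_client_outcome(policy, cert_presented, cert_valid=True):
    """Return "accept" or "reject" for one handshake under TLSVerifyClient=policy.

    cert_presented: the client sent a certificate during the handshake.
    cert_valid:     that certificate chains to TLSCACertificateFile.
    """
    policy = policy.strip().lower()
    if policy in _DEMAND_ALIASES:
        policy = "demand"
    if policy == "never":
        return "accept"                      # certificate is never requested
    if not cert_presented:                   # "peer did not return a certificate"
        return "reject" if policy == "demand" else "accept"
    if cert_valid:
        return "accept"
    return "accept" if policy == "allow" else "reject"   # try/demand reject a bad cert


def parse_conf(text):
    """Minimal 'KEY value' parser for slapd.conf / ldap.conf style fragments.

    Keys are lower-cased so TLS_CERT and tls_cert (pam_ldap spelling) both match.
    """
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def predict_handshake(server_text, client_text, client_cert_valid=True):
    """Predict (outcome, reason) for the client fragment against the server fragment."""
    server = parse_conf(server_text)
    client = parse_conf(client_text)
    policy = server.get("tlsverifyclient", "never")
    has_cert = "tls_cert" in client and "tls_key" in client
    outcome = verify_client_outcome(policy, has_cert, client_cert_valid)
    if outcome == "accept":
        reason = "ok (TLSVerifyClient %s)" % policy
    elif not has_cert:
        reason = "client has no TLS_CERT/TLS_KEY but server demands a certificate"
    else:
        reason = "client certificate does not verify against TLSCACertificateFile"
    return outcome, reason


TLS_FAIL_RE = re.compile(r"TLS accept failure error=(-?\d+) id=(\d+)")


def failed_tls_accepts(log_text):
    """Return [(conn_id, error)] for every 'TLS accept failure' line in a slapd log."""
    return [(m.group(2), m.group(1)) for m in TLS_FAIL_RE.finditer(log_text)]


# Fragments copied from the quoted post.
SERVER_CONF = """
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3
TLSCACertificateFile /opt/etc/openldap/cert/CA.crt
TLSCertificateFile /opt/etc/openldap/cert/ldap1.test.com.crt
TLSCertificateKeyFile /opt/etc/openldap/cert/ldap1.test.com.key
TLSVerifyClient demand
"""

CLIENT_CONF_AS_POSTED = """
uri ldaps://ldap1.test.com:636
bind_policy soft
ldap_version 3
base dc=test,dc=com
"""

# Assumed repair for illustration: the client needs a certificate and key
# (placeholder paths, not from the post) for "demand" to be satisfiable.
CLIENT_CONF_WITH_CERT = CLIENT_CONF_AS_POSTED + """
TLS_CACERT /etc/ldap/CA.crt
TLS_CERT /etc/ldap/client.crt
TLS_KEY /etc/ldap/client.key
"""

# Log lines as quoted in the post, rejoined onto single lines.
SAMPLE_LOG = """\
TLS: can't accept: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate.
527b9a89 connection_read(16): TLS accept failure error=-1 id=1028, closing
527b9a89 connection_close: conn=1028 sd=16
"""

if __name__ == "__main__":
    print(predict_handshake(SERVER_CONF, CLIENT_CONF_AS_POSTED))   # ('reject', ...)
    print(predict_handshake(SERVER_CONF, CLIENT_CONF_WITH_CERT))   # ('accept', ...)
    print(failed_tls_accepts(SAMPLE_LOG))                          # [('1028', '-1')]
```

Run against the fragments as posted, the model reports the same outcome as the quoted log: under "demand" a client that sends no certificate is rejected, while "never", "allow" and "try" let the same client through, which matches the "I can login" observation for those settings. The cipher-suite line is carried over unchanged from the post; when reviewing such a config today, note that the +SSLv2 and +SSLv3 entries re-enable protocols that are long obsolete and should not be offered.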