> -----Original Message-----
> From: Philip Guenther <pguent...@proofpoint.com>
> Sent: Thursday, May 11, 2023 2:06 PM
> To: Christopher Paul <chris.p...@rexconsulting.net>
> Cc: terry.lem...@dell.com; openldap-technical@openldap.org
> Subject: RE: Debugging TLS negotiation failure
>
> > > Not sure if that is causing the problem?
> >
> > Try prepending to your ldapsearch:
> >
> > "LDAPTLS_REQCERT=allow ldapsearch ..."
>
> To be clear, that setting disables the client's authentication of the
> server: no protection from active attacks, back to "trust the network
> layer". This is only useful for confirming that everything _except_ the
> CA/cert setup is fine.
Yes, 100% agree. TLS in production should be used for encryption AND
verification, and so production should use a signed cert and
LDAPTLS_REQCERT=demand.
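The two-step check described in this thread as an added shell example (not from the list or the OpenLDAP project): first an `allow` run that skips server verification to show the rest of the connection works, then the `demand` run with the CA that should sign the server cert. The URI and CA path are placeholders; `diagnose` turns the two exit statuses into a verdict.

```shell
#!/bin/sh
# Added example: isolate a TLS failure into "CA/cert setup" vs "everything else".
# LDAP_URI and CA_FILE below are placeholders, not values from the thread.
LDAP_URI="${LDAP_URI:-ldaps://ldap.example.test}"
CA_FILE="${CA_FILE:-/etc/ssl/certs/corp-ca.pem}"

# Step 1: debug-only run. REQCERT=allow accepts any server cert, so a success
# here only proves the network/listener/bind side is fine. Never use in production.
probe_without_verification() {
  LDAPTLS_REQCERT=allow \
    ldapsearch -H "$LDAP_URI" -x -s base -b '' -LLL namingContexts
}

# Step 2: the production setting: demand verification against the real CA.
# For an ldap:// URI add -ZZ so StartTLS is required rather than optional.
probe_with_verification() {
  LDAPTLS_REQCERT=demand LDAPTLS_CACERT="$CA_FILE" \
    ldapsearch -H "$LDAP_URI" -x -s base -b '' -LLL namingContexts
}

# Combine the two exit statuses into a verdict.
# $1 = status of the allow run, $2 = status of the demand run.
diagnose() {
  if [ "$1" -ne 0 ]; then
    echo "not-a-cert-problem"      # fails even without verification
  elif [ "$2" -ne 0 ]; then
    echo "ca-or-cert-problem"      # only the verified run fails
  else
    echo "tls-ok"                  # verified connection works; keep demand
  fi
}

# Usage (runs only when ldapsearch is installed):
if command -v ldapsearch >/dev/null 2>&1; then
  probe_without_verification >/dev/null 2>&1; s1=$?
  probe_with_verification    >/dev/null 2>&1; s2=$?
  diagnose "$s1" "$s2"
fi
```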