Re: Using tls_cert/key without rootbinddn

by lambam80

Iain was kind enough to reply offline. I'll put his comments here.

> Note that sending a client-cert with TLS does *not perform* an LDAP Bind.

> > Q1. Do we know what purpose it serves, then? Why bother specifying client cert, and key, in the file /etc/ldap.conf?

Requiring clients to offer a cert signed by a specific trusted CA would provide a means of
disallowing 'foreign' hosts from usefully being able to access an LDAPS server.

> > Aside: If I've understood correctly the password (bindpw secret) in the file /etc/ldap.conf is only supported in clear text :-(

That is correct.

> > and pointing me in the direction of SASL/EXTERNAL.
> > I also misunderstood! Can you please elaborate on the use of SASL/EXTERNAL? For example, what options
> > did you use in /etc/ldap.conf to enable SASL/EXTERNAL?

Due to other constraints, SASL/EXTERNAL was not pursued.
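For readers landing here with the same question, here is a worked configuration showing the point Iain makes above: the client-side tls_cert/tls_key only do something if slapd is told to demand a certificate from a trusted CA, and even then no LDAP bind results. This is an added example, not configuration from the thread or from Iain; the hostname ldap.example.org, the base DN and every file path are assumed for illustration.

```conf
# --- Server side: slapd.conf (OpenLDAP) ---
# Weak (the default): the client's tls_cert/tls_key are never checked,
# so any host that can reach the port can open an LDAPS session.
#TLSVerifyClient never

# Hardened: slapd demands a client certificate and accepts only one
# chaining to the CA in TLSCACertificateFile; the TLS handshake fails
# otherwise, so 'foreign' hosts never get as far as an LDAP operation.
TLSCACertificateFile    /etc/openldap/cacert.pem               # assumed path
TLSCertificateFile      /etc/openldap/ldap.example.org.crt     # assumed path
TLSCertificateKeyFile   /etc/openldap/ldap.example.org.key     # assumed path
TLSVerifyClient         demand

# --- Client side: /etc/ldap.conf (nss_ldap / pam_ldap) ---
uri             ldaps://ldap.example.org/          # assumed hostname
base            dc=example,dc=org                  # assumed base DN
ssl             on
tls_checkpeer   yes                                # verify the server's cert against the CA below
tls_cacertfile  /etc/openldap/cacert.pem           # assumed path
tls_cert        /etc/openldap/client.crt           # presented to slapd during the TLS handshake
tls_key         /etc/openldap/client.key           # host credential: keep it mode 0600, root-owned

# Presenting the certificate does NOT bind. Lookups still run as whatever
# identity the bind settings give; with no binddn they run anonymously.
binddn          cn=proxy,dc=example,dc=org         # assumed DN
bindpw          secret                             # cleartext only, as noted above; protect this file
                                                   # or use rootbinddn with the password in /etc/ldap.secret (0600)
```

Two caveats for anyone applying this. `TLSVerifyClient demand` applies to every TLS client of that slapd, including administrators running ldapsearch by hand, so each of them needs a certificate from the same CA or their connections fail at the handshake. And because bindpw is stored in the clear, restricting /etc/ldap.conf's permissions is the only protection it gets; pam_ldap/nss_ldap's rootbinddn mechanism at least moves the root-only secret into the separate, root-readable /etc/ldap.secret.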