- Type: Bug
- Status: Done
- Priority: Major
- Resolution: Not a defect
- Affects Version/s: 2.6.0, 2.4.6
- Fix Version/s: Not applicable
- Component/s: core server
- Labels: None
By default when you install OpenDJ with a self-signed cert and enable StartTLS on the LDAP port, the client auth policy for the LDAP connection handler is set to optional:
optional - Clients are requested to provide their own certificates when performing SSL negotiation, but still accept the connection even if the client does not provide a certificate.
As Chris Ridd found, and then I reproduced, when you set up client certificate authentication as described in CR-1234, the result is LDAP 49.
If you set ssl-client-auth-policy: required for the handler, and try again, the bind is successful.
Oddly enough, if you change the value – I changed it a couple of times – and set it back to optional, then the bind is successful, too. Chris restarted OpenDJ and saw it work, but I saw it work without restarting the server.
The expected behavior would be that it works with ssl-client-auth-policy: optional out of the box.
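The following reproduction helper is an added example and is not part of the issue or of OpenDJ itself. It toggles ssl-client-auth-policy on the LDAP Connection Handler with dsconfig and then attempts a StartTLS bind with SASL EXTERNAL through ldapsearch, reporting the LDAP result code (OpenDJ's ldapsearch exits with the result code, so 49 is invalidCredentials). Host names, ports, the administrator password, the keystore and truststore paths and the certificate nickname are placeholders I assumed; set them for your deployment, or set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Reproduction helper for the StartTLS client-certificate bind behaviour
# described in the issue. Connection details, keystore paths and the
# client certificate nickname are assumed placeholders, not values from
# the issue; override them via the environment.
DJ_HOST="${DJ_HOST:-localhost}"
DJ_LDAP_PORT="${DJ_LDAP_PORT:-1389}"
DJ_ADMIN_PORT="${DJ_ADMIN_PORT:-4444}"
DJ_ADMIN_DN="${DJ_ADMIN_DN:-cn=Directory Manager}"
DJ_ADMIN_PW="${DJ_ADMIN_PW:-password}"
CLIENT_KEYSTORE="${CLIENT_KEYSTORE:-/path/to/client-keystore.jks}"
CLIENT_KEYSTORE_PW="${CLIENT_KEYSTORE_PW:-changeit}"
CLIENT_CERT_NICKNAME="${CLIENT_CERT_NICKNAME:-client-cert}"
SERVER_TRUSTSTORE="${SERVER_TRUSTSTORE:-/path/to/truststore}"
SERVER_TRUSTSTORE_PW="${SERVER_TRUSTSTORE_PW:-changeit}"

# Print the command line when DRY_RUN=1, otherwise execute it.
run_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Set ssl-client-auth-policy (disabled|optional|required) on the LDAP
# Connection Handler over the administration port.
set_client_auth_policy() {
  policy="$1"
  case "$policy" in
    disabled|optional|required) ;;
    *) echo "invalid ssl-client-auth-policy value: $policy" >&2; return 2 ;;
  esac
  run_cmd dsconfig set-connection-handler-prop \
    --hostname "$DJ_HOST" --port "$DJ_ADMIN_PORT" \
    --bindDN "$DJ_ADMIN_DN" --bindPassword "$DJ_ADMIN_PW" \
    --handler-name "LDAP Connection Handler" \
    --set "ssl-client-auth-policy:$policy" \
    --trustAll --no-prompt
}

# StartTLS on the LDAP port, present the client certificate from the
# keystore, and bind with SASL EXTERNAL. ldapsearch exits with the LDAP
# result code: 0 means the bind succeeded, 49 means invalidCredentials.
external_bind_probe() {
  run_cmd ldapsearch --hostname "$DJ_HOST" --port "$DJ_LDAP_PORT" --useStartTLS \
    --keyStorePath "$CLIENT_KEYSTORE" --keyStorePassword "$CLIENT_KEYSTORE_PW" \
    --certNickname "$CLIENT_CERT_NICKNAME" \
    --trustStorePath "$SERVER_TRUSTSTORE" --trustStorePassword "$SERVER_TRUSTSTORE_PW" \
    --saslOption mech=EXTERNAL \
    --baseDN "" --searchScope base "(objectclass=*)" 1.1
}

# Turn an ldapsearch exit status into a short description.
describe_result() {
  case "$1" in
    0)  echo "bind succeeded" ;;
    49) echo "LDAP 49 invalidCredentials: bind failed" ;;
    *)  echo "ldapsearch exited with status $1" ;;
  esac
}

# Walk the sequence from the report: optional, then required, then back to
# optional, without restarting the server in between.
main() {
  for policy in optional required optional; do
    set_client_auth_policy "$policy" || return 1
    rc=0
    external_bind_probe >/dev/null 2>&1 || rc=$?
    echo "ssl-client-auth-policy=$policy: $(describe_result "$rc")"
  done
}

if [ "${REPRO_RUN:-0}" = "1" ]; then
  main
fi
```

Run it with REPRO_RUN=1 against a test instance; a run that prints "LDAP 49" for the first optional step and "bind succeeded" for the later ones matches the sequence in the report. Because the probe uses SASL EXTERNAL, a 49 here means the server either did not request or did not map the client certificate, which is why comparing the optional and required settings side by side is the useful check.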