I have an MS AD server configured for LDAPS. I want to know where on the server I can play around with the client certificate authentication settings. Right now the server is configured to ignore any client cert validation error, or even the case when no cert is presented by a client to the AD server over LDAPS. The connection goes on without fail. I want to enforce something corresponding to this in OpenLDAP.
12.2.1.8. TLSVerifyClient { never | allow | try | demand }
This directive specifies what checks to perform on client certificates in an incoming TLS session, if any. This option is set to never by default, in which case the server never asks the client for a certificate. With a setting of allow the server will ask for a client certificate; if none is provided the session proceeds normally. If a certificate is provided but the server is unable to verify it, the certificate is ignored and the session proceeds normally, as if no certificate had been provided. With a setting of try the certificate is requested, and if none is provided, the session proceeds normally. If a certificate is provided and it cannot be verified, the session is immediately terminated. With a setting of demand the certificate is requested and a valid certificate must be provided, otherwise the session is immediately terminated.
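For reference, the OpenLDAP side of the setting quoted above, as an added example that is not part of the original post or the OpenLDAP documentation: on a server that uses the dynamic cn=config backend, TLSVerifyClient is exposed as the olcTLSVerifyClient attribute, and the CA bundle the client certificates are checked against is olcTLSCACertificateFile. The file paths and the choice of "demand" are assumptions for the example; adjust them to your deployment.

```ldif
# Added example (not from the original post): enforce client certificate
# verification on an OpenLDAP server via the cn=config backend.
# olcTLSVerifyClient is the cn=config form of the TLSVerifyClient directive.
# The certificate and key paths below are assumptions for this example.
#
# Meaning of the value, as in the quoted documentation:
#   never  - server never asks for a client certificate (default)
#   allow  - asks; missing or unverifiable cert is ignored
#   try    - asks; missing cert is fine, unverifiable cert ends the session
#   demand - asks; a valid cert chaining to olcTLSCACertificateFile is required
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/tls/ca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/tls/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/tls/server.key
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: demand
```

Apply it over the local socket with `ldapmodify -Y EXTERNAL -H ldapi:/// -f tls-verify.ldif`; the slapd.conf equivalent is simply `TLSVerifyClient demand` next to the TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile lines. Two practical points when moving away from the permissive behaviour described in the question: with "demand", every LDAPS client (monitoring probes and applications included) must present a certificate issued under a CA in the bundle or the TLS handshake itself fails, so "try" is the usual intermediate step during rollout, since it still rejects bad certificates while letting certificate-less clients through. Also, TLSVerifyClient only validates the certificate chain; it does not by itself map the certificate subject to an LDAP identity. Binding as the certificate holder is a separate step done with the SASL EXTERNAL mechanism and an authz-regexp mapping in the server configuration.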