I'm a bit shaky on the client side, maybe someone else has a more
definitive answer.
> How about on the client side? That is, how does
> a client present a certificate to slapd when requested?
You need to set TLS_KEY in your ldap.conf file to the path to your
private key file, and TLS_CERT as well. In any case, this option is
not fully implemented, since the server does not use the identity
from the certificate.
> and, how does a client verify the server certificate
> when presented?
That's not implemented yet. When it is, you'll need to have
TLS_CACERT and TLS_CERT entries in ldap.conf.