
OpenLDAP with ssl client certs



I was recently asked if we could use ssl client certs as a 2nd form of authentication with OpenLDAP and didn't know for sure. Is it possible to have OpenLDAP require both a DN/password pair *and* a client ssl cert?

Just to see if I could make any form of client cert authentication work, I took a test-bed instance of OpenLDAP and added this line to slapd.conf:
TLSVerifyClient allow

Then I created a self-signed ssl cert, converted it to a .der binary file, then added it to an LDAP record's userCertificate attribute with this:

dn: <my-dn>
changetype: modify
add: userCertificate;binary
userCertificate;binary:< file:///tmp/ldapclient.bin

Then I found my ldap client of choice doesn't seem to have an option to authenticate via client certs, and didn't see any command line options for ldapsearch for specifying a client ssl cert/key pair. So I edited ~/.ldaprc and added:

BINDDN <my-dn>
TLS_REQCERT demand
TLS_CERT /tmp/ldapclient.crt
TLS_KEY /tmp/ldapclient.key

But when I run ldapsearch -x with no -D and -W options, it's clearly still just binding anonymously. When I run ldapsearch -x with a -D and no -W option it says I can't bind without a password. :-) So... I'm clearly missing something here.

How do I get ldapsearch to try to authenticate with the SSL cert? Or is it possibly trying but failing because slapd can't validate the self-signed client cert I made? It's definitely finding and using my .ldaprc file because I can change BASE, PORT, and HOST settings in there and don't have to specify 'em on the command line afterwards, but as near as I can tell it's not using the client cert.

Brent
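The procedure in the post (slapd.conf directive, LDIF with userCertificate;binary, client cert/key in .ldaprc, ldapsearch) carried through end to end, as an added example that is not part of the post and not OpenLDAP's own documentation. The entry DN cn=brent,ou=people,dc=example,dc=com, the cert subject /O=example/CN=brent, the paths under $WORK and the slapd URI ldap://localhost are all assumptions. The two points it is built around: `ldapsearch -x` is a simple bind, so the cert is only a TLS client cert there and never becomes an identity; the mechanism that takes the identity from the cert is SASL EXTERNAL (`-Y EXTERNAL`), which only works when slapd can verify the cert (self-signed means the cert is its own issuer and must be in TLSCACertificateFile) and an authz-regexp maps the cert subject onto the entry.

```shell
#!/bin/sh
# Added example (not from the original post). Everything here is assumed:
# the user entry, the cert subject, the paths under $WORK and the slapd URI.
set -eu

WORK="${WORK:-/tmp/ldapclient}"
USER_DN="${USER_DN:-cn=brent,ou=people,dc=example,dc=com}"
LDAP_URI="${LDAP_URI:-ldap://localhost}"

# 1. Self-signed client cert/key. The subject is what slapd will see as the SASL
#    authentication identity once it verifies the cert, in LDAP (RFC 2253) order,
#    which is the reverse of OpenSSL's /O=.../CN=... form: cn=brent,o=example.
#    A self-signed cert is its own issuer, so the same file is what slapd has to
#    trust in order to verify it.
make_client_cert() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=example/CN=brent" \
        -keyout "$WORK/ldapclient.key" -out "$WORK/ldapclient.crt" 2>/dev/null
    openssl x509 -in "$WORK/ldapclient.crt" -outform DER -out "$WORK/ldapclient.der"
    cp "$WORK/ldapclient.crt" "$WORK/client-ca.pem"
}

# 2. Same modify as in the post. Storing the cert in userCertificate;binary is
#    fine for lookups, but slapd does not compare it with the cert presented in
#    the TLS handshake; authentication comes from TLS verification plus the
#    authz-regexp mapping below, not from this attribute.
make_ldif() {
    mkdir -p "$WORK"
    cat >"$WORK/cert.ldif" <<EOF
dn: $USER_DN
changetype: modify
add: userCertificate;binary
userCertificate;binary:< file://$WORK/ldapclient.der
EOF
}

# 3. slapd.conf side. "allow" only means an unverifiable cert does not abort the
#    handshake; slapd derives no identity from it. For SASL EXTERNAL the cert has
#    to verify against TLSCACertificateFile (append client-ca.pem to the CA file
#    slapd already uses) with TLSVerifyClient at least "try"; authz-regexp then
#    maps the cert subject onto the real entry. "demand" instead of "try" refuses
#    every connection that does not present a verifiable client cert.
slapd_conf_fragment() {
    cat <<EOF
TLSCACertificateFile $WORK/client-ca.pem
TLSVerifyClient try
authz-regexp "^cn=([^,]+),o=example\$" "cn=\$1,ou=people,dc=example,dc=com"
EOF
}

# 4. Client side. -x forces a simple bind, so the cert is never used as an
#    identity there (which is what the post is seeing). SASL EXTERNAL over
#    StartTLS (-ZZ) takes the identity from the verified client cert.
#    LDAPTLS_CERT/LDAPTLS_KEY are the environment forms of the .ldaprc options.
search_with_cert() {
    LDAPTLS_CERT="$WORK/ldapclient.crt" LDAPTLS_KEY="$WORK/ldapclient.key" \
        ldapsearch -H "$LDAP_URI" -ZZ -Y EXTERNAL -b "$USER_DN" -s base 1.1
}

# Prints the identity slapd ended up with for this connection. "anonymous" or a
# bind error means either the cert did not verify or the authz-regexp did not
# match; run this before blaming ldapsearch.
whoami_with_cert() {
    LDAPTLS_CERT="$WORK/ldapclient.crt" LDAPTLS_KEY="$WORK/ldapclient.key" \
        ldapwhoami -H "$LDAP_URI" -ZZ -Y EXTERNAL
}

# "Both": slapd has no bind that checks a password *and* the cert subject. The
# closest is TLSVerifyClient demand on the server (no verified client cert, no
# TLS session at all) plus an ordinary simple bind for the password. slapd does
# not check that the cert subject matches the bind DN in this arrangement.
search_with_cert_and_password() {
    LDAPTLS_CERT="$WORK/ldapclient.crt" LDAPTLS_KEY="$WORK/ldapclient.key" \
        ldapsearch -H "$LDAP_URI" -ZZ -x -D "$USER_DN" -W -b "$USER_DN" -s base 1.1
}

main() {
    make_client_cert
    make_ldif
    echo "Append this to slapd.conf and restart slapd before continuing:"
    slapd_conf_fragment
    ldapmodify -H "$LDAP_URI" -ZZ -x -D "$USER_DN" -W -f "$WORK/cert.ldif"
    whoami_with_cert
    search_with_cert
}

# Only talks to slapd when asked: ./clientcert.sh run
if [ "${1:-}" = run ]; then main; fi
```

The script stops after printing the slapd.conf fragment so the server side can be changed and restarted; `whoami_with_cert` is the quickest check that slapd actually verified the cert and mapped it, since it prints the DN slapd assigned to the connection rather than a search result.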