This might sound like an eDirectory question but it's not.

I came across an unusual problem. If the eDirectory LDAP server "Client
Certificate" setting is set to "Requested", which enables X509
certificate logins but does not require them, then I can't log in with
any of the Identity Applications in IDM 4.5.

I can log in with username/password using a standalone LDAP browser just
fine, for example Apache Directory Studio or ldapsearch in

../ldapsearch -h -p 636 -D cn=admin,o=system -e /var/opt/novell/eDirectory/data/SSCert.der -v -b ou=Devices,o=Meta -W

But when I try to log in with UA, for example, I see this in ndstrace:

3403712256 LDAP: [2015/04/27 12:34:53.53] New TLS connection 0xe964000 from, monitor = 0xc3fe6700, index = 19
3288229632 LDAP: [2015/04/27 12:34:53.55] Monitor 0xc3fe6700 initiating TLS handshake on connection 0xe964000
3287176960 LDAP: [2015/04/27 12:34:53.55] DoTLSHandshake on connection
3287176960 LDAP: [2015/04/27 12:34:53.59] TLS accept failure 1 on connection 0xe964000, setting err = -5875. Error stack: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
3287176960 LDAP: [2015/04/27 12:34:53.59] TLS handshake failed on connection 0xe964000, err = -5875
3287176960 LDAP: [2015/04/27 12:34:53.59] BIO ctrl called with unknown cmd 7
3287176960 LDAP: [2015/04/27 12:34:53.59] Server closing connection 0xe964000, socket error = -5875
3287176960 LDAP: [2015/04/27 12:34:53.59] Connection 0xe964000 closed

Is this by design or am I missing a setting somewhere in configupdate?

The reason I'm asking is because I have an application that uses a
client certificate to log in to eDirectory (SASL EXTERNAL bind) and I
would like to use the same eDirectory instance for both the "Identity
Applications" and for this application.

I could set up a new eDirectory instance just for that application but I
would rather not do that if I can get the Identity Applications to work.
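
A triage sketch for the ndstrace output quoted above, added here as an example and not part of the original post or of any NetIQ tooling: it rejoins wrapped trace entries, flags failed TLS handshakes per connection, and splits the OpenSSL error code into its library, function and reason fields. The function names are hypothetical, the sample lines are constructed from the trace in the post, and the decoding assumes the OpenSSL 1.0.x error-code packing.

```python
import re

# Trace entry format seen in the post: "<thread id> LDAP: [<timestamp>] <message>"
ENTRY = re.compile(r"^(\d+) LDAP: \[([^\]]+)\] (.*)$")
CONN = re.compile(r"connection (0x[0-9a-fA-F]+)")
ERR = re.compile(r"err = (-?\d+)")
OSSL = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")

# Constructed sample, hard-wrapped the same way as the trace in the post.
SAMPLE = """\
3288229632 LDAP: [2015/04/27 12:34:53.55] Monitor 0xc3fe6700 initiating
TLS handshake on connection 0xe964000
3287176960 LDAP: [2015/04/27 12:34:53.59] TLS accept failure 1 on
connection 0xe964000, setting err = -5875. Error stack:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned
3287176960 LDAP: [2015/04/27 12:34:53.59] Connection 0xe964000 closed
""".splitlines()

def unwrap(lines):
    """Rejoin wrapped entries: a line that does not start an entry continues the previous one."""
    out = []
    for line in (l.strip() for l in lines):
        if not line:
            continue
        if ENTRY.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def decode_openssl(code_hex):
    """Unpack an OpenSSL 1.0.x error code (assumed): 8-bit library, 12-bit function, 12-bit reason."""
    code = int(code_hex, 16)
    return {"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}

def failed_handshakes(lines):
    """Map connection handle -> details for every 'TLS accept failure' entry."""
    failures = {}
    for entry in unwrap(lines):
        m = ENTRY.match(entry)
        if not m or "TLS accept failure" not in m.group(3):
            continue
        msg = m.group(3)
        conn, err, ossl = CONN.search(msg), ERR.search(msg), OSSL.search(msg)
        detail = {"time": m.group(2), "err": int(err.group(1)) if err else None}
        if ossl:
            detail.update(decode_openssl(ossl.group(1)), function=ossl.group(3), text=ossl.group(4).strip())
        failures[conn.group(1) if conn else "unknown"] = detail
    return failures
```

Library 20 is OpenSSL's SSL library, so a hit here places the failure in the server-side TLS handshake, before any LDAP bind is processed.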