In slapd.conf, which keyword instructs slapd to not ask the client for a certificate?

The correct keyword in the slapd.conf configuration for instructing slapd not to ask the client for a certificate is "never." This keyword effectively tells the LDAP server to forgo the usual request for client certificates during the SSL/TLS handshake process.

Using "never" means that the server will accept unauthenticated connections, which can be crucial in situations where either the client does not possess a valid certificate or when the requirement for mutual authentication is not necessary. This flexibility allows for configurations that support a broader set of clients or to simplify testing scenarios.

This setting is particularly important when deciding how strict or lenient the server should be regarding client authentication, impacting the overall security model employed by the server. Clients connecting to the server under this configuration will not be prompted for their certificates, hence streamlining the connection process under certain conditions.

While other options may suggest different forms of certificate handling, "never" specifically aligns with the requirement of avoiding a certificate request from the client, making it the appropriate choice for this scenario.