> Likely. You can examine their root DSE to see if the Start TLS request
> OID is listed in supportedExtension.
No, it's not listed. :-(
> > The LDAPS is what I really wanted to do anyway.
> Unfortunately, the -h option to ldapsearch is for host names
> only, not for URLs (this arg is passed unmodified to
> ldap_init(), which wants a hostname).
>
> Well, that's the way I thought it was supposed to work (I don't use
> ldaps:// myself). Report it as a bug using the Issue Tracking System
> (http://www.openldap.org/its/).
>
> Kurt
I think it is more of a feature request than a bug. All other implementations of ldapsearch (cmd line tool) that I have looked at don't support the URL method.
FYI, I was able to make LDAPS work with gamma to an iPlanet server with the following modifications (i.e., hacks):
1) Set tls_opt_cacertfile (global defined in libldap:tls.c line 40) to my CA's certificate (which happens to be my own private CA).
2) Force LDAPS scheme at the beginning of ldap_start_tls_s() (in libldap:open.c line 254) as follows:
ld->ld_options.ldo_defludp->lud_scheme = LDAP_STRDUP( "ldaps" );
3) Fix an apparent bug: at line 262 in libldap:open.c change
if (ldap_pvt_tls_inplace(lc->lconn_sb) != 0)
to
if (ldap_pvt_tls_inplace(lc->lconn_sb) == 0)
4) Disable the remainder of the for loop at lines 265-277 in libldap:open.c. These issue the StartTLS extended operation which iPlanet doesn't support.
Thanks for the help,
Art
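Kurt's root DSE check, as an added example that is not part of this thread or of OpenLDAP: the functions below take the LDIF that a base-scope search of the root DSE for supportedExtension would print (the sample output here is constructed, with one value folded over two lines) and report whether the StartTLS OID 1.3.6.1.4.1.1466.20037 (RFC 2830) is advertised, which is what decides between ldap_start_tls_s() and a plain ldaps:// connection.

```python
# Added example: check a root DSE LDIF dump for the StartTLS extended
# operation. Not OpenLDAP code; the sample LDIF values are constructed.
import re

START_TLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS, RFC 2830 / RFC 4511


def unfold_ldif(text: str) -> list[str]:
    """Join LDIF continuation lines (leading single space) onto the
    preceding line, dropping comments and blank lines."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines


def supported_extensions(ldif: str) -> set[str]:
    """Return the OIDs listed under supportedExtension in the root DSE
    entry (LDAP attribute names are case-insensitive)."""
    oids: set[str] = set()
    for line in unfold_ldif(ldif):
        m = re.match(r"(?i)supportedExtension:\s*(\S+)", line)
        if m:
            oids.add(m.group(1))
    return oids


def supports_start_tls(ldif: str) -> bool:
    """True if the server advertises the StartTLS extended operation."""
    return START_TLS_OID in supported_extensions(ldif)


# Constructed sample: a server that advertises StartTLS (OID folded).
SAMPLE_WITH_START_TLS = """\
dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.1466.
 20037
"""

# Constructed sample: a server like the iPlanet one above, which does not
# list StartTLS, so only ldaps:// on a TLS port would work.
SAMPLE_WITHOUT_START_TLS = """\
dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
"""

if __name__ == "__main__":
    print("with:", supports_start_tls(SAMPLE_WITH_START_TLS))
    print("without:", supports_start_tls(SAMPLE_WITHOUT_START_TLS))
```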