It would be a nice feature if ldapsearch (and friends) supported LDAPS via command line option to specify URIs. I also had trouble connecting to iPlanet, since it didn't support the StartTLS extended operation.
I was able to make LDAPS work with gamma to an iPlanet server with the following modifications (i.e., hacks):
1) Set tls_opt_cacertfile (global defined in libldap:tls.c line 40) to my CA's certificate (which happens to be my own private CA).
2) Force LDAPS scheme at the beginning of ldap_start_tls_s() (in libldap:open.c line 254) as follows:
ld->ld_options.ldo_defludp->lud_scheme = LDAP_STRDUP( "ldaps" );
3) Fix an apparent bug (already reported to ITS):
At line 262 in libldap:open.c change
    if (ldap_pvt_tls_inplace(lc->lconn_sb) != 0)
to
    if (ldap_pvt_tls_inplace(lc->lconn_sb) == 0)
4) Disable the remainder of the for loop at lines 265-277 in libldap:open.c. These issue the StartTLS extended operation which iPlanet doesn't support.
Here is my client setup:
- Solaris 2.7
- Openldap 2.0 gamma
- OpenSSL 0.9.5
- Cyrus SASL 1.5.24
- Sun Workshop compilers 4.2.1
- Search command: ldapsearch -x -h iplanethost -p 636 -s base -b "" -ZZ
- NOTE: if you omit "-p 636" you can crash the iPlanet server!!! ;-)
Here is my server setup:
- Win2000 Advanced Server
- iPlanet 4.1 Directory Server
- Windows Certificate Services
Vitria Technology, Inc.
"Understanding is a three-edged sword."
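Added example (not part of the post above, and not OpenLDAP or iPlanet code): the hacks in the post exist because the client had no way to tell that the server would not do StartTLS. The safe way to decide between ldaps:// on 636 and StartTLS on 389 is to read the server's rootDSE first and look for the StartTLS extended-operation OID (1.3.6.1.4.1.1466.20037) in supportedExtension, which also avoids sending the unsupported extended operation to a server like the one described. The minimal BER/LDAP encoder and decoder, the probe() helper, the ldapsearch_argv() helper (which uses the OpenLDAP -H URI syntax rather than -h/-p) and the sample server reply below are all written here for illustration; the reply is constructed, not captured from any server.

```python
"""Pick LDAPS or StartTLS from the rootDSE, using a hand-rolled minimal LDAP/BER client.

Example code written for this page; the BER helpers, probe() and the sample reply are
illustrative and not taken from OpenLDAP or the post they accompany.
"""
import socket

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"        # StartTLS extended operation (RFC 4511)
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # only used to populate the constructed reply


class Incomplete(ValueError):
    """Raised when the bytes seen so far do not yet hold a whole reply."""


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(v):
    """Non-negative INTEGER; a leading 0x00 is added when the high bit would be set."""
    return ber(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def build_rootdse_request(msgid=1):
    """LDAPMessage{msgid, SearchRequest}: base "", scope base, (objectClass=*), supportedExtension."""
    body = (ber(0x04, b"")                       # baseObject: the root DSE
            + ber(0x0A, b"\x00")                 # scope: baseObject
            + ber(0x0A, b"\x00")                 # derefAliases: neverDerefAliases
            + ber_int(0) + ber_int(0)            # sizeLimit, timeLimit: unlimited
            + ber(0x01, b"\x00")                 # typesOnly: FALSE
            + ber(0x87, b"objectClass")          # filter: present(objectClass)
            + ber(0x30, ber(0x04, b"supportedExtension")))
    return ber(0x30, ber_int(msgid) + ber(0x63, body))   # [APPLICATION 3] SearchRequest


def read_tlv(buf, pos=0):
    """Decode one TLV at pos -> (tag, content, next_pos); Incomplete if the buffer is short."""
    if pos + 2 > len(buf):
        raise Incomplete("truncated header")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                # long-form length
        n = ln & 0x7F
        if pos + n > len(buf):
            raise Incomplete("truncated length")
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise Incomplete("truncated value")
    return tag, buf[pos:pos + ln], pos + ln


def read_seq(content):
    """All TLVs inside a constructed value, as a list of (tag, content)."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out


def parse_rootdse_reply(data):
    """Attributes from the SearchResultEntry messages; Incomplete until SearchResultDone is seen."""
    attrs, pos = {}, 0
    while pos < len(data):
        tag, msg, pos = read_tlv(data, pos)
        if tag != 0x30:
            raise ValueError("not an LDAPMessage")
        (_, _msgid), (op_tag, op) = read_seq(msg)[:2]
        if op_tag == 0x64:                       # [APPLICATION 4] SearchResultEntry
            (_, _dn), (_, attr_list) = read_seq(op)
            for _, attr in read_seq(attr_list):
                (_, atype), (_, vals) = read_seq(attr)
                attrs.setdefault(atype.decode(), []).extend(v.decode() for _, v in read_seq(vals))
        elif op_tag == 0x65:                     # [APPLICATION 5] SearchResultDone
            return attrs
    raise Incomplete("no SearchResultDone yet")


def choose_transport(attrs):
    """'starttls' when the rootDSE advertises the StartTLS extended op, otherwise 'ldaps'."""
    return "starttls" if STARTTLS_OID in attrs.get("supportedExtension", []) else "ldaps"


def ldapsearch_argv(host, transport, ldaps_port=636):
    """The OpenLDAP ldapsearch invocation (-H URI form) matching the chosen transport."""
    if transport == "starttls":
        return ["ldapsearch", "-x", "-H", f"ldap://{host}", "-ZZ", "-s", "base", "-b", ""]
    return ["ldapsearch", "-x", "-H", f"ldaps://{host}:{ldaps_port}", "-s", "base", "-b", ""]


def probe(host, port=389, timeout=5.0):
    """Query a live server's rootDSE on its plaintext port and return the transport to use."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_rootdse_request(1))
        data = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed before SearchResultDone")
            data += chunk
            try:
                return choose_transport(parse_rootdse_reply(data))
            except Incomplete:
                continue                         # need more bytes


def build_rootdse_reply(msgid, extensions):
    """Constructed server reply for the offline demo (not captured from iPlanet or any server)."""
    vals = b"".join(ber(0x04, oid.encode()) for oid in extensions)
    attr = ber(0x30, ber(0x04, b"supportedExtension") + ber(0x31, vals))
    entry = ber(0x64, ber(0x04, b"") + ber(0x30, attr))
    done = ber(0x65, ber(0x0A, b"\x00") + ber(0x04, b"") + ber(0x04, b""))   # success, empty DN/diag
    return ber(0x30, ber_int(msgid) + entry) + ber(0x30, ber_int(msgid) + done)


if __name__ == "__main__":
    for exts in ([STARTTLS_OID, PASSWD_MODIFY_OID], [PASSWD_MODIFY_OID]):
        transport = choose_transport(parse_rootdse_reply(build_rootdse_reply(1, exts)))
        print(exts, "->", transport, ":", " ".join(ldapsearch_argv("iplanethost", transport)))
```

Against a live server you would call probe("iplanethost") and run the returned ldapsearch_argv(); the rootDSE lookup is sent over the plaintext port before any TLS decision is made, so a server that never advertises StartTLS is only ever approached over ldaps://. The CA certificate for the ldaps:// case still has to be trusted by the client (TLS_CACERT in ldap.conf for OpenLDAP), which the post does by pointing tls_opt_cacertfile at its private CA.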