Is there a bug in starting TLS/SSL from clients? I can make it work with a code change in libldap, but can't figure out how to make it work otherwise.
Here are the details:
I'm using OpenLDAP 2.0 gamma on Solaris 2.7 built with "--with-tls" and OpenSSL 0.9.5. I have an iPlanet LDAP server on Win2k with a cert installed. I can ldapsearch it with SSL from the iPlanet client with no problems. I can ldapsearch it from openldap without SSL. When I try to ldapsearch it from openldap with SSL, the TLS never starts.
Here is my search string:
ldapsearch -d 255 -x -w secret -v -h iplanethost -p 636 -s base -b "" -ZZ "(objectclass=*)"
In libldap:open.c:ldap_int_open_connection(), TLS never starts because ldap_pvt_tls_start() (line 363) is never called. To be called, either the "ldo_tls_mode" must be "LDAP_OPT_X_TLS_HARD" or the "lud_scheme" must be "ldaps". However, neither of these conditions are true.
If I add a line to the beginning of ldap_start_tls_s() that sets ld->ld_options.ldo_defludp->lud_scheme to "ldaps", then TLS starts fine.
Am I missing a flag to ldapsearch or a config option to OpenSSL? Or is this a bug?