OK, so the StartTLS method makes a request over the default port (389) to invoke the startTLS extended operation, right? Unfortunately, when I try that I get a "protocol error" from iPlanet. I assume that means iPlanet doesn't support StartTLS. :-(
The LDAPS is what I really wanted to do anyway. Unfortunately, the -h option to ldapsearch is for host names only, not for URLs (this arg is passed unmodified to ldap_init(), which wants a hostname). Is there another way to do this with ldapsearch? I can use "openssl s_client -connect iplanethost:636" and it establishes an SSLv3 connection fine. I would rather find a way for the clients and SDK to work with this than to use a wrapper.
From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
Sent: Thursday, August 24, 2000 1:36 PM
To: Art Corcoran
Subject: Re: TLS/SSL in OpenLDAP 2.0 gamma clients
At 01:16 PM 8/24/00 -0700, Art Corcoran wrote:
>Here are the details:
>I'm using OpenLDAP 2.0 gamma on Solaris 2.7 built with "--with-tls" and OpenSSL 0.9.5. I have an iPlanet LDAP server on Win2k with a cert installed. I can ldapsearch it with SSL from the iPlanet client with no problems. I can ldapsearch it from openldap without SSL. When I try to ldapsearch it from openldap with SSL, the TLS never starts.
Do not confuse ldaps:// (LDAP over SSL) with LDAPv3's Start TLS.
Start TLS is the Standard Track LDAPv3 mechanism for initiating TLS (RFC2830).
ldaps:// is a vendor extension which is not documented in any RFC.
>Here is my search string:
> ldapsearch -d 255 -x -w secret -v -h iplanethost -p 636 -s base -b "" -ZZ "(objectclass=*)"
ldapsearch -h iplanethost -ZZ -x -s base -b ""
ldapsearch -h ldaps://iplanethost -x -s base -b ""