
ldap_start_tls_s failing, yet perror is SUCCESS.

To preface the problem, I CAN use ldapsearch to search, with the -ZZ option,
and get valid searches for the same set of parameters as I am using in the
following code. So the server and configuration are all set up right.

Now, the problem is that ldap_start_tls_s(), when called with an initialized
LDAP * and two NULL's, returns (!LDAP_SUCCESS). I then call ldap_perror() on
the LDAP *, and it says SUCCESS. Not much use to figure out why the call
failed. Interestingly enough, I have the same problem in doing
ldap_set_option() on *_TLS_CACERTFILE. The code is small, so it's here. And
since this works in the client/tools/* (ldapsearch), I don't seem to
understand why it doesn't work in my code. OpenLDAP 2.1.22. Is there a
secret call used to actually get useful information?

Also, when I don't have the CACERTFILE set correctly (in ldap.conf,
TLS_CACERT) and run an ldapsearch, it reports intelligent information.
However, all I can get is SUCCESS.

    #include <iostream>
    #include <string>
    #include <cstdio>
    #include <ldap.h>

    using std::cerr;
    using std::endl;

    // server and port come from the caller (left out of the original snippet)
    int connect_tls(const std::string &server, int port)
    {
        LDAP * ld = ldap_init(server.c_str(), port);
        if( ld == NULL ) {
            perror("ldap_init FAILED");
            return -1;
        }

        int protocol = LDAP_VERSION3;
        if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &protocol )
            != LDAP_OPT_SUCCESS ) {
            cerr << "Could not set LDAP_OPT_PROTOCOL_VERSION" << endl;
            return -1;
        }

        // ALSO, I have tried setting the CACERTFILE, but either way, it fails
        const char * certfile = "/path/to/cacert";
        if( ldap_set_option( ld, LDAP_OPT_X_TLS_CACERTFILE, certfile )
            != LDAP_OPT_SUCCESS ) {
            // bail
            cerr << "Could not set LDAP_OPT_X_TLS_CACERTFILE" << endl;
            return -1;
        }

        if( ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS ) {
            ldap_perror(ld, "start_tls() failed");   // prints SUCCESS, as described above
            return -1;
        }
        return 0;
    }

Any thoughts?