Full_Name: mathew murphy
Version: 2.4.40
OS: CentOS 7
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2605:6000:ee08:3200:56ee:75ff:fe4a:3f67)

% ldapsearch --help
[...]
  -Z         Start TLS request (-ZZ to require successful response)
% ldapsearch -x -Z -h localhost -p 636 -b 'dc=mydc' '(objectclass=*)'
ldap_start_tls: Can't contact LDAP server (-1)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
However:
% ldapsearch -x -H ldaps://localhost:636 -b 'dc=mydc' '(objectclass=*)'
[lots of data]
So -Z isn't needed if you use -H ldaps://..., and doesn't work if you don't.
I realize that the FAQ mentions in passing that you need to use -H, but it's really well hidden compared to the bad advice given by ldapsearch --help.
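
An added illustration, not part of the original report and not OpenLDAP code, of why the two invocations above differ on the wire: -Z sends a StartTLS extended request (RFC 4511) as a cleartext LDAPMessage before any TLS handshake, whereas an ldaps:// listener expects the connection to begin with a TLS record. The function names and the TLS sample bytes are constructed for this example.

```python
"""First bytes on the wire: StartTLS (-Z) request versus an ldaps:// connection."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS request name, RFC 4511 section 4.14.1


def ber(tag: int, content: bytes) -> bytes:
    """Encode one BER TLV using a short-form length (content under 128 bytes)."""
    if len(content) >= 0x80:
        raise ValueError("long-form lengths are not needed for this example")
    return bytes([tag, len(content)]) + content


def build_starttls_request(message_id: int = 1) -> bytes:
    """Build the LDAPMessage that carries a StartTLS ExtendedRequest."""
    if not 0 < message_id < 0x80:
        raise ValueError("example keeps messageID to a single byte")
    msg_id = ber(0x02, bytes([message_id]))       # INTEGER messageID
    ext_req = ber(0x77, ber(0x80, STARTTLS_OID))  # [APPLICATION 23] { [0] requestName }
    return ber(0x30, msg_id + ext_req)            # outer SEQUENCE


def classify_first_bytes(data: bytes) -> str:
    """Report what a listener would take the start of a connection to be."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"   # TLS record with ContentType handshake(22)
    if len(data) >= 2 and data[0] == 0x30:
        return "ldap-cleartext"  # BER SEQUENCE, i.e. a plain LDAPMessage
    return "unknown"


# Constructed sample: TLS record header plus the ClientHello handshake type byte.
SAMPLE_TLS_CLIENT_HELLO = bytes.fromhex("160301020001")

if __name__ == "__main__":
    req = build_starttls_request()
    # What "-Z -h localhost -p 636" puts on the wire first: cleartext LDAP.
    print(req.hex(), "->", classify_first_bytes(req))
    # What "-H ldaps://localhost:636" puts on the wire first: a TLS handshake.
    print(SAMPLE_TLS_CLIENT_HELLO.hex(), "->",
          classify_first_bytes(SAMPLE_TLS_CLIENT_HELLO))
```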