It's a standard conformance issue....
The spec says that upon StartTLS 'success', both TLS communications is established on the octet following the Start TLS response (and the request)... and that once one starts TLS communications, one can never go back to LDAP without TLS. So if there's a TLS failure (whether as part of TLS nego or later), LDAP communications cannot be continued (without TLS).
Only ignoring LDAP errors (rc > 0) ensures that if TLS negotiation fails, we don't attempt to send LDAP operations without TLS.
-- Kurt
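
The rule in the message above, as an added example that is not part of the original message or of any project's code: a small state model in which only a positive (LDAP result) code from StartTLS may leave the connection usable in plaintext. The return-code values, the `require_tls` policy flag and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed sample codes: LDAP result codes are positive, client-side
 * failures (for example a failed TLS handshake) are negative. */
enum { RC_SUCCESS = 0, RC_PROTOCOL_ERROR = 2, RC_LOCAL_TLS_FAILURE = -11 };

typedef enum { CONN_PLAIN, CONN_TLS, CONN_DEAD } conn_state;

/* Hypothetical helper: connection state after a StartTLS attempt.
 * require_tls is an assumed caller policy, not something the message defines. */
conn_state after_starttls(conn_state cur, int rc, bool require_tls)
{
    if (cur != CONN_PLAIN)
        return cur;              /* only the plaintext case is modelled */
    if (rc == RC_SUCCESS)
        return CONN_TLS;         /* TLS starts on the next octet */
    if (rc > 0)                  /* server refused: no TLS layer was started */
        return require_tls ? CONN_DEAD : CONN_PLAIN;
    return CONN_DEAD;            /* rc < 0: negotiation failed, never fall back */
}

/* A TLS failure after establishment is equally fatal: no return to plaintext. */
conn_state on_tls_failure(conn_state cur)
{
    return cur == CONN_TLS ? CONN_DEAD : cur;
}

/* LDAP operations may be sent only while the connection is not dead. */
bool may_send_ldap(conn_state s)
{
    return s != CONN_DEAD;
}

int main(void)
{
    const int rcs[] = { RC_SUCCESS, RC_PROTOCOL_ERROR, RC_LOCAL_TLS_FAILURE };
    for (size_t i = 0; i < sizeof rcs / sizeof rcs[0]; i++) {
        conn_state s = after_starttls(CONN_PLAIN, rcs[i], false);
        printf("rc=%d -> state=%d, may send LDAP: %s\n",
               rcs[i], (int)s, may_send_ldap(s) ? "yes" : "no");
    }
    return 0;
}
```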