I wrote:
In OpenSSL, SSL_get_peer_certificate().
..after getting the SSL* arg with ldap_get_option LDAP_OPT_X_TLS_SSL_CTX. Which the manpage recommends not doing. At least don't meddle with the SSL* more than you have to.
I presume Michael's case is one of the few in which the client would pay enough attention to details when using such an option.
Whether a case like this deserves an OpenLDAP API is questionable, since it is not an LDAP-specific issue, but rather a general SSL wrapping issue. OTOH, as long as clever client design often needs it, I would not object to adding such a feature.
p.