In testing a suggestion from Howard, it appears that OpenLDAP code is
broken for IP based certs (where the IP: <addr> is in subject Alternative
Name), as it does a hostname lookup prior to validating the cert. This is
trivially demonstrable using a cert with:
X509v3 Subject Alternative Name:
    DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
Attempting to connect via ldapsearch to ldap://127.0.0.1 and initiate
startTLS will fail, as the IP gets mapped to "localhost", and then the FQDN
check fails. But this would imply any attempt to use the IP: values in
subject Alternative Name will be a problem, since "name_in" is translated.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
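As an added illustration (not code from the message above, and not OpenLDAP's own implementation), the following Python shows the subject-name check a client should do against a certificate like the one quoted: an IP-literal target is compared only against the iPAddress SAN entries, a hostname only against the dNSName entries, and no reverse lookup of the IP is performed. A second function models a check whose outcome depends on what a resolver returns for the IP; the resolver answers are a constructed lookup table, as is the SAN text, which is the line from the message in the form `openssl x509 -text` prints it.

```python
import ipaddress

# Constructed sample input: the SAN line quoted in the message, in openssl -text form.
SAN_TEXT = "DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1"


def parse_san(san_text):
    """Parse an openssl-style SAN line into (dns_names, ip_addresses).

    IP entries are normalised with the ipaddress module, so the textual form
    0:0:0:0:0:0:0:1 compares equal to ::1."""
    dns_names, ips = [], []
    for entry in san_text.split(","):
        entry = entry.strip()
        if entry.startswith("DNS:"):
            dns_names.append(entry[len("DNS:"):].strip().lower())
        elif entry.startswith("IP Address:"):
            ips.append(ipaddress.ip_address(entry[len("IP Address:"):].strip()))
    return dns_names, ips


def dns_name_matches(pattern, hostname):
    """RFC 6125-style DNS-ID comparison: case-insensitive exact match, or a
    single '*' as the whole leftmost label of a name with at least three labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_matches_target(san_text, target):
    """Correct check: decide by the *form* of the target the client connected to.

    An IP literal (optionally in [] brackets) is matched only against iPAddress
    SAN entries; anything else is matched only against dNSName entries. The
    resolver is never consulted, so the result cannot depend on reverse DNS."""
    dns_names, ips = parse_san(san_text)
    try:
        addr = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        addr = None
    if addr is not None:
        return addr in ips
    return any(dns_name_matches(p, target) for p in dns_names)


def san_matches_after_reverse_lookup(san_text, target, reverse_table):
    """Resolver-dependent check, for contrast: the IP literal is first mapped to a
    name (reverse_table is a constructed stand-in for the resolver) and only the
    dNSName entries are then examined. Whether this passes depends on the
    resolver's answer, not on the iPAddress entry the certificate actually carries."""
    dns_names, _ = parse_san(san_text)
    name = reverse_table.get(target, target)
    return any(dns_name_matches(p, name) for p in dns_names)


if __name__ == "__main__":
    print("literal 127.0.0.1 :", san_matches_target(SAN_TEXT, "127.0.0.1"))
    print("literal [::1]     :", san_matches_target(SAN_TEXT, "[::1]"))
    print("name localhost    :", san_matches_target(SAN_TEXT, "localhost"))
    # Constructed resolver answer that does not equal the certificate's DNS name.
    print("after reverse DNS :", san_matches_after_reverse_lookup(
        SAN_TEXT, "127.0.0.1", {"127.0.0.1": "host.example.internal"}))
```

Running the script prints True for the three direct checks and False for the resolver-dependent one, which is the failure mode the message describes: the certificate is valid for 127.0.0.1, but a check that replaces the literal with a looked-up name never gets to compare the iPAddress entry.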