On Tue, 19 Jun 2007, Markus Moeller wrote:
> Thank you very much for the detailed answer. If I remember right, the return code from ldap_start_tls was -11, which translates to "can't connect to server" and wasn't very specific about whether it was a missing cert or whether I had connected to an SSL-only port (e.g. 636), but I will confirm.
You can usually get more info about an error using

    char *errmsg = NULL;
    ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &errmsg);
If errmsg is not NULL after that, then it's additional text about the error. That wouldn't have helped with your ldap_start_tls_s() cert checking issues however, as the cert checking routine doesn't set that for errors involving CA checking. It *might* have given more info when you tried to use start_tls when the server was expecting ldaps.
Philip Guenther