Howard,

I use openSUSE 10.2 with libldap-2.3.so.0.2.15, and if I have an empty
~/.ldaprc file, ldap_start_tls_s comes back with error -11 Connect error:

ldap_int_select
read1msg: ld 0x8054608 msgid 1 all 1
read1msg: ld 0x8054608 msgid 1 message type extended-result
read1msg: ld 0x8054608 0 new referrals
read1msg:  mark request completed, ld 0x8054608 msgid 1
request done: ld 0x8054608 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject:
/CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string
Error while setting start_tls for ldap server: Connect error(-11)
ldap_free_connection 1 1
ldap_send_unbind

When I add tls_reqcert allow to ~/.ldaprc, I get:

ldap_int_select
read1msg: ld 0x8054608 msgid 1 all 1
read1msg: ld 0x8054608 msgid 1 message type extended-result
read1msg: ld 0x8054608 0 new referrals
read1msg:  mark request completed, ld 0x8054608 msgid 1
request done: ld 0x8054608 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject:
/CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 0, err: 27, subject:
/CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, certificate not trusted
TLS certificate verification: depth: 0, err: 21, subject:
/CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to verify the first certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
Successfully set up TLS protected connection to ldap server
w2k3.windows2003.home:389

So, this setting definitely does something!!

Regards
Markus

----- Original Message -----
From: "Howard Chu" <hyc@symas.com>
Newsgroups: gmane.network.openldap.general
To: "Markus Moeller" <huaraz@moeller.plus.com>
Cc: <openldap-software@openldap.org>
Sent: Tuesday, June 19, 2007 12:33 AM
Subject: Re: Question about ldap_init, ldap_initialize, start_tls,
LDAP_OPT_X_TLS_ALLOW and TLS/SSL


> Markus Moeller wrote:
>> But it is allowed to be set in ldap.conf,
>
> That doesn't necessarily mean anything. Lots of things can be set in
> ldap.conf that don't mean anything at all, since the parser ignores any
> keywords it doesn't recognize.
>
> What evidence do you have that this particular setting actually does
> anything? A quick scan of the source code proves that it actually does
> nothing.
>
>> so why can't or shouldn't I be able to set it in my client without the
>> pain of checking all the different config files ldap.conf, .ldaprc,
>> ldaprc ... I'd like to be able to control my client options without the
>> use of config files.
>
> Go ahead and do that then. But don't waste time with options that don't
> actually have any meaning.
>>
>> Regards
>> Markus
>>
>> ----- Original Message -----
>> From: "Howard Chu" <hyc@symas.com>
>> To: "Markus Moeller" <huaraz@moeller.plus.com>
>> Cc: <openldap-software@openldap.org>
>> Sent: Tuesday, June 19, 2007 12:01 AM
>> Subject: Re: Question about ldap_init, ldap_initialize, start_tls,
>> LDAP_OPT_X_TLS_ALLOW and TLS/SSL
>>
>>
>>> Markus Moeller wrote:
>>>> Does anybody have some sample code of how to use LDAP_OPT_X_TLS_ALLOW
>>>> in a client program with ldap_start_tls_s?
>>>> Is it a bug if it doesn't work?
>>> The LDAP_OPT_X_TLS option is incompatible with ldap_start_tls. You
>>> cannot use both together. In general, the LDAP_OPT_X_TLS option is
>>> deprecated and should not be used at all.
>
> --
>   -- Howard Chu
>   Chief Architect, Symas Corp.  http://www.symas.com
>   Director, Highland Sun        http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP     http://www.openldap.org/project/
>
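The two debug traces above make the point on their own: with an empty ~/.ldaprc OpenSSL rejects the server certificate (err 20, "unable to get local issuer certificate") and libldap fails closed with -11, while with tls_reqcert allow OpenSSL rejects the same certificate three times (err 20, 27, 21) and libldap still completes the handshake, i.e. the client no longer authenticates the server. The script below is an added example, not code from the thread or from OpenLDAP: it reads a libldap TLS trace of this kind, pulls out the verification errors (re-joining the wrapped subject/issuer line), decides whether the failure was fail-closed or fail-open, and names the remedy that keeps verification on. The sample traces are trimmed copies of the two posted above; the error-code names come from OpenSSL's x509_vfy.h, the TLS_REQCERT semantics from ldap.conf(5), and the function names (classify_start_tls, parse_verify_errors, recommended_fix) are mine.

```python
"""Classify libldap debug TLS traces from ldap_start_tls_s as fail-closed or fail-open.
Added example, not code from the thread; sample traces are trimmed from the post."""
import re

# Constructed samples: the relevant TLS lines from the two traces in the post.  The
# subject/issuer continuation line is kept exactly as the debug output wraps it.
TRACE_EMPTY_LDAPRC = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject:
/CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
"""

TRACE_REQCERT_ALLOW = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject:
/CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 0, err: 27, subject:
/CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, certificate not trusted
TLS certificate verification: depth: 0, err: 21, subject:
/CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to verify the first certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
"""

# OpenSSL X509 verify result codes as they appear in "err: N" (openssl/x509_vfy.h).
X509_VERIFY_ERRORS = {
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
    27: "X509_V_ERR_CERT_UNTRUSTED",
}

# TLS_REQCERT values per ldap.conf(5): does a bad server certificate abort the session?
# Only the values mapped to True make the client authenticate the server.
REQCERT_ABORTS_ON_BAD_CERT = {
    "never": False, "allow": False, "try": True, "demand": True, "hard": True,
}

# DOTALL lets \s* swallow the line break that libldap puts after "subject:".
_VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (\d+), err: (\d+), subject:\s*(.+?), issuer: (\S+)",
    re.DOTALL,
)


def parse_verify_errors(trace):
    """One dict per OpenSSL verification error reported in the trace."""
    return [
        {"depth": int(d), "err": int(e),
         "name": X509_VERIFY_ERRORS.get(int(e), "unknown"),
         "subject": s, "issuer": i}
        for d, e, s, i in _VERIFY_RE.findall(trace)
    ]


def classify_start_tls(trace):
    """Decide whether verification failures were fail-closed or fail-open."""
    errors = parse_verify_errors(trace)
    # libldap's own markers: a completed handshake reads the server's Finished message;
    # an aborted one logs "TLS: can't connect." and ldap_start_tls_s returns -11.
    completed = ("SSL_connect:SSLv3 read finished A" in trace
                 and "TLS: can't connect." not in trace)
    if not errors:
        verdict = "ok" if completed else "handshake-failed"
    elif completed:
        verdict = "fail-open"    # cert rejected, session continued: TLS_REQCERT allow/never
    else:
        verdict = "fail-closed"  # cert rejected, connection dropped: TLS_REQCERT demand/hard/try
    issuers = sorted({e["issuer"] for e in errors})
    return {"verdict": verdict, "errors": errors, "issuers": issuers}


def recommended_fix(report):
    """For err 20/21/27 the remedy is trusting the issuer CA, not lowering TLS_REQCERT."""
    if report["verdict"] == "ok":
        return "nothing to do"
    if any(e["err"] in (20, 21, 27) for e in report["errors"]):
        return ("point TLS_CACERT (or LDAP_OPT_X_TLS_CACERTFILE) at the CA certificate for "
                + ", ".join(report["issuers"]) + " and keep TLS_REQCERT demand")
    return "inspect the verification error codes"


if __name__ == "__main__":
    for label, trace in (("empty ~/.ldaprc", TRACE_EMPTY_LDAPRC),
                         ("tls_reqcert allow", TRACE_REQCERT_ALLOW)):
        rep = classify_start_tls(trace)
        print(label, "->", rep["verdict"], [e["name"] for e in rep["errors"]])
        print("  fix:", recommended_fix(rep))
```

Run against the two traces it reports fail-closed for the empty ~/.ldaprc case and fail-open for tls_reqcert allow, and for both points at the same remedy: give the client the Windows2003CA certificate via TLS_CACERT (or LDAP_OPT_X_TLS_CACERTFILE from code) so that err 20 goes away, rather than telling it to ignore the result. The "Successfully set up TLS protected connection" line in the second trace is printed by the client program, not by libldap, which is why the classifier keys on libldap's own "read finished A" and "TLS: can't connect." markers instead.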