Steve Finkelstein writes:
[root@bar cacerts]# ldapsearch -x -h "ldap.domain.com" -p 636 -v
You are trying to use the LDAP protocol against the LDAPS port, which expects the TLS protocol. That does not work.
The clients do not deduce the protocol from the port number. They deduce the _default_ port number (which you can override) from the protocol.
There are two ways to use TLS:
1. ldapsearch -x -ZZ -h "ldap.domain.com" ...
This uses the LDAP protocol (on port 389), and -ZZ tells the client to issue the StartTLS LDAP extended operation (and to fail if it is refused). This switches the connection to the TLS protocol and then resumes LDAP "inside" that protocol.
2. ldapsearch -x -H "ldaps://ldap.domain.com/" ...
This uses the LDAPS protocol (on port 636). This port listens for TLS as if StartTLS had already been done.
BTW, don't combine -ZZ and ldaps://. You can't start TLS when TLS is already started.
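To make the "the server does not deduce the protocol from the port" point concrete, here is an added example (not from the original mail) that looks at the first bytes a client sends: a plain LDAPMessage is a BER SEQUENCE starting with 0x30, while a TLS connection starts with a 0x16 handshake record. The sample byte strings are constructed by hand for this example.

```python
"""Classify the opening bytes of a connection as plain LDAP (BER) or TLS.

Added example, not from the original mail. Sample bytes are constructed:
an anonymous LDAP BindRequest and the start of a TLS ClientHello record.
"""

# Constructed anonymous LDAP BindRequest: SEQUENCE { messageID 1,
# [APPLICATION 0] { version 3, name "", simple "" } }, as sent on port 389.
LDAP_BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")

# Constructed prefix of a TLS record: content type 0x16 (handshake),
# record-layer version 3.1, length 0x0100, handshake type 0x01 (ClientHello).
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("160301010001")


def classify_first_bytes(data: bytes) -> str:
    """Return 'ldap', 'tls' or 'unknown' for the first bytes of a stream."""
    if len(data) < 3:
        return "unknown"
    # A plain LDAPMessage is a BER SEQUENCE (tag 0x30) whose first element
    # is the messageID INTEGER (tag 0x02).
    if data[0] == 0x30:
        length = data[1]
        body = data[2:] if length < 0x80 else data[2 + (length & 0x7F):]
        return "ldap" if body[:1] == b"\x02" else "unknown"
    # A TLS record starts with content type 0x16 (handshake) and a record
    # version whose major byte is 0x03 (shared by SSL 3.0 and all TLS 1.x).
    if data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    return "unknown"


def port_expects(port: int) -> str:
    """What a server on the conventional ports expects as the first bytes:
    389 (ldap://, optionally followed by StartTLS) and 636 (ldaps://)."""
    return {389: "ldap", 636: "tls"}.get(port, "unknown")


def connection_outcome(port: int, first_bytes: bytes) -> str:
    """'ok' when the client's first bytes match what the port expects,
    'mismatch' when e.g. plain LDAP is sent to 636 (the TLS handshake fails,
    the client sees no LDAP reply), 'unknown' otherwise."""
    sent, expected = classify_first_bytes(first_bytes), port_expects(port)
    if sent == "unknown" or expected == "unknown":
        return "unknown"
    return "ok" if sent == expected else "mismatch"


if __name__ == "__main__":
    # The failing command from the mail: plain LDAP (-h/-p, no -ZZ) to 636.
    print(connection_outcome(636, LDAP_BIND_REQUEST))   # mismatch
    print(connection_outcome(389, LDAP_BIND_REQUEST))   # ok
    print(connection_outcome(636, TLS_CLIENT_HELLO_PREFIX))  # ok
```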