Arkady Shoyhet writes:
openldap-2.3.41/clients/tools/*.c spring to mind...
It's basically this code in common.c (which is linked together with each of the ldap*.c files):
    rc = ldap_initialize( &ld, ldapuri );
    if( rc != LDAP_SUCCESS ) {
        fprintf( stderr, "Could not create LDAP session handle for URI=%s (%d): %s\n",
                 ldapuri, rc, ldap_err2string(rc) );
        exit( EXIT_FAILURE );
    }

and

    protocol = LDAP_VERSION3;
    ...
    if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &protocol ) != LDAP_OPT_SUCCESS ) {
        fprintf( stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n", protocol );
        exit( EXIT_FAILURE );
    }

    if ( use_tls ) {
        rc = ldap_start_tls_s( ld, NULL, NULL );
        if ( rc != LDAP_SUCCESS ) {
            tool_perror( "ldap_start_tls", rc, NULL, NULL, NULL, NULL );
            if ( use_tls > 1 ) {
                exit( EXIT_FAILURE );
            }
        }
    }
Set use_tls > 1, since it's a bad idea to continue after StartTLS fails. ldapuri is something like "ldap://hostname/" where the hostname is the server's fully qualified hostname (same name as occurs in CN or Subject Alt Name in the server certificate).
You need to tell the client the server's CA certificate, see TLS_CACERT in man ldap.conf. Also man ldap_start_tls_s.
Or if you use an "ldaps:" instead of "ldap:" URL, and the server listens to "ldaps:" (probably in addition to "ldap:"), then the connection starts out in TLS (alias SSL) mode and you should not call ldap_start_tls_s().
openldap-software@openldap.org