Greetings.
Should I be able to discover the (default) locations of SSL certificates, via the libldap library?
This can be useful when debugging why cert checks are failing -- where is the library checking? (am I using the library I think I am...?!) Of course dtruss and co can help here.
ldap_get_option with LDAP_OPT_X_TLS_CACERTDIR (and friends) looks like it should say this, but when I explore that, it appears to show only settings added with ldap_set_option, thus only settings overriding a default. And this appears to be confirmed in libraries/libldap/tls_o.c:tlso_ctx_init. That function hands over to SSL functions, and while in principle I could retrieve a TLS session context with LDAP_OPT_X_TLS_{,SSL_}CTX, there are clear warnings that I shouldn't be tinkering with this. The fact that I'm this deep in the code suggests that either (a) this is not supported, or (b) I'm looking in the wrong place.
I could in principle use functions from the OpenSSL library, like X509_get_default_cert_dir_env(), but that requires me to know which SSL library the libldap library was linked against (and that it was indeed OpenSSL), which has its own complications. Also, if I'm confident I know that, I have other ways to confirm the cert directory.
Best wishes,
Norman
openldap-technical@openldap.org
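One way to answer "where is the library checking?" without reading tls_o.c is to walk the same configuration sources libldap's client code consults before it ever asks the TLS library. The script below is an added example, not code from the post or from OpenLDAP: it encodes the precedence documented in ldap.conf(5) (environment variable LDAP<OPTION>, then the user's rc files, then the system-wide ldap.conf) and, when nothing sets TLS_CACERT or TLS_CACERTDIR, reports that the OpenSSL build's default verify paths apply (SSL_CERT_DIR / SSL_CERT_FILE, else the compile-time OPENSSLDIR). The file paths and file contents it creates are constructed for the demonstration; `resolve_tls_option` and `ldapconf_get` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the post or OpenLDAP). Resolves which source, if any,
# supplies a libldap TLS option such as TLS_CACERTDIR, using the precedence
# described in ldap.conf(5), and names the fallback when nothing sets it.

# Print the value of OPTION (e.g. TLS_CACERTDIR) from an ldap.conf-style file.
# Option names are matched case-insensitively; the last occurrence wins;
# nothing is printed if the file is unreadable or lacks the option.
ldapconf_get() {
    file=$1; opt=$2
    [ -r "$file" ] || return 0
    awk -v want="$opt" 'toupper($1) == want { val = $2 } END { if (val != "") print val }' "$file"
}

# resolve_tls_option OPTION SYSTEM_CONF [USER_RC ...]
# Prints "<source>: <value>" for the winning setting, in this order:
#   1. environment variable LDAP<OPTION> (e.g. LDAPTLS_CACERTDIR), which overrides all files;
#   2. user rc files given after SYSTEM_CONF, later files overriding earlier ones;
#   3. the system-wide ldap.conf;
#   4. otherwise "unset", meaning libldap leaves the CA location to the TLS library.
resolve_tls_option() {
    opt=$1; sysconf=$2; shift 2
    eval "envval=\${LDAP$opt:-}"
    if [ -n "$envval" ]; then
        printf 'env LDAP%s: %s\n' "$opt" "$envval"; return 0
    fi
    src=""; val=""
    for f in "$@"; do
        v=$(ldapconf_get "$f" "$opt")
        if [ -n "$v" ]; then src=$f; val=$v; fi
    done
    if [ -n "$val" ]; then printf '%s: %s\n' "$src" "$val"; return 0; fi
    v=$(ldapconf_get "$sysconf" "$opt")
    if [ -n "$v" ]; then printf '%s: %s\n' "$sysconf" "$v"; return 0; fi
    printf 'unset (OpenSSL default verify paths)\n'
}

# What "OpenSSL default verify paths" means on this host. Assumption: libldap
# was built against OpenSSL and calls SSL_CTX_set_default_verify_paths when
# neither CA option is set; that honours SSL_CERT_DIR / SSL_CERT_FILE first,
# then the compile-time OPENSSLDIR (certs/ and cert.pem beneath it).
# Caveat: the openssl binary on PATH may not be the library libldap links to.
openssl_default_verify_paths() {
    if [ -n "${SSL_CERT_DIR:-}" ] || [ -n "${SSL_CERT_FILE:-}" ]; then
        printf 'SSL_CERT_DIR=%s SSL_CERT_FILE=%s\n' "${SSL_CERT_DIR:-<unset>}" "${SSL_CERT_FILE:-<unset>}"
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s (certs/ and cert.pem beneath it)\n' "$(openssl version -d)"
    else
        printf 'compile-time OPENSSLDIR (openssl binary not found on PATH)\n'
    fi
}

# Demonstration on constructed files in a temporary directory.
demo_resolution() {
    d=$(mktemp -d)
    printf 'TLS_CACERTDIR /etc/openldap/certs\n' > "$d/ldap.conf"   # constructed system conf
    printf 'BASE dc=example,dc=com\ntls_cacertdir /home/user/certs\n' > "$d/.ldaprc"  # constructed user rc
    echo "TLS_CACERTDIR -> $(resolve_tls_option TLS_CACERTDIR "$d/ldap.conf" "$d/.ldaprc")"
    echo "TLS_CACERT    -> $(resolve_tls_option TLS_CACERT "$d/ldap.conf" "$d/.ldaprc")"
    echo "OpenSSL fallback: $(openssl_default_verify_paths)"
    rm -rf "$d"
}

demo_resolution
```

Run it as-is to see the constructed case, or call `resolve_tls_option TLS_CACERTDIR /etc/openldap/ldap.conf "$HOME/.ldaprc" ./ldaprc` (adjusting the system path for your platform) against the real files; when it reports "unset", the directory OpenSSL actually opens is the one `openssl_default_verify_paths` describes, which is the point where a trace tool like dtruss confirms the answer.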