--On Sunday, March 25, 2018 5:29 PM +0530 GOKUL G <g.gokul1991(a)gmail.com>
We are able to integrate OpenLDAP with our application and achieve the LDAP
or LDAP/TLS requirement separately.
Since the support for TLS in OpenLDAP is macro controlled (HAVE_TLS), at
compile time itself it's decided whether LDAP or LDAPS. And we are not
able to take this decision at run-time.
If we compile the OpenLDAP software with HAVE_TLS and use it for a normal
ldapsearch, this ldap command is seen in the trace as an LDAP message over SSL
without any encryption, but not as a normal LDAP message.
You appear to be misunderstanding something if you believe you require two
different library builds. Clearly all of the existing C based clients can
do plaintext (ldap) with a library where TLS support is enabled (note: NOT
I would also note there is much more to TLS encryption with LDAP than
There are two methods of doing TLS encryption. One uses the RFC STARTTLS
method, the other uses a TLS dedicated port (defaults to 443) using the
non-RFC ldaps URI.
So, an LDAP client can connect in the following methods:
a) plain text (ldap:/// or ldapi:///)
b) issuing a startTLS operation (ldap:/// or ldapi:///)
c) dedicated TLS port (ldaps:///)
I would note that it is entirely possible, with a well written application,
to support all of the above with the OpenLDAP C API compiled with HAVE_TLS.
If you are unable to do this, you're misusing the API and/or do not
understand the API. Generally, your client simply needs to know:
Should the connection be encrypted?
    Use ldap:/// without the startTLS control
Do they want to use ldaps or startTLS?
    startTLS -> Use ldap with the startTLS control
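As an added illustration of the point made in the reply (this is example code written for this page, not code from the thread or from the OpenLDAP project), the C client below is a single build that chooses between (a) plain ldap/ldapi, (b) STARTTLS and (c) ldaps at run time, using only the standard libldap calls. The libldap section is compiled only when WITH_LIBLDAP is defined, so the URI/STARTTLS planning logic can be built and checked without libldap installed; the host names, the WITH_LIBLDAP macro and the fallback ports (389 for ldap, 636 for ldaps, the IANA-registered defaults) are this example's assumptions. A failed STARTTLS is treated as fatal, the same way ldapsearch -ZZ behaves, so a client that asked for encryption never silently carries on in plaintext.

```c
/* Added example, not from this thread or the OpenLDAP project: one client
 * binary, linked against a libldap built with HAVE_TLS, choosing plain LDAP,
 * STARTTLS or ldaps at run time. libldap calls are compiled only with
 * WITH_LIBLDAP defined, so the planning logic builds without libldap:
 *   cc client.c                                 (plan only)
 *   cc -DWITH_LIBLDAP client.c -lldap -llber    (real connections)
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WITH_LIBLDAP
#include <ldap.h>
#endif

/* The one decision the client needs, per the reply above. */
enum ldap_transport {
    TRANSPORT_PLAIN,     /* (a) ldap:// or ldapi://, no encryption           */
    TRANSPORT_STARTTLS,  /* (b) ldap:// or ldapi://, then a STARTTLS request */
    TRANSPORT_LDAPS      /* (c) ldaps://, TLS from the first byte            */
};

struct conn_plan {
    char uri[256];
    bool do_starttls;   /* call ldap_start_tls_s() after ldap_initialize() */
    bool ok;            /* false for an impossible combination             */
};

/* Derive the URI and the STARTTLS decision from the transport choice.
 * host == NULL means the local ldapi:/// Unix socket. port 0 selects the
 * IANA default (389 ldap, 636 ldaps); both are assumptions of this example. */
struct conn_plan plan_connection(enum ldap_transport mode, const char *host, int port)
{
    struct conn_plan p;
    memset(&p, 0, sizeof p);

    if (host == NULL) {
        if (mode == TRANSPORT_LDAPS)
            return p;           /* ldaps needs TCP; not valid over ldapi */
        snprintf(p.uri, sizeof p.uri, "ldapi:///");
        p.do_starttls = (mode == TRANSPORT_STARTTLS);
    } else if (mode == TRANSPORT_LDAPS) {
        snprintf(p.uri, sizeof p.uri, "ldaps://%s:%d", host, port ? port : 636);
        p.do_starttls = false;  /* already TLS; STARTTLS on ldaps is an error */
    } else {
        snprintf(p.uri, sizeof p.uri, "ldap://%s:%d", host, port ? port : 389);
        p.do_starttls = (mode == TRANSPORT_STARTTLS);
    }
    p.ok = true;
    return p;
}

#ifdef WITH_LIBLDAP
/* Open the planned connection. Returns a handle ready for ldap_sasl_bind_s(),
 * or NULL. A failed STARTTLS is fatal (like ldapsearch -ZZ), so a client that
 * asked for encryption never silently continues in plaintext. */
LDAP *open_connection(const struct conn_plan *p)
{
    LDAP *ld = NULL;
    int version = LDAP_VERSION3;
    int require_cert = LDAP_OPT_X_TLS_DEMAND;
    int rc;

    if (!p->ok)
        return NULL;

    /* Global TLS policy: verify the server certificate for STARTTLS and ldaps. */
    ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &require_cert);

    rc = ldap_initialize(&ld, p->uri);
    if (rc != LDAP_SUCCESS) {
        fprintf(stderr, "ldap_initialize(%s): %s\n", p->uri, ldap_err2string(rc));
        return NULL;
    }
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);

    if (p->do_starttls && (rc = ldap_start_tls_s(ld, NULL, NULL)) != LDAP_SUCCESS) {
        fprintf(stderr, "STARTTLS on %s: %s\n", p->uri, ldap_err2string(rc));
        ldap_unbind_ext_s(ld, NULL, NULL);
        return NULL;
    }
    return ld;  /* caller binds, searches, then calls ldap_unbind_ext_s() */
}
#endif

/* usage: client plain|starttls|ldaps [host [port]] */
int main(int argc, char **argv)
{
    enum ldap_transport mode = TRANSPORT_PLAIN;
    const char *host = argc > 2 ? argv[2] : NULL;
    int port = argc > 3 ? atoi(argv[3]) : 0;
    struct conn_plan p;

    if (argc > 1 && strcmp(argv[1], "starttls") == 0)
        mode = TRANSPORT_STARTTLS;
    else if (argc > 1 && strcmp(argv[1], "ldaps") == 0)
        mode = TRANSPORT_LDAPS;

    p = plan_connection(mode, host, port);
    if (!p.ok) {
        fprintf(stderr, "invalid transport/host combination\n");
        return 1;
    }
    printf("uri=%s starttls=%s\n", p.uri, p.do_starttls ? "yes" : "no");
#ifdef WITH_LIBLDAP
    LDAP *ld = open_connection(&p);
    if (ld == NULL)
        return 1;
    ldap_unbind_ext_s(ld, NULL, NULL);
#endif
    return 0;
}
```

The design point is that the transport choice lives in a small data structure decided at run time, while the same libldap code path (ldap_initialize, then optionally ldap_start_tls_s) serves all three modes; nothing here requires a second library build. Setting LDAP_OPT_X_TLS_REQUIRE_CERT to demand before ldap_initialize means both the STARTTLS and the ldaps paths verify the server certificate, which is the part a client commonly gets wrong when it only toggles the URI scheme.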