I've found that the ldapsearch tool can bind only anonymously over SSL. For example, if I include the binddn and password as command-line params to ldapsearch, the connection fails with this error:

    check_for_refs: new result: msgid 1, res_errno 49, res_error <80090308: LdapErr: DSID-0C090290, comment: AcceptSecurityContext error, data 525, v893>, res_matched <>

The operation succeeds without the password (or also the binddn); this is true whether or not I have a client cert. The same non-SSL operation fails if no password, or the incorrect password, is given. When I make a connection over SSL with a client app, on NT, the bind fails the same as with ldapsearch; but on Solaris, the password makes no difference; that is, the bind succeeds whether it is missing, correct, or incorrect. Is this normal operation or a bug? Also, ldapssl_clientauth_init() fails if "cert7.db" is part of the cert path (this has been noted on the list previously).
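The behaviour asked about above (a bind that "succeeds" when the password is left out) is what RFC 4513 calls an unauthenticated bind: a DN with an empty password, which a server that does not reject it treats as an anonymous session. The following is an added example, not code from the post or from any LDAP library; it builds the LDAPv3 simple BindRequest bytes, models the server-side decision for the three bind forms, and extracts the `data 525` sub-code from the Active Directory diagnostic quoted above. All function names and the `directory` map are hypothetical/constructed.

```python
import re

def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def bind_request(msgid: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] } with simple auth (RFC 4511 4.2)."""
    inner = (tlv(0x02, bytes([3]))            # version INTEGER 3
             + tlv(0x04, dn.encode())         # name LDAPDN
             + tlv(0x80, password.encode()))  # authentication [0] simple OCTET STRING
    return tlv(0x30, tlv(0x02, bytes([msgid])) + tlv(0x60, inner))

def classify_bind(dn: str, password: str) -> str:
    """RFC 4513 section 5.1 names for the three simple-bind forms."""
    if not dn and not password:
        return "anonymous"
    if dn and not password:
        return "unauthenticated"  # binddn given, password omitted: the case in the post
    return "name/password"

SUCCESS, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 0, 49, 53

def decide_bind(dn, password, directory, reject_unauthenticated=True):
    """Model of the server outcome: (resultCode, bound identity); '' means anonymous.
    'directory' is a constructed DN -> password map standing in for the real backend."""
    kind = classify_bind(dn, password)
    if kind == "anonymous":
        return SUCCESS, ""
    if kind == "unauthenticated":
        if reject_unauthenticated:          # RFC 4513 says servers SHOULD reject these
            return UNWILLING_TO_PERFORM, None
        return SUCCESS, ""                  # lenient server: silently an anonymous session
    if directory.get(dn) == password:
        return SUCCESS, dn
    return INVALID_CREDENTIALS, None

# Win32 error codes (hex) that AD appends as "data NNN" to AcceptSecurityContext errors.
AD_DATA_CODES = {0x525: "ERROR_NO_SUCH_USER", 0x52E: "ERROR_LOGON_FAILURE",
                 0x530: "ERROR_INVALID_LOGON_HOURS", 0x532: "ERROR_PASSWORD_EXPIRED",
                 0x533: "ERROR_ACCOUNT_DISABLED", 0x775: "ERROR_ACCOUNT_LOCKED_OUT"}

def parse_ad_data(diagnostic: str):
    """Return (code, name) from an AD diagnostic such as the res_error string in the post."""
    m = re.search(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)", diagnostic)
    if not m:
        return None
    code = int(m.group(1), 16)
    return code, AD_DATA_CODES.get(code, "UNKNOWN")
```

The `data 525` in the quoted error therefore says the DN was not found as a user, which is a different failure from the password-less bind that the server accepted as anonymous.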
