On Tue, 19 Jun 2007, Markus Moeller wrote:
> thank you very much for the detailed answer. If I remember right the return
> code from ldap_start_tls was -11 which translates to "can't connect to
> server" and wasn't very specific if it was a missing cert or if I connected
> to an SSL only port (e.g. 636) but I will confirm.
You can usually get more info about an error using
	char *errmsg = NULL;
	ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &errmsg);
If errmsg is not NULL after that, then it's additional text about the
error. That wouldn't have helped with your ldap_start_tls_s() cert
checking issues however, as the cert checking routine doesn't set that for
errors involving CA checking. It *might* have given more info when you
tried to use start_tls when the server was expecting ldaps.
Philip Guenther