Environment
NetIQ eDirectory 9.0
Situation
The ldapsearch utility that shipped with eDirectory in prior versions required the "-e" parameter to specify the certificate used to establish a secure LDAP connection with the server.
Example: /opt/novell/eDirectory/bin/ldapsearch -D CN=admin,o=novell -w novell -h 192.168.1.10 -p 636 -e /var/opt/novell/eDirectory/data/SSCert.der cn=admin cn
In eDirectory 9.0 the following error is returned: Invalid general control name: /var/opt/novell/eDirectory/data/SSCert.der.
Resolution
NetIQ eDirectory has moved from the old LDAP C SDK to the latest OpenLDAP-based SDK with a separate extended library. As a result, the OpenLDAP version of ldapsearch no longer accepts the "-e" parameter as a way to specify the certificate used for a secure connection; in OpenLDAP, "-e" indicates general controls/extensions such as Proxy Authorization, which is why the certificate path is rejected as an "Invalid general control name".
OpenLDAP's ldapsearch reads TLS options from environment variables, which can be prefixed to the command. Setting LDAPTLS_CACERT= to the path of the CA certificate file specifies the certificate used to verify the server. Using an LDAP URL with "-H" removes the need for the "-h" and "-p" parameters.
Example: LDAPTLS_CACERT=/var/opt/novell/eDirectory/data/SSCert.pem ldapsearch -H ldaps://192.168.1.10:636 -D cn=admin,o=novell -w novell -b o=emg cn=admin
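As an added example (not part of the NetIQ article), the POSIX shell wrapper below assembles the ldapsearch invocation in the form the resolution describes: the CA certificate goes in through LDAPTLS_CACERT and the server through an ldaps:// URL. It assumes stock OpenLDAP client behaviour, namely that a simple bind needs "-x" and that LDAPTLS_CACERT must point at a PEM file, so it refuses a DER file such as the SSCert.der the old "-e" syntax accepted and offers a der_to_pem helper built on openssl x509. It also uses "-W" (prompt) instead of "-w" so the bind password does not appear on the command line or in shell history. The host, port, DNs and certificate paths are the article's sample values; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the NetIQ article: builds the eDirectory 9.0
# (OpenLDAP-based) ldapsearch command with LDAPTLS_CACERT and an ldaps:// URL.
# Host, port, DNs and paths below are the article's sample values.

# Convert a DER-encoded CA certificate (e.g. SSCert.der, used by the old "-e"
# syntax) to PEM, the format OpenLDAP expects in LDAPTLS_CACERT.
# $1 = input DER file, $2 = output PEM file
der_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# Print the ldapsearch command line for a TLS connection verified against the
# given CA certificate. Returns 1 (and prints nothing) if the certificate is
# unreadable or is not PEM, since OpenLDAP would then fail the TLS handshake.
# $1 = PEM CA certificate, $2 = host, $3 = port, $4 = bind DN,
# $5 = search base, $6 = LDAP filter, remaining args = attributes to return
edir_ldapsearch_cmd() {
    cacert=$1; host=$2; port=$3; binddn=$4; base=$5; filter=$6
    shift 6
    if [ ! -r "$cacert" ]; then
        echo "CA certificate not readable: $cacert" >&2
        return 1
    fi
    # Heuristic PEM check: a PEM file starts with a -----BEGIN line.
    if ! head -n 1 "$cacert" | grep -q -- '-----BEGIN'; then
        echo "CA certificate is not PEM; convert it with der_to_pem: $cacert" >&2
        return 1
    fi
    # -x selects simple bind (assumption: stock OpenLDAP client semantics);
    # -W prompts for the password instead of taking it from the command line.
    printf "LDAPTLS_CACERT=%s ldapsearch -H ldaps://%s:%s -x -D '%s' -W -b '%s' '%s'" \
        "$cacert" "$host" "$port" "$binddn" "$base" "$filter"
    for attr in "$@"; do
        printf ' %s' "$attr"
    done
    printf '\n'
}

# Usage, with the article's sample values (run the printed command, or wrap
# it in eval to execute it directly):
#   edir_ldapsearch_cmd /var/opt/novell/eDirectory/data/SSCert.pem \
#       192.168.1.10 636 cn=admin,o=novell o=emg '(cn=admin)' cn
```

If the server's self-signed certificate is only available as SSCert.der, run der_to_pem on it first; pointing LDAPTLS_CACERT at the DER file reproduces the same class of failure the article's "-e" example shows, just at the TLS layer instead of at argument parsing.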