eDirectory 9.0's ldapsearch no longer accepts the -e switch to specify certificate

NetIQ eDirectory 9.0


The ldapsearch utility that shipped with eDirectory in prior versions required the "-e" parameter to specify the certificate used to establish a secure LDAP connection with the server.
Example: /opt/novell/eDirectory/bin/ldapsearch -D CN=admin,o=novell -w novell -h -p 636 -e /var/opt/novell/eDirectory/data/SSCert.der cn=admin cn

In eDirectory 9.0 the following error is returned: Invalid general control name: /var/opt/novell/eDirectory/data/SSCert.der.


NetIQ eDirectory has moved from the old LDAP C SDK to the latest OpenLDAP-based SDK with a separate extended library. As such, the OpenLDAP version of ldapsearch no longer accepts the "-e" parameter to specify a certificate for a secure connection; in OpenLDAP, "-e" indicates client controls/extensions such as Proxy Authentication.

Options can be passed to OpenLDAP's ldapsearch through environment variables prefixed to the command. The LDAPTLS_CACERT variable specifies the location and name of the certificate. Using an LDAP URL (-H) removes the need for the "-h" and "-p" parameters.

Example: LDAPTLS_CACERT=/var/opt/novell/eDirectory/data/SSCert.pem ldapsearch -H ldaps:// -D cn=admin,o=novell -w novell -b o=emg cn=admin
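As an added example (not part of the NetIQ article), a small POSIX shell helper that checks whether the certificate file is in the PEM encoding OpenLDAP's LDAPTLS_CACERT expects (the old "-e" switch took the DER SSCert.der, the new example uses SSCert.pem) and builds the eDirectory 9.0 style command line from the legacy host, port and certificate values. The host name ldap.example.com, the temporary file paths and the certificate bytes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the NetIQ article. Nothing here contacts an LDAP server;
# the helper only inspects the certificate file and prints the command to run.

# cert_format FILE -> prints "pem", "der" or "unknown"
cert_format() {
    case "$(head -c 27 "$1" 2>/dev/null)" in
        '-----BEGIN CERTIFICATE-----') echo pem; return ;;
    esac
    # A DER certificate is a raw ASN.1 SEQUENCE, so its first byte is 0x30
    if [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = 30 ]; then
        echo der
    else
        echo unknown
    fi
}

# new_ldapsearch_cmd HOST PORT CERT BINDDN BASE FILTER [ATTRS...]
# Echoes the OpenLDAP-style invocation: LDAPTLS_CACERT replaces "-e" and an
# ldaps:// URL replaces "-h"/"-p". Refuses a DER file, since OpenLDAP reads PEM.
new_ldapsearch_cmd() {
    host=$1; port=$2; cert=$3; binddn=$4; base=$5; filter=$6
    shift 6
    if [ "$(cert_format "$cert")" != pem ]; then
        echo "error: $cert is not PEM; convert it first:" >&2
        echo "  openssl x509 -inform DER -in $cert -out ${cert%.*}.pem" >&2
        return 1
    fi
    set -- "$filter" "$@"
    # -W prompts for the bind password instead of exposing it in the process list (-w)
    echo "LDAPTLS_CACERT=$cert ldapsearch -H ldaps://$host:$port -D $binddn -W -b $base $*"
}

# --- demo with constructed files (no real certificate needed) ---
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedBody' '-----END CERTIFICATE-----' > "$tmp/SSCert.pem"
printf '\060\202\001\000' > "$tmp/SSCert.der"   # 0x30 0x82 ...: start of an ASN.1 SEQUENCE
cert_format "$tmp/SSCert.pem"                   # pem
cert_format "$tmp/SSCert.der"                   # der
new_ldapsearch_cmd ldap.example.com 636 "$tmp/SSCert.pem" cn=admin,o=novell o=emg cn=admin cn
new_ldapsearch_cmd ldap.example.com 636 "$tmp/SSCert.der" cn=admin,o=novell o=emg cn=admin cn || true
rm -rf "$tmp"
```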