7.5. Command-Line Functions for Start TLS

LDAP client tools such as ldapmodify, ldapsearch, and ldapdelete can use TLS/SSL when communicating with an SSL-enabled server, or can use certificate-based authentication. Command-line options also request or enforce Start TLS, which allows a secure connection to be enabled on a clear-text port after the session has been initiated.

For Start TLS to work, the environment variables for the SSL/TLS databases must be configured. This is described in Section A.2, “Using SSL/TLS and Start TLS with LDAP Client Tools”.
In the following example, a network administrator enforces Start TLS for a search for Mike Connor's identification number:
ldapsearch -ZZ -D "cn=directory manager" -w secret -p 389 -h server.example.com -x -b "uid=mconnors,ou=people,dc=example,dc=com" "(attribute=govIdNumber)"
-ZZ enforces Start TLS.

The -ZZ option enforces the use of Start TLS: the server must respond that the Start TLS extended operation was successful. If the -ZZ option is used and the server does not support Start TLS, the operation is aborted immediately.
With the -Z option, the following errors could occur:
With the -ZZ option, the following errors could occur, causing the Start TLS operation to fail:
For SDK libraries used in client programs, if a session is already in TLS mode and Start TLS is requested, then the connection continues to be in secure mode but prints the error "DSA is unwilling to perform".
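As an added illustration that is not part of the Directory Server guide, the following Python builds the LDAPv3 Start TLS extended request that ldapsearch sends for -Z and -ZZ and applies the client-side decision described above to the server's extended response, including the unwillingToPerform (53) result behind the "DSA is unwilling to perform" message. It assumes message IDs and encoded lengths below 128 (single-byte BER encodings) and, as OpenLDAP's tools do, that plain -Z continues without TLS when the request fails.

```python
# Added example (not from the Directory Server guide): the LDAPv3 Start TLS
# ExtendedRequest that ldapsearch -Z/-ZZ sends, and the client-side decision
# taken on the server's ExtendedResponse. Assumes message IDs, result codes and
# element lengths below 128, so single-byte BER encodings suffice.
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"   # Start TLS OID, RFC 4511 section 4.14
RESULT_NAMES = {0: "success", 2: "protocolError", 53: "unwillingToPerform"}

def tlv(tag, content):
    """BER tag-length-value with short-form length (content shorter than 128 bytes)."""
    return bytes([tag, len(content)]) + content

def start_tls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext = tlv(0x77, tlv(0x80, START_TLS_OID))   # 0x77 = APPLICATION 23, constructed
    return tlv(0x30, tlv(0x02, bytes([message_id])) + ext)

def start_tls_response(result_code, diag=b"", message_id=1):
    """Constructed ExtendedResponse [APPLICATION 24] (sample, not a captured message)."""
    op = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diag)
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x78, op))

def parse_ber(data, pos=0):
    """Return (tag, content, next_pos) for the short-form TLV starting at pos."""
    tag, ln = data[pos], data[pos + 1]
    return tag, data[pos + 2:pos + 2 + ln], pos + 2 + ln

def parse_start_tls_response(msg):
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse message."""
    _, body, _ = parse_ber(msg)
    _, _, p = parse_ber(body)           # skip messageID
    tag, op, _ = parse_ber(body, p)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, p = parse_ber(op)          # resultCode ENUMERATED
    _, _, p = parse_ber(op, p)          # matchedDN (empty for Start TLS)
    _, diag, _ = parse_ber(op, p)       # diagnosticMessage
    return code[0], diag.decode()

def start_tls_outcome(response, strict):
    """strict=True models -ZZ (abort unless success); False models -Z (assumed: continue)."""
    code, diag = parse_start_tls_response(response)
    if code == 0:
        return "continue in TLS"
    name = RESULT_NAMES.get(code, str(code))
    if strict:
        return "abort: %s (%s)" % (name, diag)
    return "continue in clear text: %s" % name
```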