+++ This bug was initially created as a clone of Bug #693470 +++

Description of problem:
When using openldap-clients (e.g. ldapsearch) with the -Z option and start_tls fails (for instance, because of an invalid TLS_CACERT), the communication does not proceed and the clients fail with a non-zero exit status. According to the documentation, the -Z option means that TLS will be preferred for the communication, but not required. In other words, if for some reason TLS cannot be negotiated, then the client will try to continue with unsecured communication.

Version-Release number of selected component (if applicable):
openldap-2.3.43-12.el5_6.7

How reproducible:
Always.

Steps to Reproduce:
1. Set up the server to use TLS.
2. LDAPTLS_CACERT=/ca/cert/does/not/exist ldapsearch -Z

Actual results:
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_result: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Expected results:
Success.

Additional info:
* see the RHTS test for more details (configuration, etc.)
See bugs #693470 and #644119. It was discussed with upstream. If something is configured wrong, it's quite clear that it will not work and the behavior is undefined. Upstream does not want to put any particular effort into this. It might be resolved later in RHEL-6, but not in RHEL-5. That is the reason why I'm closing this bug as DEFERRED.