LDAP requires a Distinguished Name (DN) to bind a connection. Libgda also accepts a user name which is not a DN; in this case it will first connect anonymously to the server, search for the DN corresponding to the user name, and then bind again using the found DN. The search is done on the "uid" attribute matching the username, and the object class being "inetOrgPerson" (the LDAP filter is "(&(uid=?)(objectclass=inetOrgPerson))" where the question mark is replaced by the username).
The TLS_REQCERT and TLS_CACERT options are taken into account by the LDAP provider, and passed to the OpenLDAP library which is actually used. These options are global and set by the first opened LDAP connection (i.e. all other LDAP connections share the same settings, regardless of their TLS_REQCERT and TLS_CACERT options).
The TLS_REQCERT and TLS_CACERT options have a higher priority compared to the
options set in the $HOME/.ldaprc
.
If the server certificate can't he checked (i.e. the certification chain established and verified) when it is required that it be, then the connection will not he established and the returned error will be "Can't contact LDAP server".