Round 2 of tools work.

-R now ignored
-C added to chase.  No rebind proc yet, no checking of appropriate authentication.
complain if non-critical TLS was not started.
Fail if requested version is not supported.
ldapdelete:
  deletechildren modified to use ldap_search_ext_s()
  fixed deletechildren dn memory leak
ldapsearch:
  modified to use ldap_search_ext()

clients/tools/ldapdelete.c

@@ -35,11 +35,12 @@ static int	not, verbose, contoper;
 static LDAP	*ld;
 
 static int dodelete LDAP_P((
-    LDAP	*ld,
-    char	*dn));
+    LDAP *ld,
+    const char *dn));
 
-static int deletechildren LDAP_P(( LDAP *ld,
-                                   char *dn ));
+static int deletechildren LDAP_P((
+	LDAP *ld,
+	const char *dn ));
 
 static void
 usage( const char *s )
@@ -51,6 +52,7 @@ usage( const char *s )
 "	    or from the file specified with \"-f file\".\n"
 "options:\n"
 "	-c\t\tcontinuous operation mode (do not stop on errors)\n"
+"	-C\t\tchase referrals\n"
 "	-d level\tset LDAP debugging level to `level'\n"
 "	-D binddn\tbind DN\n"
 "	-E\t\trequest SASL privacy (-EE to make it critical)\n"
@@ -83,14 +85,14 @@ main( int argc, char **argv )
 {
 	char		buf[ 4096 ];
 	FILE		*fp;
-	int		i, rc, authmethod, want_bindpw, version, debug, manageDSAit;
+	int		i, rc, authmethod, referrals, want_bindpw, version, debug, manageDSAit;
 
-    not = verbose = contoper = want_bindpw = debug = manageDSAit = 0;
+    not = verbose = contoper = want_bindpw = debug = manageDSAit = referrals = 0;
     fp = NULL;
     authmethod = LDAP_AUTH_SIMPLE;
 	version = -1;
 
-    while (( i = getopt( argc, argv, "cD:d:Ef:h:IKkMnP:p:rU:vWw:X:Y:Z" )) != EOF ) {
+    while (( i = getopt( argc, argv, "cCD:d:Ef:h:IKMnP:p:rU:vWw:X:Y:Z" )) != EOF ) {
 	switch( i ) {
 	case 'k':	/* kerberos bind */
 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
@@ -111,6 +113,9 @@ main( int argc, char **argv )
 	case 'c':	/* continuous operation mode */
 	    ++contoper;
 	    break;
+	case 'C':
+		referrals++;
+		break;
 	case 'h':	/* ldap host */
 	    ldaphost = strdup( optarg );
 	    break;
@@ -290,18 +295,24 @@ main( int argc, char **argv )
 #endif
 
     if (( ld = ldap_init( ldaphost, ldapport )) == NULL ) {
-	perror( "ldap_init" );
-	return( EXIT_FAILURE );
+		perror( "ldap_init" );
+		return( EXIT_FAILURE );
     }
 
 	{
-		/* this seems prudent */
+		/* this seems prudent for searches below */
 		int deref = LDAP_DEREF_NEVER;
 		ldap_set_option( ld, LDAP_OPT_DEREF, &deref );
 	}
 
-	/* don't chase referrals */
-	ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF );
+	/* chase referrals */
+	if( ldap_set_option( ld, LDAP_OPT_REFERRALS,
+		referrals ? LDAP_OPT_ON : LDAP_OPT_OFF ) != LDAP_OPT_SUCCESS )
+	{
+		fprintf( stderr, "Could not set LDAP_OPT_REFERRALS %s\n",
+			referrals ? "on" : "off" );
+		return EXIT_FAILURE;
+	}
 
 	if (version == -1 ) {
 		version = 3;
@@ -312,13 +323,15 @@ main( int argc, char **argv )
 	{
 		fprintf( stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n",
 			version );
+		return EXIT_FAILURE;
 	}
 
 	if ( use_tls && ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS ) {
 		if ( use_tls > 1 ) {
 			ldap_perror( ld, "ldap_start_tls" );
-			return( EXIT_FAILURE );
+			return EXIT_FAILURE;
 		}
+		fprintf( stderr, "WARNING: could not start TLS\n" );
 	}
 
 	if (want_bindpw) {
@@ -390,7 +403,8 @@ main( int argc, char **argv )
 		err = ldap_set_option( ld, LDAP_OPT_SERVER_CONTROLS, &ctrls );
 
 		if( err != LDAP_OPT_SUCCESS ) {
-			fprintf( stderr, "Could not set Manage DSA IT Control\n" );
+			fprintf( stderr, "Could not set ManageDSAit %scontrol\n",
+				c.ldctl_iscritical ? "critical " : "" );
 			if( c.ldctl_iscritical ) {
 				exit( EXIT_FAILURE );
 			}
@@ -419,83 +433,105 @@ main( int argc, char **argv )
 
 static int dodelete(
     LDAP	*ld,
-    char	*dn)
+    const char	*dn)
 {
-    int	rc;
+	int	rc;
 
-    if ( verbose ) {
-	printf( "%sdeleting entry \"%s\"\n",
-		(not ? "!" : ""), dn );
-    }
-    if ( not ) {
-	rc = LDAP_SUCCESS;
-    } else {
-		/* If prune is on, remove a whole subtree.  Delete the children of the
-		 * DN recursively, then the DN requested.
-		 */
-		if ( prune ) deletechildren( ld, dn );
-		if (( rc = ldap_delete_s( ld, dn )) != LDAP_SUCCESS ) {
-			ldap_perror( ld, "ldap_delete" );
-	} else if ( verbose ) {
-	    printf( "\tremoved\n" );
+	if ( verbose ) {
+		printf( "%sdeleting entry \"%s\"\n",
+			(not ? "!" : ""), dn );
 	}
-    }
 
-    return( rc );
+	if ( not ) {
+		return LDAP_SUCCESS;
+	}
+
+	/* If prune is on, remove a whole subtree.  Delete the children of the
+	 * DN recursively, then the DN requested.
+	 */
+	if ( prune ) deletechildren( ld, dn );
+
+	rc = ldap_delete_s( ld, dn );
+	if ( rc != LDAP_SUCCESS ) {
+		ldap_perror( ld, "ldap_delete" );
+	}
+
+	if ( verbose ) {
+		printf( "\tremoved\n" );
+	}
+
+	return rc;
 }
 
 /*
  * Delete all the children of an entry recursively until leaf nodes are reached.
  *
  */
-static int deletechildren( LDAP *ld,
-                           char *dn )
+static int deletechildren(
+	LDAP *ld,
+	const char *dn )
 {
-    LDAPMessage *res, *e;
-    int entries;
-    int rc;
-	int timeout = 30 * 10000;
-
-    ldap_set_option( ld, LDAP_OPT_TIMEOUT, &timeout );
-    if ( verbose ) printf ( "deleting children of: %s\n", dn );
-    /*
-     * Do a one level search at dn for children.  For each, delete its children.
-     */
-    if ( ldap_search_s( ld, dn, LDAP_SCOPE_ONELEVEL, NULL, NULL, 0, &res ) == -1 )
-    {
-        ldap_perror( ld, "ldap_search" );
-		ldap_get_option( ld, LDAP_OPT_ERROR_NUMBER, &rc );
-        return( rc );
-    }
+	LDAPMessage *res, *e;
+	int entries;
+	int rc;
+	static char *attrs[] = { "1.1", NULL };
+
+	if ( verbose ) printf ( "deleting children of: %s\n", dn );
+	/*
+	 * Do a one level search at dn for children.  For each, delete its children.
+	 */
+
+	rc = ldap_search_ext_s( ld, dn, LDAP_SCOPE_ONELEVEL, NULL, attrs, 1,
+		NULL, NULL, NULL, -1, &res );
+	if ( rc != LDAP_SUCCESS ) {
+		ldap_perror( ld, "ldap_search" );
+		return( rc );
+	}
 
-    entries = ldap_count_entries( ld, res );
-    if ( entries > 0 )
-    {
-        int i;
-
-        for (e = ldap_first_entry( ld, res ), i = 0; e != NULL;
-             e = ldap_next_entry( ld, e ), i++ )
-        {
-            if ( (rc = deletechildren( ld, ldap_get_dn( ld, e) )) == -1 )
-            {
-                ldap_perror( ld, "ldap_prune" );
-                return rc;
-            }
-            if ( verbose )
-            {
-                printf( "\tremoving %s\n", ldap_get_dn( ld, e ) );
-            }
-            if ( ( rc = ldap_delete_s( ld, ldap_get_dn( ld, e ) ) ) == -1 )
-            {
-                ldap_perror( ld, "ldap_delete" );
-                return rc;
-            }
-            else if ( verbose )
-            {
-                printf( "\t%s removed\n", ldap_get_dn( ld, e ) );
-            }
-        }
-    }
-    ldap_msgfree( res );
-    return rc;
+	entries = ldap_count_entries( ld, res );
+
+	if ( entries > 0 ) {
+		int i;
+
+		for (e = ldap_first_entry( ld, res ), i = 0; e != NULL;
+			e = ldap_next_entry( ld, e ), i++ )
+		{
+			char *dn = ldap_get_dn( ld, e );
+
+			if( dn == NULL ) {
+				ldap_perror( ld, "ldap_prune" );
+				ldap_get_option( ld, LDAP_OPT_ERROR_NUMBER, &rc );
+				ber_memfree( dn );
+				return rc;
+			}
+
+			rc = deletechildren( ld, dn );
+			if ( rc == -1 ) {
+				ldap_perror( ld, "ldap_prune" );
+				ber_memfree( dn );
+				return rc;
+			}
+
+			if ( verbose ) {
+				printf( "\tremoving %s\n", dn );
+			}
+
+			rc = ldap_delete_s( ld, dn );
+			if ( rc == -1 ) {
+				ldap_perror( ld, "ldap_delete" );
+				ber_memfree( dn );
+				return rc;
+
+			}
+			
+			if ( verbose ) {
+				printf( "\t%s removed\n", dn );
+			}
+
+			ber_memfree( dn );
+		}
+	}
+
+	ldap_msgfree( res );
+	return rc;
 }

clients/tools/ldapmodify.c

@@ -91,6 +91,7 @@ usage( const char *prog )
 "	-a\t\tadd values (default%s)\n"
 "	-b\t\tread values from files (for binary attributes)\n"
 "	-c\t\tcontinuous operation\n"
+"	-C\t\tchase referrals\n"
 "	-d level\tset LDAP debugging level to `level'\n"
 "	-D dn\t\tbind DN\n"
 "	-E\t\trequest SASL privacy (-EE to make it critical)\n"
@@ -121,7 +122,7 @@ main( int argc, char **argv )
 {
     char		*infile, *rbuf, *start;
     FILE		*fp;
-	int		rc, i, authmethod, version, want_bindpw, debug, manageDSAit;
+	int		rc, i, authmethod, version, want_bindpw, debug, manageDSAit, referrals;
 	int count;
 
     if (( prog = strrchr( argv[ 0 ], *LDAP_DIRSEP )) == NULL ) {
@@ -136,11 +137,11 @@ main( int argc, char **argv )
     ldapadd = ( strcmp( prog, "ldapadd" ) == 0 );
 
     infile = NULL;
-    not = verbose = want_bindpw = debug = manageDSAit = 0;
+    not = verbose = want_bindpw = debug = manageDSAit = referrals = 0;
     authmethod = LDAP_AUTH_SIMPLE;
 	version = -1;
 
-    while (( i = getopt( argc, argv, "acD:d:EFf:h:IKkMnP:p:rtU:vWw:X:Y:Z" )) != EOF ) {
+    while (( i = getopt( argc, argv, "acCD:d:EFf:h:IKkMnP:p:rtU:vWw:X:Y:Z" )) != EOF ) {
 	switch( i ) {
 	case 'a':	/* add */
 	    ldapadd = 1;
@@ -148,6 +149,9 @@ main( int argc, char **argv )
 	case 'c':	/* continuous operation */
 	    contoper = 1;
 	    break;
+	case 'C':
+		referrals++;
+		break;
 	case 'r':	/* default is to replace rather than add values */
 	    replace = 1;
 	    break;
@@ -353,8 +357,15 @@ main( int argc, char **argv )
 	    return( EXIT_FAILURE );
 	}
 
-	/* don't chase referrals */
-	ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF );
+	/* referrals */
+	if( ldap_set_option( ld, LDAP_OPT_REFERRALS,
+		referrals ? LDAP_OPT_ON : LDAP_OPT_OFF ) != LDAP_OPT_SUCCESS )
+	{
+		fprintf( stderr, "Could not set LDAP_OPT_REFERRALS %s\n",
+			referrals ? "on" : "off" );
+		return EXIT_FAILURE;
+	}
+
 
 	if (version == -1 ) {
 		version = 3;
@@ -372,6 +383,7 @@ main( int argc, char **argv )
 			ldap_perror( ld, "ldap_start_tls" );
 			return( EXIT_FAILURE );
 		}
+		fprintf( stderr, "WARNING: could not start TLS\n" );
 	}
 
 	if (want_bindpw) {
@@ -447,7 +459,8 @@ main( int argc, char **argv )
 		err = ldap_set_option( ld, LDAP_OPT_SERVER_CONTROLS, &ctrls );
 
 		if( err != LDAP_OPT_SUCCESS ) {
-			fprintf( stderr, "Could not set Manage DSA IT Control\n" );
+			fprintf( stderr, "Could not set ManageDSAit %scontrol\n",
+				c.ldctl_iscritical ? "critical " : "" );
 			if( c.ldctl_iscritical ) {
 				exit( EXIT_FAILURE );
 			}

clients/tools/ldapmodrdn.c

@@ -63,6 +63,7 @@ usage( const char *s )
 "		from the file specified by \"-f file\" (see man page).\n"
 "options:\n"
 "	-c\t\tcontinuous operation mode (do not stop on errors)\n"
+"	-C\t\tchase referrals\n"
 "	-d level\tset LDAP debugging level to `level'\n"
 "	-D binddn\tbind DN\n"
 "	-E\t\trequest SASL privacy (-EE to make it critical)\n"
@@ -96,16 +97,18 @@ main(int argc, char **argv)
     char		*myname,*infile, *entrydn = NULL, *rdn = NULL, buf[ 4096 ];
     FILE		*fp;
 	int		rc, i, remove, havedn, authmethod, version, want_bindpw, debug, manageDSAit;
+	int		referrals;
     char	*newSuperior=NULL;
 
     infile = NULL;
-    not = contoper = verbose = remove = want_bindpw = debug = manageDSAit = 0;
+    not = contoper = verbose = remove = want_bindpw =
+		debug = manageDSAit = referrals = 0;
     authmethod = LDAP_AUTH_SIMPLE;
 	version = -1;
 
     myname = (myname = strrchr(argv[0], '/')) == NULL ? argv[0] : ++myname;
 
-    while (( i = getopt( argc, argv, "cD:d:Ef:h:IKkMnP:p:rs:U:vWw:X:Y:Z" )) != EOF ) {
+    while (( i = getopt( argc, argv, "cCD:d:Ef:h:IKkMnP:p:rs:U:vWw:X:Y:Z" )) != EOF ) {
 	switch( i ) {
 	case 'k':	/* kerberos bind */
 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
@@ -126,6 +129,9 @@ main(int argc, char **argv)
 	case 'c':	/* continuous operation mode */
 	    ++contoper;
 	    break;
+	case 'C':
+		referrals++;
+		break;
 	case 'h':	/* ldap host */
 	    ldaphost = strdup( optarg );
 	    break;
@@ -341,8 +347,14 @@ main(int argc, char **argv)
 	return( EXIT_FAILURE );
     }
 
-	/* don't chase referrals */
-	ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF );
+	/* referrals */
+	if( ldap_set_option( ld, LDAP_OPT_REFERRALS,
+		referrals ? LDAP_OPT_ON : LDAP_OPT_OFF ) != LDAP_OPT_SUCCESS )
+	{
+		fprintf( stderr, "Could not set LDAP_OPT_REFERRALS %s\n",
+			referrals ? "on" : "off" );
+		return EXIT_FAILURE;
+	}
 
 	if (version == -1 ) {
 		version = 3;
@@ -360,6 +372,7 @@ main(int argc, char **argv)
 			ldap_perror( ld, "ldap_start_tls" );
 			return( EXIT_FAILURE );
 		}
+		fprintf( stderr, "WARNING: could not start TLS\n" );
 	}
 
 	if (want_bindpw) {
@@ -431,7 +444,8 @@ main(int argc, char **argv)
 		err = ldap_set_option( ld, LDAP_OPT_SERVER_CONTROLS, &ctrls );
 
 		if( err != LDAP_OPT_SUCCESS ) {
-			fprintf( stderr, "Could not set Manage DSA IT Control\n" );
+			fprintf( stderr, "Could not set ManageDSAit %scontrol\n",
+				c.ldctl_iscritical ? "critical " : "" );
 			if( c.ldctl_iscritical ) {
 				exit( EXIT_FAILURE );
 			}

clients/tools/ldappasswd.c

@@ -34,6 +34,7 @@ usage(const char *s)
 "	-a secret\told password\n"
 "	-A\t\tprompt for old password\n"
 "	-d level\tdebugging level\n"
+"	-C\t\tchase referrals\n"
 "	-D binddn\tbind DN\n"
 "	-E\t\trequest SASL privacy (-EE to make it critical)\n"
 "	-h host\t\tLDAP server (default: localhost)\n"
@@ -86,6 +87,7 @@ main( int argc, char *argv[] )
 	int		sasl_privacy = 0;
 #endif
 	int		use_tls = 0;
+	int		referrals = 0;
 	LDAP	       *ld;
 	struct berval *bv = NULL;
 
@@ -96,7 +98,7 @@ main( int argc, char *argv[] )
 		usage (argv[0]);
 
 	while( (i = getopt( argc, argv,
-		"Aa:D:d:EIh:np:Ss:U:vWw:X:Y:Z" )) != EOF )
+		"Aa:CD:d:EIh:np:Ss:U:vWw:X:Y:Z" )) != EOF )
 	{
 		switch (i) {
 		case 'A':	/* prompt for oldr password */
@@ -113,6 +115,9 @@ main( int argc, char *argv[] )
 				}
 			}
 			break;
+		case 'C':
+			referrals++;
+			break;
 		case 'D':	/* bind distinguished name */
 			binddn = strdup (optarg);
 			break;
@@ -139,7 +144,6 @@ main( int argc, char *argv[] )
 
 		case 's':	/* new password (secret) */
 			newpw = strdup (optarg);
-
 			{
 				char* p;
 
@@ -307,8 +311,14 @@ main( int argc, char *argv[] )
 		return EXIT_FAILURE;
 	}
 
-	/* don't chase referrals */
-	ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF );
+	/* referrals */
+	if (ldap_set_option( ld, LDAP_OPT_REFERRALS,
+		referrals ? LDAP_OPT_ON : LDAP_OPT_OFF ) != LDAP_OPT_SUCCESS )
+	{
+		fprintf( stderr, "Could not set LDAP_OPT_REFERRALS %s\n",
+			referrals ? "on" : "off" );
+		return EXIT_FAILURE;
+	}
 
 	/* LDAPv3 only */
 	version = 3;
@@ -323,6 +333,7 @@ main( int argc, char *argv[] )
 			ldap_perror( ld, "ldap_start_tls" );
 			return( EXIT_FAILURE );
 		}
+		fprintf( stderr, "WARNING: could not start TLS\n" );
 	}
 
 	if ( authmethod == LDAP_AUTH_SASL ) {

clients/tools/ldapsearch.c

@@ -66,7 +66,6 @@ usage( const char *s )
 "\t-n\t\tshow what would be done but don't actually search\n"
 "\t-p port\t\tport on LDAP server\n"
 "\t-P version\tprocotol version (default: 3)\n"
-"\t-R\t\tdo not automatically follow referrals\n"
 "\t-s scope\tone of base, one, or sub (search scope)\n"
 "\t-S attr\t\tsort the results by attribute `attr'\n"
 "\t-t\t\twrite binary values to files in temporary directory\n"
@@ -123,10 +122,14 @@ static int dosearch LDAP_P((
 	LDAP	*ld,
 	char	*base,
 	int		scope,
+	char	*filtpatt,
+	char	*value,
 	char	**attrs,
 	int		attrsonly,
-	char	*filtpatt,
-	char	*value));
+	LDAPControl **sctrls,
+	LDAPControl **cctrls,
+	struct timeval *timelimit,
+	int	sizelimit ));
 
 static char *tmpdir = NULL;
 static char *urlpre = NULL;
@@ -158,19 +161,16 @@ main( int argc, char **argv )
 	LDAP		*ld;
 
 	infile = NULL;
-	debug = verbose = not = vals2tmp =
+	debug = verbose = not = vals2tmp = referrals =
 		attrsonly = manageDSAit = ldif = want_bindpw = 0;
 
 	deref = sizelimit = timelimit = version = -1;
 
-	/* default should be off */
-	referrals = 1;
-
 	scope = LDAP_SCOPE_SUBTREE;
 	authmethod = LDAP_AUTH_SIMPLE;
 
 	while (( i = getopt( argc, argv,
-		"Aa:b:D:d:Ef:h:IKkLl:MnP:p:RS:s:T:tU:uV:vWw:X:Y:Zz:")) != EOF )
+		"Aa:b:CD:d:Ef:h:IKkLl:MnP:p:RS:s:T:tU:uV:vWw:X:Y:Zz:")) != EOF )
 	{
 	switch( i ) {
 	case 'n':	/* do nothing */
@@ -209,8 +209,10 @@ main( int argc, char **argv )
 		/* enable Manage DSA IT */
 		manageDSAit++;
 		break;
-	case 'R':	/* don't automatically chase referrals */
-		referrals = 0;
+	case 'C':
+		referrals++;
+		break;
+	case 'R':	/* ignore */
 		break;
 	case 'A':	/* retrieve attribute names only -- no values */
 		++attrsonly;
@@ -471,30 +473,35 @@ main( int argc, char **argv )
 
 	if (( ld = ldap_init( ldaphost, ldapport )) == NULL ) {
 		perror( "ldap_init" );
-		return( EXIT_FAILURE );
+		return EXIT_FAILURE;
 	}
 
 	if (deref != -1 &&
 		ldap_set_option( ld, LDAP_OPT_DEREF, (void *) &deref ) != LDAP_OPT_SUCCESS )
 	{
 		fprintf( stderr, "Could not set LDAP_OPT_DEREF %d\n", deref );
+		return EXIT_FAILURE;
 	}
 	if (timelimit != -1 &&
 		ldap_set_option( ld, LDAP_OPT_TIMELIMIT, (void *) &timelimit ) != LDAP_OPT_SUCCESS )
 	{
 		fprintf( stderr, "Could not set LDAP_OPT_TIMELIMIT %d\n", timelimit );
+		return EXIT_FAILURE;
 	}
 	if (sizelimit != -1 &&
 		ldap_set_option( ld, LDAP_OPT_SIZELIMIT, (void *) &sizelimit ) != LDAP_OPT_SUCCESS )
 	{
 		fprintf( stderr, "Could not set LDAP_OPT_SIZELIMIT %d\n", sizelimit );
+		return EXIT_FAILURE;
 	}
-	if (referrals != -1 &&
-		ldap_set_option( ld, LDAP_OPT_REFERRALS,
-				 (referrals ? LDAP_OPT_ON : LDAP_OPT_OFF) ) != LDAP_OPT_SUCCESS )
+
+	/* referrals */
+	if (ldap_set_option( ld, LDAP_OPT_REFERRALS,
+		referrals ? LDAP_OPT_ON : LDAP_OPT_OFF ) != LDAP_OPT_SUCCESS )
 	{
 		fprintf( stderr, "Could not set LDAP_OPT_REFERRALS %s\n",
 			referrals ? "on" : "off" );
+		return EXIT_FAILURE;
 	}
 
 	if (version == -1 ) {
@@ -506,13 +513,15 @@ main( int argc, char **argv )
 	{
 		fprintf( stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n",
 			version );
+		return EXIT_FAILURE;
 	}
 
 	if ( use_tls && ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS ) {
 		if ( use_tls > 1 ) {
 			ldap_perror( ld, "ldap_start_tls" );
-			return( EXIT_FAILURE );
+			return EXIT_FAILURE;
 		}
+		fprintf( stderr, "WARNING: could not start TLS\n" );
 	}
 
 	if (want_bindpw) {
@@ -583,7 +592,8 @@ main( int argc, char **argv )
 		err = ldap_set_option( ld, LDAP_OPT_SERVER_CONTROLS, &ctrls );
 
 		if( err != LDAP_OPT_SUCCESS ) {
-			fprintf( stderr, "Could not set Manage DSA IT Control\n" );
+			fprintf( stderr, "Could not set ManageDSAit %scontrol\n",
+				c.ldctl_iscritical ? "critical " : "" );
 			if( c.ldctl_iscritical ) {
 				exit( EXIT_FAILURE );
 			}
@@ -631,7 +641,8 @@ main( int argc, char **argv )
 	}
 
 	if ( infile == NULL ) {