pam_ldap: ldap_set_option(LDAP_OPT_X_TLS) Unknown error

["David Vu" <David.Vu@aarnet.edu.au>]

Hi,

A recent upgrade of OpenLDAP 2.0.21 from 2.0.11 appears to break
pam_ldap authentication with this error in the system log:

Feb  4 13:41:49 breton sshd[1090]: pam_ldap:
ldap_set_option(LDAP_OPT_X_TLS) Unknown error

This of course breaks pam_ldap authentication and the system
then refuses any user with a posixAccount to log in my Red Hat
box.  Strangely, other aspects of NSS and LDAP work fine
including: getent passwd, group, shadow, ldapsearch -H
ldaps://<hostname> and ldapsearch -ZZ.

There is nothing in the ldap log that indicates any problem for
any of these operations.  Only pam_ldap fails with the above
error, without any other indication in the system or ldap log
files.

I couldn't find any relevant articles about this in the mail
list archives or faq.

I use nss_ldap-149-4 with SSL (not TLS), with the following
/etc/ldap.conf

  host breton.catfish.net.au:636
  base dc=catfish,dc=net,dc=au
  scope one
  pam_filter objectclass=posixAccount
  pam_login_attribute uid
  pam_member_attribute uniquemember
  pam_password md5

  nss_base_passwd ou=People,dc=catfish,dc=net,dc=au?one
  nss_base_shadow ou=People,dc=catfish,dc=net,dc=au?one
  nss_base_group ou=Group,dc=catfish,dc=net,dc=au?one
  ssl yes
  sslpath /usr/share/ssl/certs

Note all this works fine with openldap-2.0.11, it only breaks
with 2.0.21.  My /etc/openldap/slapd.conf remains the unchanged
after the upgrade.
Disabling SSL enables the authentication to work, as does
enabling the 'start_tls' option.

Has anyone seen this broken behaviour?  I am happy to use
start_tls but am just curious to see what causes this with
openldap-2.0.21?

Thanks for any pointers,

David.