Yesterday a new version of the libldap-2.4-2 package was uploaded to Debian unstable, and after applying it to my system it broke sudo-ldap. It was no longer able to talk to my LDAP server over a TLS-encrypted connection. Plain communication without TLS still worked, but I did not want to resign myself to unencrypted connections for such vital systems.

This is the error sudo-ldap threw:

sudo: ldap_start_tls_s(): Connect error

After a lot of investigation I found, in a bug report from Roberto C. Sánchez, a useful option to enable in my /etc/ldap/ldap.conf file:

sudoers_debug 2

This brought up a lot of configuration parameters when invoking sudo on the shell. One of these parameters looked a little suspicious to me:

sudo: ldap_set_option: tls_cert -> /etc/ssl/certs

It turned out that sudo-ldap honors the sslpath option in /etc/ldap/ldap.conf, which originally comes from the Netscape SDK SSL and which I had enabled by accident. As the debug output shows, sudo-ldap maps sslpath onto its tls_cert option, so the directory /etc/ssl/certs was being handed to libldap as if it were a certificate file, and the TLS handshake failed. After commenting out sslpath everything worked again with sudo-ldap.
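The same mistake is easy to repeat on other hosts, so here is a small audit helper I wrote for this post (it is not part of sudo, libldap or the repository mentioned below). It scans an ldap.conf-style file for an active sslpath directive, the setting that sudo-ldap turns into tls_cert, and produces a copy with that line commented out. The sample configuration it runs against is constructed for the example; the hostname and base DN are placeholders.

```sh
#!/bin/sh
# Added example, not code from the original post.
# Audit an ldap.conf-style file for an active "sslpath" directive. sudo-ldap
# treats sslpath as tls_cert (a client certificate file), so a directory such
# as /etc/ssl/certs makes ldap_start_tls_s() fail with "Connect error".

# check_sslpath FILE
# Prints any uncommented sslpath line and returns 1 if one is present,
# 0 if the file is clean, 2 if the file cannot be read.
check_sslpath() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # First non-blank token must be "sslpath" (any case); '#' comments are skipped.
    offending=$(grep -i -E '^[[:space:]]*sslpath[[:space:]]' "$file")
    if [ -n "$offending" ]; then
        echo "active sslpath directive in $file (sudo-ldap maps it to tls_cert):"
        echo "$offending"
        return 1
    fi
    return 0
}

# fix_sslpath FILE
# Writes FILE.fixed with every active sslpath line commented out and prints
# the path of the copy; the original file is left untouched.
fix_sslpath() {
    file="$1"
    out="${file}.fixed"
    # Case-insensitive match spelled out so it works on POSIX sed, not only GNU sed.
    sed -E 's/^([[:space:]]*)([sS][sS][lL][pP][aA][tT][hH][[:space:]].*)$/\1# \2/' \
        "$file" > "$out"
    echo "$out"
}

# Constructed sample configuration (not the author's real ldap.conf):
# start_tls enabled, plus the stray sslpath line that caused the breakage.
SAMPLE_CONF="${TMPDIR:-/tmp}/ldap.conf.sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
# /etc/ldap/ldap.conf (constructed sample)
BASE        dc=example,dc=com
URI         ldap://ldap.example.com
ssl         start_tls
TLS_CACERT  /etc/ssl/certs/ca-certificates.crt
sslpath     /etc/ssl/certs
EOF

if check_sslpath "$SAMPLE_CONF"; then
    echo "no sslpath directive, nothing to do"
else
    FIXED=$(fix_sslpath "$SAMPLE_CONF")
    echo "wrote corrected copy to $FIXED:"
    cat "$FIXED"
fi
rm -f "$SAMPLE_CONF" "${SAMPLE_CONF}.fixed"
```

Run it as `sh check-sslpath.sh`; to audit a real host, call `check_sslpath /etc/ldap/ldap.conf` and compare its verdict with `sudoers_debug 2` output, which should no longer show `tls_cert -> /etc/ssl/certs` once the directive is gone.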

The working version of my ldap.conf can be found in my SSO Subversion repository. It is also suitable for use with libpam-ldap, libnss-ldap and all of the ldap-utils.