rlm_ldap cannot successfully establish TLS connections with an OpenLDAP server. This is because the TLS connection attributes are not set when the OpenLDAP client library tries to make a connection. The failing connection causes the radius server to fail to initialize and it immediately exits.

The problem is related to use of LDAP_OPT_X_TLS_NEWCTX to establish a per connection TLS context. Apparently LDAP_OPT_X_TLS_NEWCTX has to be called *after* calling ldap_set_option() to set the TLS attributes, if it's called prior to setting the attributes (as is the current code) then the TLS attributes are not copied into the new TLS context.

Not sure, but this might only be a problem for the MozNSS module as opposed to the OpenSSL module (OpenLDAP can be built with different crypto implementations). Currently Red Hat is the only distribution that deploys OpenLDAP with MozNSS which might explain why this problem was not seen upstream. I want to investigate further on this.

Moving LDAP_OPT_X_TLS_NEWCTX to after setting the TLS attributes fixes the connection failures.

During debugging it was also discovered that the way rlm_ldap sets the LDAP debug flag is also incorrect. The debug flag needs to be set on the global context, not the per connection context. As currently implemented one cannot get the ldap library to emit debug information, this also needs fixing.