diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index dd7de7c3a4..1977a575e7 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -2292,6 +2292,27 @@ CheckBSDAuth(Port *port, char *user)
 #ifdef USE_LDAP
 
 /*
+ * Return a palloc'd copy of the current LDAP diagnostic message, or NULL if
+ * there is none.
+ */
+static char *
+GetLDAPDiagnosticMessage(LDAP *ldap)
+{
+	char	   *result = NULL;
+	char	   *message;
+	int			rc;
+
+	rc = ldap_get_option(ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, &message);
+	if (rc == LDAP_SUCCESS && message != NULL)
+	{
+		result = pstrdup(message);
+		ldap_memfree(message);
+	}
+
+	return result;
+}
+
+/*
  * Initialize a connection to the LDAP server, including setting up
  * TLS if requested.
  */
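Review bot: `LDAP_OPT_DIAGNOSTIC_MESSAGE` in GetLDAPDiagnosticMessage is used unconditionally, but this code sits under `#ifdef USE_LDAP`, which also covers the Windows build (see the `_ldap_start_tls_sA` path later in the diff). As far as I know, the Windows LDAP header and some older client libraries only provide the older spelling `LDAP_OPT_ERROR_STRING`. A fallback next to the helper keeps those builds compiling: `#ifndef LDAP_OPT_DIAGNOSTIC_MESSAGE`, `#define LDAP_OPT_DIAGNOSTIC_MESSAGE LDAP_OPT_ERROR_STRING`, `#endif`. The header comment could also say that the helper must be called before `ldap_unbind()`, since every caller depends on that order.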
@@ -2317,9 +2338,14 @@ InitializeLDAPConnection(Port *port, LDAP **ldap)
 
 	if ((r = ldap_set_option(*ldap, LDAP_OPT_PROTOCOL_VERSION, &ldapversion)) != LDAP_SUCCESS)
 	{
+		char	   *message = GetLDAPDiagnosticMessage(*ldap);
+
 		ldap_unbind(*ldap);
 		ereport(LOG,
-				(errmsg("could not set LDAP protocol version: %s", ldap_err2string(r))));
+				(errmsg("could not set LDAP protocol version: %s", ldap_err2string(r)),
+				 message ? errdetail("Diagnostic message: %s", message) : 0));
+		if (message)
+			pfree(message);
 		return STATUS_ERROR;
 	}
 
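Review bot: The fetch, `message ? errdetail(...) : 0`, `pfree` sequence added here is repeated verbatim in the TLS-start hunk and in four error paths of CheckLDAPAuth, so a later error path can easily miss one of the steps. A helper that returns int and calls errdetail itself can sit directly in the ereport argument list and needs no palloc'd copy. Because it reads the handle while ereport runs, `ldap_unbind` then has to move after the ereport at each call site. InitializeLDAPConnection starts and ends outside this hunk.

```c
/* Attach the LDAP library's diagnostic text, if any, as errdetail. */
static int
errdetail_for_ldap(LDAP *ldap)
{
	char	   *message = NULL;

	if (ldap_get_option(ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, &message) == LDAP_SUCCESS &&
		message != NULL)
	{
		errdetail("Diagnostic message: %s", message);
		ldap_memfree(message);
	}
	return 0;
}

	/* … unchanged: ldap_set_option() failure test … */
	{
		ereport(LOG,
				(errmsg("could not set LDAP protocol version: %s", ldap_err2string(r)),
				 errdetail_for_ldap(*ldap)));
		ldap_unbind(*ldap);		/* after ereport: the helper reads the handle */
		return STATUS_ERROR;
	}
```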
@@ -2370,9 +2396,14 @@ InitializeLDAPConnection(Port *port, LDAP **ldap)
 		if ((r = _ldap_start_tls_sA(*ldap, NULL, NULL, NULL, NULL)) != LDAP_SUCCESS)
 #endif
 		{
+			char	   *message = GetLDAPDiagnosticMessage(*ldap);
+
 			ldap_unbind(*ldap);
 			ereport(LOG,
-					(errmsg("could not start LDAP TLS session: %s", ldap_err2string(r))));
+					(errmsg("could not start LDAP TLS session: %s", ldap_err2string(r)),
+					 message ? errdetail("Diagnostic message: %s", message) : 0));
+			if (message)
+				pfree(message);
 			return STATUS_ERROR;
 		}
 	}
@@ -2461,9 +2492,15 @@ CheckLDAPAuth(Port *port)
 							   port->hba->ldapbindpasswd ? port->hba->ldapbindpasswd : "");
 		if (r != LDAP_SUCCESS)
 		{
+			char	   *message = GetLDAPDiagnosticMessage(ldap);
+
+			ldap_unbind(ldap);
 			ereport(LOG,
 					(errmsg("could not perform initial LDAP bind for ldapbinddn \"%s\" on server \"%s\": %s",
-							port->hba->ldapbinddn, port->hba->ldapserver, ldap_err2string(r))));
+							port->hba->ldapbinddn, port->hba->ldapserver, ldap_err2string(r)),
+					 message ? errdetail("Diagnostic message: %s", message) : 0));
+			if (message)
+				pfree(message);
 			return STATUS_ERROR;
 		}
 
@@ -2485,9 +2522,15 @@ CheckLDAPAuth(Port *port)
 
 		if (r != LDAP_SUCCESS)
 		{
+			char	   *message = GetLDAPDiagnosticMessage(ldap);
+
+			ldap_unbind(ldap);
 			ereport(LOG,
 					(errmsg("could not search LDAP for filter \"%s\" on server \"%s\": %s",
-							filter, port->hba->ldapserver, ldap_err2string(r))));
+							filter, port->hba->ldapserver, ldap_err2string(r)),
+					 message ? errdetail("Diagnostic message: %s", message) : 0));
+			if (message)
+				pfree(message);
 			pfree(filter);
 			return STATUS_ERROR;
 		}
@@ -2517,12 +2560,17 @@ CheckLDAPAuth(Port *port)
 		dn = ldap_get_dn(ldap, entry);
 		if (dn == NULL)
 		{
+			char	   *message = GetLDAPDiagnosticMessage(ldap);
 			int			error;
 
 			(void) ldap_get_option(ldap, LDAP_OPT_ERROR_NUMBER, &error);
+			ldap_unbind(ldap);
 			ereport(LOG,
 					(errmsg("could not get dn for the first entry matching \"%s\" on server \"%s\": %s",
-							filter, port->hba->ldapserver, ldap_err2string(error))));
+							filter, port->hba->ldapserver, ldap_err2string(error)),
+					 message ? errdetail("Diagnostic message: %s", message) : 0));
+			if (message)
+				pfree(message);
 			pfree(filter);
 			ldap_msgfree(search_message);
 			return STATUS_ERROR;
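Review bot: The `ldap_unbind(ldap)` added on this path only covers the error returns this diff touches. Any other early `return STATUS_ERROR` in CheckLDAPAuth after the connection is set up would presumably still return with the directory connection open; the lines between the search-failure hunk and this one are not visible here. It is worth auditing every return that follows InitializeLDAPConnection, or routing them all through one cleanup point that unbinds, so the release does not depend on each branch remembering it. The block this hunk edits closes outside the hunk.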
@@ -2539,10 +2587,9 @@ CheckLDAPAuth(Port *port)
 		{
 			int			error;
 
-			(void) ldap_get_option(ldap, LDAP_OPT_ERROR_NUMBER, &error);
 			ereport(LOG,
-					(errmsg("could not unbind after searching for user \"%s\" on server \"%s\": %s",
-							fulluser, port->hba->ldapserver, ldap_err2string(error))));
+					(errmsg("could not unbind after searching for user \"%s\" on server \"%s\"",
+							fulluser, port->hba->ldapserver)));
 			pfree(fulluser);
 			return STATUS_ERROR;
 		}
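Review bot: `int error;` at the top of this block is now unused, because the `ldap_get_option(ldap, LDAP_OPT_ERROR_NUMBER, &error)` call that filled it was removed; the declaration should go too, or the build picks up an unused-variable warning. Removing the call itself looks right if the handle has already been released by the failed unbind, which happens in the condition outside this hunk. If that unbind's return code is still in scope, passing it to `ldap_err2string()` would keep the failure reason in the log message.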
@@ -2566,17 +2613,23 @@ CheckLDAPAuth(Port *port)
 							port->hba->ldapsuffix ? port->hba->ldapsuffix : "");
 
 	r = ldap_simple_bind_s(ldap, fulluser, passwd);
-	ldap_unbind(ldap);
 
 	if (r != LDAP_SUCCESS)
 	{
+		char	   *message = GetLDAPDiagnosticMessage(ldap);
+
+		ldap_unbind(ldap);
 		ereport(LOG,
 				(errmsg("LDAP login failed for user \"%s\" on server \"%s\": %s",
-						fulluser, port->hba->ldapserver, ldap_err2string(r))));
+						fulluser, port->hba->ldapserver, ldap_err2string(r)),
+				 message ? errdetail("Diagnostic message: %s", message) : 0));
+		if (message)
+			pfree(message);
 		pfree(fulluser);
 		return STATUS_ERROR;
 	}
 
+	ldap_unbind(ldap);
 	pfree(fulluser);
 
 	return STATUS_OK;
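Review bot: The errdetail added to the "LDAP login failed" report carries text chosen by the directory server, and on a failed bind that text can say why the login was refused (for example a locked or expired account rather than a wrong password). Keeping it on `ereport(LOG, ...)` is the right level, but nothing here records that constraint for the next person who edits the message. I would add a comment above the ereport such as `/* Diagnostic text is for the server log only; never copy it into a client-visible error. */`. CheckLDAPAuth begins outside this hunk.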
