Control: tag -1 + moreinfo unreproducible Jean-Christophe, are you still interested in figuring this out? If so you need to provide more information. You also don't say what else you have tried to investigate this.
I tried reproducing your observed behaviour, but it doesn't manifest here unless I put "TLS_REQCERT allow" into my normal user's ~/.ldaprc file (which is not a bug, but a misconfiguration). "ldap_sasl_bind_s(): Can't contact LDAP server" is really just a generic TLS error which could have a million different causes. Some ideas what could be going on: * The certificates may have been generated with outdated TLS parameters or the server is running outdated configuration options. I recall that during the move to buster OpenSSL changed its default settings for what versions of TLS it still allows (TLS_CIPHER_SUITE, TLS_PROTOCOL_MIN). Give us the output of: openssl s_client -debug -connect server2.mydomain.com:636 -verify 255 </dev/null Altering the server config to always use at least TLSv1.2 might already help. Regenerating the server certificates is worth a try, too. * You run "ldapsearch" under the effective user id of "jc", but "sudo" runs under the effective user id of "root". If you have a file ~jc/.ldaprc with different TLS settings this could explain why the "ldapsearch" command succeeds, but "sudo -l" fails. What happens if you run "ldapsearch" under a freshly created user? Please run "sudo -l" as root and tell us if the error still occurs. If it does then as root run this command and give us /tmp/sudo-l-strace.gz strace -f -s 2048 sudo -l |& gzip -9c > /tmp/sudo-l-strace.gz Also to turn off any initialization mechanisms run your ldapsearch commands like this: LDAPNOINIT=1 ldapsearch -x -H ... Tell us if this changes anything. Until you can give us something that clearly points to the code of sudo-ldap doing something it shouldn't we have to assume that this is due to a misconfiguration. Regards, Dennis.