LDAPS - where to start from?

[little-nemo at virgilio.it]

> > rlm_ldap (ldap): Connecting to ldaps://dc1.testuni.it:636
> > rlm_ldap (ldap): Bind with CN=reader-freeradius,OU=ServiceUsers,OU=ServicePeople,DC=testuni,DC=it to ldaps://dc1.testuni.it:636 failed: Can't contact LDAP server
> 
>   This error is "can't contact", not "LDAP server rejected the authentication".
> 
>   Something is blocking the network connection between FreeRADIUS and the LDAP server.  Find out what that is, and fix it.

The LDAP server receives TCP and TLS1.2 exchange packets with the freeradius server.
The last packet label, from the LDAP server is :
..."636 → 44698 [RST, ACK] Seq=2280 Ack=726 Win=0 Len=0"

I can't see a network or firewall problem.

> 
> > I tried to bind, manually, using the general command:
> > ldapsearch -D ${identity} -w ${password} -H ${server} -b 'CN=user,${base_dn}'
> > and it worked.
> 
>   Does it use the same port?
ldapsearch uses the 636 port, rlm_ldap reports using the 636 port
They both exchange packets with the LDAP server on that port.


> > In mods-available/ldap, at line 77, I read the suggestion:
> > ldapsearch -D ${identity} -w ${password} -h ${server} -b 'CN=user,${base_dn}'
...
> 
>   Ask the people who wrote ldapsearch.
> 
Checked: "-h" does not exist in ldapsearch 2.5.13

Weeks ago, other tests with an older ldapsearch (and older debian), using "-h" and port 389, were not relevant, because our LDAP server rejects non-secure LDAP connections.
Could this be the issue? Does rlm_ldap need port 389 to accept/reply I-dont-know-what before using 636?

https://wiki.freeradius.org/modules/rlm_ldap#errors-with-ldap-over-tls-connections suggests to check for: "... probably using a version of libldap that has been built with NSS ..."
I'm not using Red Hat, should I check as well? 
(using Debian11.5, $OpenLDAP: ldapsearch 2.5.13+dfsg-5)  

Pietro