Can't get STARTTLS with LDAP to work


We’re running Grafana from master/head and we’re trying to use STARTTLS with LDAP authentication, but it doesn’t seem to work. I can see that Grafana is contacting my OpenLDAP server on port 389 as configured, but it fails to issue the “STARTTLS” command and goes directly into binding, which fails, since my OpenLDAP is configured to require TLS, even though I do have “start_tls=true” in ldap.toml.

5bfd07ca conn=1105 fd=15 ACCEPT from IP= (IP=
5bfd07ca conn=1105 op=0 BIND dn="cn=binduser,dc=example,dc=com" method=128
5bfd07ca conn=1105 op=0 RESULT tag=97 err=13 text=confidentiality required
5bfd07ca conn=1105 fd=15 closed (connection lost)

I would expect that using “start_tls=true” would render something like this:

5bfbfc7c conn=1007 fd=14 ACCEPT from IP= (IP=
5bfbfc7c conn=1007 op=0 EXT oid=
5bfbfc7c conn=1007 op=0 STARTTLS
5bfbfc7c conn=1007 op=0 RESULT oid= err=0 text=
5bfbfc7c conn=1007 fd=14 TLS established tls_ssf=128 ssf=128
5bfbfc7c conn=1007 op=1 BIND dn="cn=binduser,dc=example,dc=com" method=128

If I run with “use_ssl=true” and over port 636, it works. But as the OpenLDAP FAQ says: “ldaps:// is deprecated in favor of Start TLS [RFC2830].”

Is anyone else successfully using start_tls with OpenLDAP?
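
The two log excerpts above differ in whether "TLS established" appears before the BIND. The following is an added example, not part of the original post or of Grafana or OpenLDAP: it checks slapd logs for that ordering and flags simple binds (method=128) sent without TLS, where the bind DN and password reached the server in cleartext even though it answered err=13. The function names are hypothetical and the sample lines are constructed, with placeholder addresses and the StartTLS OID filled in.

```python
import re

# Constructed sample in the slapd log format quoted in the post; the
# addresses and the StartTLS OID are filled in here, not taken from the post.
SAMPLE_LOG = """\
5bfd07ca conn=1105 fd=15 ACCEPT from IP=192.0.2.10:40112 (IP=0.0.0.0:389)
5bfd07ca conn=1105 op=0 BIND dn="cn=binduser,dc=example,dc=com" method=128
5bfd07ca conn=1105 op=0 RESULT tag=97 err=13 text=confidentiality required
5bfd07ca conn=1105 fd=15 closed (connection lost)
5bfbfc7c conn=1007 fd=14 ACCEPT from IP=192.0.2.10:40098 (IP=0.0.0.0:389)
5bfbfc7c conn=1007 op=0 EXT oid=1.3.6.1.4.1.1466.20037
5bfbfc7c conn=1007 op=0 STARTTLS
5bfbfc7c conn=1007 op=0 RESULT oid= err=0 text=
5bfbfc7c conn=1007 fd=14 TLS established tls_ssf=128 ssf=128
5bfbfc7c conn=1007 op=1 BIND dn="cn=binduser,dc=example,dc=com" method=128
"""

CONN = re.compile(r"\bconn=(\d+)\b")
BIND = re.compile(r'\bBIND dn="([^"]*)" method=(\d+)')
BIND_RESULT = re.compile(r"\bRESULT tag=97 err=(\d+)")  # tag 97 = BindResponse

def audit_binds(log_text):
    """Return one dict per BIND request: conn, dn, method, tls, err."""
    tls, pending, findings = {}, {}, []
    for line in log_text.splitlines():
        m = CONN.search(line)
        if not m:
            continue
        conn = int(m.group(1))
        if "ACCEPT from" in line:
            tls[conn] = False          # new connection: reset state for this id
            pending.pop(conn, None)
        elif "TLS established" in line:
            tls[conn] = True           # logged after StartTLS, and for ldaps://
        elif (b := BIND.search(line)):
            findings.append({"conn": conn, "dn": b.group(1),
                             "method": int(b.group(2)),
                             "tls": tls.get(conn, False), "err": None})
            pending[conn] = len(findings) - 1
        elif (r := BIND_RESULT.search(line)) and conn in pending:
            findings[pending.pop(conn)]["err"] = int(r.group(1))
    return findings

def cleartext_simple_binds(findings):
    """Simple binds (method=128) that arrived before any TLS layer was up."""
    return [f for f in findings if f["method"] == 128 and not f["tls"]]

if __name__ == "__main__":
    for f in cleartext_simple_binds(audit_binds(SAMPLE_LOG)):
        print(f"conn={f['conn']} cleartext simple bind as {f['dn']} err={f['err']}")
```
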