sudo: ldap_start_tls_s(): Connect error
associated with this error message in the logs:
sudo: in openpam_check_error_code(): pam_sm_authenticate(): unexpected return value 27
Check that your ldap.conf TLS parameters are correct! In my case, Ansible pushed a bunch of pending config changes (and an OS update) to a neglected host, one of which included moving the CA certificate file, but failed to update the ldap.conf file. I chased my tail for a bit, thinking the issue was with nslcd.conf.
You may also notice a corresponding error in the log of the LDAP server. In the case of slapd:
slapd[40731]: conn=4892528 fd=219 closed (TLS negotiation failure)
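A quick way to catch the misconfiguration described above before chasing nslcd or sudoers-ldap, added here as an example and not part of the original post: the first function verifies that every path-valued TLS_* directive in an ldap.conf still points at something readable (a moved CA file shows up as MISSING), and the second forces a StartTLS handshake with ldapsearch so libldap prints the real TLS diagnostic that sudo's "Connect error" hides. The config path and URI used are assumptions; the sudo-ldap file may live elsewhere (for example /etc/sudo-ldap.conf).

```shell
#!/bin/sh
# check_ldap_tls_paths CONF: report each TLS_CACERT/TLS_CACERTDIR/TLS_CERT/TLS_KEY
# entry as ok or MISSING. Returns 0 if all exist, 1 if any is missing, 2 if the
# config itself cannot be read.
check_ldap_tls_paths() {
    conf="$1"
    bad=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # ldap.conf keywords are case-insensitive; only these four take a path.
    tls_lines=$(grep -Ei '^[[:space:]]*TLS_(CACERT|CACERTDIR|CERT|KEY)[[:space:]]+' "$conf" || true)
    while read -r key path; do
        [ -n "$key" ] || continue
        key=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')
        if [ "$key" = "TLS_CACERTDIR" ]; then
            test -d "$path" && ok=1 || ok=0     # CACERTDIR must be a directory
        else
            test -r "$path" && ok=1 || ok=0     # the others must be readable files
        fi
        if [ "$ok" -eq 1 ]; then
            echo "ok       $key $path"
        else
            echo "MISSING  $key $path   (moved by config management or an OS update?)"
            bad=1
        fi
    done <<EOF
$tls_lines
EOF
    return "$bad"
}

# ldap_starttls_probe CONF: anonymous base search against the URI in CONF with
# StartTLS required (-ZZ) so a TLS failure is fatal and reported by libldap.
# ldaps:// URIs already negotiate TLS, so -ZZ is omitted for them.
# Add -d 1 to the ldapsearch call for libldap's full TLS trace.
ldap_starttls_probe() {
    conf="$1"
    command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not installed" >&2; return 3; }
    uri=$(grep -Ei '^[[:space:]]*URI[[:space:]]+' "$conf" | awk '{print $2}' | head -n 1)
    [ -n "$uri" ] || { echo "no URI directive in $conf" >&2; return 2; }
    case "$uri" in ldaps://*) tls_flag="" ;; *) tls_flag="-ZZ" ;; esac
    # LDAPCONF makes libldap read TLS settings from this file rather than the default.
    LDAPCONF="$conf" ldapsearch -x $tls_flag -H "$uri" -b '' -s base
}

# Stand-alone usage: ./check.sh /etc/ldap/ldap.conf  (path is an assumption)
if [ "$#" -gt 0 ]; then
    check_ldap_tls_paths "$1" && ldap_starttls_probe "$1"
fi
```

If the path check passes but the probe still fails, the ldapsearch output names the actual TLS problem (untrusted peer certificate, hostname mismatch, and so on) rather than the generic -11 Connect error.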