require that ldap_pvt_thread_t can be cast to u.long and is not wider.
ITS#5010: In ldap_X509dn2bv(), catch error return from ber_decode_oid().

causes ldap_pvt_thread_self to be called with the wrong prototype.

That can cause OpenSSL to use a garbage value, e.g. if the unsigned
long it expects takes two words but ldap_pvt_thread_t is an int.

I'm fixing it in HEAD now and also provoking an error if unsigned
long cannot hold a ldap_pvt_thread_t.  Otherwise it can silently
compile to broken code.  Maybe the latter should go in configure,
but since OpenSSL presumably breaks anyway if that fails I don't
see much point at this time.

The Written Word and Stanford University.

is done

(with notable exceptions: ignore tests for EINTR which winsock never sets)

Move TLS options into struct ldapoptions.
  Added ldap_int_tls_destroy()
  Added LDAP_OPT_X_TLS_NEWCTX to generate new SSL_CTX

with tls_opt_require_cert = TRY or DEMAND. Ignore requirements for clients.

ldap_initializ'ing an LD and before connecting on it. Really all of the
global TLS options belong in the ldapoptions struct, instead of static vars.

keyfile, certfile, cacertfile, or cacertdir is
provided.  Note that TLS can be properly configured
without any of these when non-X.509 cipher suites
are used, so this might have be rethought.