diff --git a/config.h.in b/config.h.in
index 18d97490c..5ed4b5222 100644
--- a/config.h.in
+++ b/config.h.in
@@ -466,6 +466,9 @@
 /* Define to 1 if you use LDAP for sudoers. */
 #undef HAVE_LDAP
 
+/* Define to 1 if you have the <ldapssl.h> header file. */
+#undef HAVE_LDAPSSL_H
+
 /* Define to 1 if you have the `ldapssl_init' function. */
 #undef HAVE_LDAPSSL_INIT
 
diff --git a/configure b/configure
index 9d646661d..f5428e276 100755
--- a/configure
+++ b/configure
@@ -26259,7 +26259,7 @@ done
 	    fi
 	fi
     fi
-    for ac_header in ldap_ssl.h mps/ldap_ssl.h
+    for ac_header in ldapssl.h ldap_ssl.h mps/ldap_ssl.h
 do :
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "#include <ldap.h>
diff --git a/configure.ac b/configure.ac
index 98e4d7295..89ae479e9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4159,7 +4159,7 @@ if test ${with_ldap-'no'} != "no"; then
 	    fi
 	fi
     fi
-    AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
+    AC_CHECK_HEADERS([ldapssl.h] [ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
     AC_CHECK_FUNCS([ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_init ldap_ssl_client_init ldap_start_tls_s_np])
     AC_CHECK_FUNCS([ldap_search_ext_s ldap_search_st], [break])
 
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index d5a647ab4..3a1a44cf1 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -46,7 +46,9 @@
 # include <lber.h>
 #endif
 #include <ldap.h>
-#if defined(HAVE_LDAP_SSL_H)
+#if defined(HAVE_LDAPSSL_H)
+# include <ldapssl.h>
+#elif defined(HAVE_LDAP_SSL_H)
 # include <ldap_ssl.h>
 #elif defined(HAVE_MPS_LDAP_SSL_H)
 # include <mps/ldap_ssl.h>
@@ -262,8 +264,8 @@ sudo_ldap_init(LDAP **ldp, const char *host, int port)
 	ret = ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw,
 	    0, &sslrc);
 	if (ret != LDAP_SUCCESS) {
-	    sudo_warnx("ldap_ssl_client_init(): %s (SSL reason code %d)",
-		ldap_err2string(ret), sslrc);
+	    sudo_warnx("ldap_ssl_client_init(): %s: %s",
+		ldap_err2string(ret), ssl_err2string(sslrc));
 	    goto done;
 	}
 	DPRINTF2("ldap_ssl_init(%s, %d, NULL)", host, port);
@@ -1680,8 +1682,8 @@ sudo_ldap_open(struct sudo_nss *nss)
 	rc = ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw,
 	    0, &sslrc);
 	if (rc != LDAP_SUCCESS) {
-	    sudo_warnx("ldap_ssl_client_init(): %s (SSL reason code %d)",
-		ldap_err2string(rc), sslrc);
+	    sudo_warnx("ldap_ssl_client_init(): %s: %s",
+		ldap_err2string(rc), ssl_err2string(sslrc));
 	    goto done;
 	}
 	rc = ldap_start_tls_s_np(ld, NULL);