I noticed the following bug fix in referral chasing
This seems only to take care of the usage with pam ldap lib. What if
the ldap connection is not from the pam lib? In that case, when an
ldap operation reaches a referral point, would the new connection be
consistent if the original connection is using TLS(and the referral
url is not using ldaps)? Our test shows it is not. Please advice, if
that is also a security hole?