ssl on
ssl start_tls
Most certailnly it will not solve your problem but those are contradictory.
'ssl on' makes pam_ldap tries to connect to the server using port 636 (ldaps)
while 'ssl start_tls' uses the normal 389 port.

Regards,
Thierry