The LDAP authentication module should get support for binddn (i.e. not binding as the user logging in), recursive lookups (nested groups) and SSL.
auth_ldap_binddn and auth_ldap_bindpw should be used if present. Relevant for when you have an LDAP setup where users can’t bind as themselves to check the password.
auth_ldap_recursive and auth_ldap_recursive_maxdepth should be used if present. Useful if a user is a member of a group that is a member of a group that you’re doing the lookup in. auth_ldap_objectclass should also probably be included in this.
SSL should be an option. Currently it assumes ldap:// when doing the bind, and the next-best thing is to use StartTLS (with auth_ldap_starttls = ‘require’), but that isn’t really secure.
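A sketch of the depth-limited nested-group check requested above, added here as an illustration and not taken from the module's code. The in-memory directory, the DNs, the `groupOfNames`/`member` schema and the reading of the depth limit (0 means direct membership only) are assumptions; in a deployment, `groups_containing` would be an LDAP search run over the connection bound with auth_ldap_binddn.

```python
# Constructed sample directory (DN -> entry); stands in for LDAP search results.
G = "ou=groups,dc=example,dc=org"
P = "ou=people,dc=example,dc=org"
DIRECTORY = {
    f"cn=nms-admins,{G}": {"objectClass": "groupOfNames",
                           "member": [f"cn=netops,{G}"]},
    f"cn=netops,{G}": {"objectClass": "groupOfNames",
                       "member": [f"cn=oncall,{G}", f"uid=bob,{P}"]},
    # oncall lists nms-admins as a member, so the nesting contains a cycle.
    f"cn=oncall,{G}": {"objectClass": "groupOfNames",
                       "member": [f"uid=alice,{P}", f"cn=nms-admins,{G}"]},
}


def norm(dn):
    """Simplified DN normalisation: case and surrounding whitespace only."""
    return dn.strip().lower()


def groups_containing(directory, dn, objectclass):
    """Stand-in for a search with filter (&(objectClass=<oc>)(member=<dn>))."""
    return [g for g, entry in directory.items()
            if entry["objectClass"].lower() == objectclass.lower()
            and norm(dn) in map(norm, entry["member"])]


def is_member(directory, user_dn, target_group, recursive=False, maxdepth=0,
              objectclass="groupOfNames"):
    """True if user_dn is in target_group, following nesting up to maxdepth."""
    limit = maxdepth if recursive else 0
    seen = {norm(user_dn)}          # guards against membership cycles
    frontier = [user_dn]
    for _ in range(limit + 1):      # first pass = direct membership
        parents = []
        for dn in frontier:
            for group in groups_containing(directory, dn, objectclass):
                if norm(group) == norm(target_group):
                    return True
                if norm(group) not in seen:
                    seen.add(norm(group))
                    parents.append(group)
        if not parents:             # nothing new to climb into
            return False
        frontier = parents
    return False                    # depth limit reached without a match
```

The `seen` set is what keeps a circular group definition from turning a login attempt into an unbounded series of directory queries; the depth limit alone only caps the cost.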