diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am index 77ca3f571..f56e59a3e 100644 --- a/dirmngr/Makefile.am +++ b/dirmngr/Makefile.am @@ -76,6 +76,7 @@ endif if USE_LDAP dirmngr_SOURCES += ldapserver.h ldapserver.c ldap.c w32-ldap-help.h \ ldap-wrapper.h ldap-parse-uri.c ldap-parse-uri.h \ + ldap-misc.c ldap-misc.h \ ks-engine-ldap.c $(ldap_url) ldap-wrapper.c ldaplibs = $(LDAPLIBS) else @@ -93,7 +94,7 @@ endif dirmngr_LDFLAGS = $(extra_bin_ldflags) if USE_LDAP -dirmngr_ldap_SOURCES = dirmngr_ldap.c $(ldap_url) +dirmngr_ldap_SOURCES = dirmngr_ldap.c ldap-misc.c ldap-misc.h $(ldap_url) dirmngr_ldap_CFLAGS = $(GPG_ERROR_CFLAGS) $(LIBGCRYPT_CFLAGS) dirmngr_ldap_LDFLAGS = dirmngr_ldap_LDADD = $(libcommon) \ @@ -120,7 +121,7 @@ t_common_ldadd = $(libcommon) $(LIBASSUAN_LIBS) $(LIBGCRYPT_LIBS) \ module_tests = t-http-basic if USE_LDAP -module_tests += t-ldap-parse-uri +module_tests += t-ldap-parse-uri t-ldap-misc endif # Test which need a network connections are only used in maintainer mode. 
@@ -156,16 +157,23 @@ t_http_basic_CFLAGS = -DWITHOUT_NPTH=1 $(USE_C99_CFLAGS) \ t_http_basic_LDADD = $(t_common_ldadd) \ $(NTBTLS_LIBS) $(KSBA_LIBS) $(LIBGNUTLS_LIBS) $(DNSLIBS) - t_ldap_parse_uri_SOURCES = \ t-ldap-parse-uri.c ldap-parse-uri.c ldap-parse-uri.h \ - http.c http-common.c dns-stuff.c \ + http.c http-common.c dns-stuff.c ldap-misc.c \ $(ldap_url) $(t_common_src) t_ldap_parse_uri_CFLAGS = -DWITHOUT_NPTH=1 $(USE_C99_CFLAGS) \ $(LIBGCRYPT_CFLAGS) \ $(LIBASSUAN_CFLAGS) $(GPG_ERROR_CFLAGS) t_ldap_parse_uri_LDADD = $(ldaplibs) $(t_common_ldadd) $(DNSLIBS) +t_ldap_misc_SOURCES = t-ldap-misc.c ldap-misc.c ldap-misc.h $(ldap_url) +t_ldap_misc_CFLAGS = -DWITHOUT_NPTH=1 $(GPG_ERROR_CFLAGS) $(LIBGCRYPT_CFLAGS) +t_ldap_misc_LDFLAGS = +t_ldap_misc_LDADD = $(libcommon) \ + $(GPG_ERROR_LIBS) $(LIBGCRYPT_LIBS) $(LDAPLIBS) \ + $(LBER_LIBS) $(LIBINTL) $(LIBICONV) $(NETLIBS) + + t_dns_stuff_CFLAGS = -DWITHOUT_NPTH=1 $(USE_C99_CFLAGS) \ $(LIBGCRYPT_CFLAGS) \ $(LIBASSUAN_CFLAGS) $(GPG_ERROR_CFLAGS) diff --git a/dirmngr/crlfetch.c b/dirmngr/crlfetch.c index c8091f6f6..e355aab16 100644 --- a/dirmngr/crlfetch.c +++ b/dirmngr/crlfetch.c @@ -240,7 +240,7 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader) else { # if USE_LDAP - err = url_fetch_ldap (ctrl, url, NULL, 0, reader); + err = url_fetch_ldap (ctrl, url, reader); # else /*!USE_LDAP*/ err = gpg_error (GPG_ERR_NOT_IMPLEMENTED); # endif /*!USE_LDAP*/ @@ -513,7 +513,7 @@ fetch_cert_by_url (ctrl_t ctrl, const char *url, else /* Assume LDAP. */ { #if USE_LDAP - err = url_fetch_ldap (ctrl, url, NULL, 0, &reader); + err = url_fetch_ldap (ctrl, url, &reader); #else (void)ctrl; (void)url; diff --git a/dirmngr/crlfetch.h b/dirmngr/crlfetch.h index 3822adb54..f30965301 100644 --- a/dirmngr/crlfetch.h +++ b/dirmngr/crlfetch.h 
@@ -62,8 +62,7 @@ void crl_close_reader (ksba_reader_t reader); /*-- ldap.c --*/ gpg_error_t url_fetch_ldap (ctrl_t ctrl, - const char *url, const char *host, int port, - ksba_reader_t *reader); + const char *url, ksba_reader_t *reader); gpg_error_t attr_fetch_ldap (ctrl_t ctrl, const char *dn, const char *attr, ksba_reader_t *reader); diff --git a/dirmngr/dirmngr_ldap.c b/dirmngr/dirmngr_ldap.c index 7d19410f3..ba256a877 100644 --- a/dirmngr/dirmngr_ldap.c +++ b/dirmngr/dirmngr_ldap.c @@ -1,5 +1,5 @@ /* dirmngr-ldap.c - The LDAP helper for dirmngr. - * Copyright (C) 2004 g10 Code GmbH + * Copyright (C) 2004, 2021 g10 Code GmbH * Copyright (C) 2010 Free Software Foundation, Inc. * * This file is part of GnuPG. @@ -52,10 +52,10 @@ #include "../common/stringhelp.h" #include "../common/mischelp.h" #include "../common/strlist.h" - -#include "../common/i18n.h" #include "../common/util.h" #include "../common/init.h" +#include "ldap-misc.h" + /* There is no need for the npth_unprotect and leave functions here; * thus we redefine them to nops. We keep them in the code just for @@ -87,11 +87,11 @@ enum oUser, oPass, oEnvPass, - oDN, - oFilter, + oBase, oAttr, - oTls, - + oStartTLS, + oLdapTLS, + oNtds, oOnlySearchTimeout, oLogWithPID }; 
@@ -99,40 +99,41 @@ enum /* The list of options as used by the argparse.c code. */ static gpgrt_opt_t opts[] = { - { oVerbose, "verbose", 0, N_("verbose") }, - { oQuiet, "quiet", 0, N_("be somewhat more quiet") }, - { oTimeout, "timeout", 1, N_("|N|set LDAP timeout to N seconds")}, - { oMulti, "multi", 0, N_("return all values in" - " a record oriented format")}, + { oVerbose, "verbose", 0, "verbose" }, + { oQuiet, "quiet", 0, "be somewhat more quiet" }, + { oTimeout, "timeout", 1, "|N|set LDAP timeout to N seconds"}, + { oMulti, "multi", 0, "return all values in" + " a record oriented format"}, { oProxy, "proxy", 2, - N_("|NAME|ignore host part and connect through NAME")}, - { oTls, "tls", 0, N_("force a TLS connection")}, - { oHost, "host", 2, N_("|NAME|connect to host NAME")}, - { oPort, "port", 1, N_("|N|connect to port N")}, - { oUser, "user", 2, N_("|NAME|use user NAME for authentication")}, - { oPass, "pass", 2, N_("|PASS|use password PASS" - " for authentication")}, - { oEnvPass, "env-pass", 0, N_("take password from $DIRMNGR_LDAP_PASS")}, - { oDN, "dn", 2, N_("|STRING|query DN STRING")}, - { oFilter, "filter", 2, N_("|STRING|use STRING as filter expression")}, - { oAttr, "attr", 2, N_("|STRING|return the attribute STRING")}, + "|NAME|ignore host part and connect through NAME"}, + { oStartTLS, "starttls", 0, "use STARTLS for the conenction"}, + { oLdapTLS, "ldaptls", 0, "use a TLS for the connection"}, + { oNtds, "ntds", 0, "authenticate using AD"}, + { oHost, "host", 2, "|NAME|connect to host NAME"}, + { oPort, "port", 1, "|N|connect to port N"}, + { oUser, "user", 2, "|NAME|use NAME for authentication"}, + { oPass, "pass", 2, "|PASS|use password PASS" + " for authentication"}, + { oEnvPass, "env-pass", 0, "take password from $DIRMNGR_LDAP_PASS"}, + { oBase, "base", 2, "|DN|Start query at DN"}, + { oAttr, "attr", 2, "|STRING|return the attribute STRING"}, { oOnlySearchTimeout, "only-search-timeout", 0, "@"}, { oLogWithPID,"log-with-pid", 0, "@"}, 
ARGPARSE_end () }; -/* A structure with module options. This is not a static variable - because if we are not build as a standalone binary, each thread - using this module needs to handle its own values. */ -struct my_opt_s +/* A structure with module options. */ +static struct { int quiet; int verbose; my_ldap_timeval_t timeout;/* Timeout for the LDAP search functions. */ unsigned int alarm_timeout; /* And for the alarm based timeout. */ int multi; - int force_tls; + int starttls; + int ldaptls; + int ntds; estream_t outstream; /* Send output to this stream. */ @@ -142,19 +143,18 @@ struct my_opt_s char *user; /* Authentication user. */ char *pass; /* Authentication password. */ char *host; /* Override host. */ - int port; /* Override port. */ - char *dn; /* Override DN. */ - char *filter;/* Override filter. */ + int port; /* Override port. */ + char *base; /* Override DN. */ char *attr; /* Override attribute. */ -}; -typedef struct my_opt_s *my_opt_t; +} opt; /* Prototypes. */ #ifndef HAVE_W32_SYSTEM static void catch_alarm (int dummy); #endif -static int process_url (my_opt_t myopt, const char *url); +static gpg_error_t connect_ldap (LDAP **r_ld); +static gpg_error_t process_filter (LDAP *ld, const char *string); @@ -172,14 +172,14 @@ my_strusage (int level) case 13: p = VERSION; break; case 14: p = GNUPG_DEF_COPYRIGHT_LINE; break; case 17: p = PRINTABLE_OS_NAME; break; - case 19: p = _("Please report bugs to <@EMAIL@>.\n"); break; + case 19: p = "Please report bugs to <@EMAIL@>.\n"; break; case 49: p = PACKAGE_BUGREPORT; break; case 1: case 40: p = - _("Usage: dirmngr_ldap [options] [URL] (-h for help)\n"); + "Usage: dirmngr_ldap [options] filters (-h for help)\n"; break; case 41: p = - _("Syntax: dirmngr_ldap [options] [URL]\n" + ("Syntax: dirmngr_ldap [options] filters\n" "Internal LDAP helper for Dirmngr\n" "Interface and options may change without notice\n"); break; 
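Review bot: Two of the new help strings in the opts[] table carry typos: `{ oStartTLS, "starttls", 0, "use STARTLS for the conenction"}` should read `"use STARTTLS for the connection"`, and the `--ldaptls` text `"use a TLS for the connection"` would be clearer as `"use LDAP-over-TLS (ldaps) for the connection"`. Because this hunk also drops the N_() wrappers, these strings are now emitted verbatim, so the spelling is exactly what --help shows. The retained oPass entry still takes the password on the command line; pointing at the existing alternative in its help text, `"|PASS|use password PASS for authentication (prefer --env-pass)"`, would steer users to the variant that does not expose the password in the process list.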
@@ -197,29 +197,23 @@ main (int argc, char **argv) int any_err = 0; char *p; int only_search_timeout = 0; - struct my_opt_s my_opt_buffer; - my_opt_t myopt = &my_opt_buffer; char *malloced_buffer1 = NULL; - - memset (&my_opt_buffer, 0, sizeof my_opt_buffer); + LDAP *ld; early_system_init (); gpgrt_set_strusage (my_strusage); log_set_prefix ("dirmngr_ldap", GPGRT_LOG_WITH_PREFIX); - /* Setup I18N and common subsystems. */ - i18n_init(); - init_common_subsystems (&argc, &argv); es_set_binary (es_stdout); - myopt->outstream = es_stdout; + opt.outstream = es_stdout; /* LDAP defaults */ - myopt->timeout.tv_sec = DEFAULT_LDAP_TIMEOUT; - myopt->timeout.tv_usec = 0; - myopt->alarm_timeout = 0; + opt.timeout.tv_sec = DEFAULT_LDAP_TIMEOUT; + opt.timeout.tv_usec = 0; + opt.alarm_timeout = 0; /* Parse the command line. */ pargs.argc = &argc; 
@@ -229,27 +223,28 @@ main (int argc, char **argv) { switch (pargs.r_opt) { - case oVerbose: myopt->verbose++; break; - case oQuiet: myopt->quiet++; break; + case oVerbose: opt.verbose++; break; + case oQuiet: opt.quiet++; break; case oTimeout: - myopt->timeout.tv_sec = pargs.r.ret_int; - myopt->timeout.tv_usec = 0; - myopt->alarm_timeout = pargs.r.ret_int; + opt.timeout.tv_sec = pargs.r.ret_int; + opt.timeout.tv_usec = 0; + opt.alarm_timeout = pargs.r.ret_int; break; case oOnlySearchTimeout: only_search_timeout = 1; break; - case oMulti: myopt->multi = 1; break; - case oUser: myopt->user = pargs.r.ret_str; break; - case oPass: myopt->pass = pargs.r.ret_str; break; + case oStartTLS: opt.starttls = 1; opt.ldaptls = 0; break; + case oLdapTLS: opt.starttls = 0; opt.ldaptls = 1; break; + case oNtds: opt.ntds = 1; break; + case oMulti: opt.multi = 1; break; + case oUser: opt.user = pargs.r.ret_str; break; + case oPass: opt.pass = pargs.r.ret_str; break; case oEnvPass: - myopt->pass = getenv ("DIRMNGR_LDAP_PASS"); + opt.pass = getenv ("DIRMNGR_LDAP_PASS"); break; - case oProxy: myopt->proxy = pargs.r.ret_str; break; - case oTls: myopt->force_tls = 1; break; - case oHost: myopt->host = pargs.r.ret_str; break; - case oPort: myopt->port = pargs.r.ret_int; break; - case oDN: myopt->dn = pargs.r.ret_str; break; - case oFilter: myopt->filter = pargs.r.ret_str; break; - case oAttr: myopt->attr = pargs.r.ret_str; break; + case oProxy: opt.proxy = pargs.r.ret_str; break; + case oHost: opt.host = pargs.r.ret_str; break; + case oPort: opt.port = pargs.r.ret_int; break; + case oBase: opt.base = pargs.r.ret_str; break; + case oAttr: opt.attr = pargs.r.ret_str; break; case oLogWithPID: { unsigned int oldflags; 
@@ -266,36 +261,45 @@ main (int argc, char **argv) gpgrt_argparse (NULL, &pargs, NULL); if (only_search_timeout) - myopt->alarm_timeout = 0; + opt.alarm_timeout = 0; - if (myopt->proxy) + if (opt.proxy) { - malloced_buffer1 = xtrystrdup (myopt->proxy); + malloced_buffer1 = xtrystrdup (opt.proxy); if (!malloced_buffer1) { log_error ("error copying string: %s\n", strerror (errno)); return 1; } - myopt->host = malloced_buffer1; - p = strchr (myopt->host, ':'); + opt.host = malloced_buffer1; + p = strchr (opt.host, ':'); if (p) { *p++ = 0; - myopt->port = atoi (p); + opt.port = atoi (p); } - if (!myopt->port) - myopt->port = 389; /* make sure ports gets overridden. */ + if (!opt.port) + opt.port = 389; /* make sure ports gets overridden. */ } - if (myopt->port < 0 || myopt->port > 65535) - log_error (_("invalid port number %d\n"), myopt->port); + if (opt.port < 0 || opt.port > 65535) + log_error ("invalid port number %d\n", opt.port); + + if (!opt.port) + opt.port = opt.ldaptls? 636 : 389; + +#ifndef HAVE_W32_SYSTEM + if (!opt.host) + opt.host = "localhost"; +#endif + if (log_get_errorcount (0)) exit (2); if (argc < 1) gpgrt_usage (1); - if (myopt->alarm_timeout) + if (opt.alarm_timeout) { #ifndef HAVE_W32_SYSTEM # if defined(HAVE_SIGACTION) && defined(HAVE_STRUCT_SIGACTION) @@ -312,9 +316,15 @@ main (int argc, char **argv) #endif } - for (; argc; argc--, argv++) - if (process_url (myopt, *argv)) - any_err = 1; + if (connect_ldap (&ld)) + any_err = 1; + else + { + for (; argc; argc--, argv++) + if (process_filter (ld, *argv)) + any_err = 1; + ldap_unbind (ld); + } xfree (malloced_buffer1); return any_err; 
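Review bot: The new `localhost` fallback is wrapped in `#ifndef HAVE_W32_SYSTEM`, so on Windows opt.host can stay NULL and is later passed as a `%s` argument to `log_error ("error initializing LDAP '%s:%d': %s\n", opt.host, ...)` and `log_info ("LDAP connected to '%s:%d'%s\n", opt.host, ...)` in connect_ldap, which is undefined behaviour for a NULL pointer even where the C library happens to print "(null)". If a NULL host is intentional there to select a default directory server, a comment next to the `#endif` saying so plus `opt.host? opt.host : "[default]"` in those two log calls would make that explicit. The proxy port is still taken with `opt.port = atoi (p);`, so `--proxy host:abc` silently turns into port 389 instead of reaching the `invalid port number` error path; `strtol` with an end-pointer check would catch it. main continues past this hunk.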
@@ -345,16 +355,16 @@ alarm_thread (void *arg) static void -set_timeout (my_opt_t myopt) +set_timeout (void) { - if (myopt->alarm_timeout) + if (opt.alarm_timeout) { #ifdef HAVE_W32_SYSTEM static HANDLE timer; LARGE_INTEGER due_time; /* A negative value is a relative time. */ - due_time.QuadPart = (unsigned long long)-10000000 * myopt->alarm_timeout; + due_time.QuadPart = (unsigned long long)-10000000 * opt.alarm_timeout; if (!timer) { 
@@ -376,15 +386,192 @@ set_timeout (my_opt_t myopt) else /* Retrigger the timer. */ SetWaitableTimer (timer, &due_time, 0, NULL, NULL, 0); #else - alarm (myopt->alarm_timeout); + alarm (opt.alarm_timeout); #endif } } + +/* Connect to the ldap server. On success the connection handle is + * stored at R_LD. */ +static gpg_error_t +connect_ldap (LDAP **r_ld) +{ + gpg_error_t err = 0; + int lerr; + LDAP *ld = NULL; +#ifndef HAVE_W32_SYSTEM + char *tmpstr; +#endif + + *r_ld = NULL; + + if (opt.starttls || opt.ldaptls) + { +#ifndef HAVE_LDAP_START_TLS_S + log_error ("ldap: can't connect to the server: no TLS support."); + err = GPG_ERR_LDAP_NOT_SUPPORTED; + goto leave; +#endif + } + + + set_timeout (); +#ifdef HAVE_W32_SYSTEM + npth_unprotect (); + ld = ldap_sslinit (opt.host, opt.port, opt.ldaptls); + npth_protect (); + if (!ld) + { + lerr = LdapGetLastError (); + err = ldap_err_to_gpg_err (lerr); + log_error ("error initializing LDAP '%s:%d': %s\n", + opt.host, opt.port, ldap_err2string (lerr)); + goto leave; + } +#else /* Unix */ + tmpstr = xtryasprintf ("%s://%s:%d", + opt.ldaptls? "ldaps" : "ldap", + opt.host, opt.port); + if (!tmpstr) + { + err = gpg_error_from_syserror (); + goto leave; + } + npth_unprotect (); + lerr = ldap_initialize (&ld, tmpstr); + npth_protect (); + if (lerr || !ld) + { + err = ldap_err_to_gpg_err (lerr); + log_error ("error initializing LDAP '%s': %s\n", + tmpstr, ldap_err2string (lerr)); + xfree (tmpstr); + goto leave; + } + xfree (tmpstr); +#endif /* Unix */ + + if (opt.verbose) + log_info ("LDAP connected to '%s:%d'%s\n", + opt.host, opt.port, + opt.starttls? " using STARTTLS" : + opt.ldaptls? 
" using LDAP-over-TLS" : ""); + + +#ifdef HAVE_LDAP_SET_OPTION + { + int ver = LDAP_VERSION3; + + lerr = ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &ver); + if (lerr != LDAP_SUCCESS) + { + log_error ("unable to go to LDAP 3: %s\n", ldap_err2string (lerr)); + err = ldap_err_to_gpg_err (lerr); + goto leave; + } + } +#endif + + +#ifdef HAVE_LDAP_START_TLS_S + if (opt.starttls) + { +#ifndef HAVE_W32_SYSTEM + int check_cert = LDAP_OPT_X_TLS_HARD; /* LDAP_OPT_X_TLS_NEVER */ + + lerr = ldap_set_option (ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &check_cert); + if (lerr) + { + log_error ("ldap: error setting an TLS option: %s\n", + ldap_err2string (lerr)); + err = ldap_err_to_gpg_err (lerr); + goto leave; + } +#else + /* On Windows, the certificates are checked by default. If the + option to disable checking mentioned above is ever + implemented, the way to do that on Windows is to install a + callback routine using ldap_set_option (.., + LDAP_OPT_SERVER_CERTIFICATE, ..); */ +#endif + + npth_unprotect (); + lerr = ldap_start_tls_s (ld, +#ifdef HAVE_W32_SYSTEM + /* ServerReturnValue, result */ + NULL, NULL, +#endif + /* ServerControls, ClientControls */ + NULL, NULL); + npth_protect (); + if (lerr) + { + log_error ("ldap: error switching to STARTTLS mode: %s\n", + ldap_err2string (lerr)); + err = ldap_err_to_gpg_err (lerr); + goto leave; + } + } +#endif + + if (opt.ntds) + { + if (opt.verbose) + log_info ("binding to current user via AD\n"); +#ifdef HAVE_W32_SYSTEM + npth_unprotect (); + lerr = ldap_bind_s (ld, NULL, NULL, LDAP_AUTH_NEGOTIATE); + npth_protect (); + if (lerr != LDAP_SUCCESS) + { + log_error ("error binding to LDAP via AD: %s\n", + ldap_err2string (lerr)); + err = ldap_err_to_gpg_err (lerr); + goto leave; + } +#else /* Unix */ + err = gpg_error (GPG_ERR_NOT_SUPPORTED); + goto leave; +#endif /* Unix */ + } + else if (opt.user) + { + if (opt.verbose) + log_info ("LDAP bind to '%s', password '%s'\n", + opt.user, opt.pass ? 
">not_shown<" : ">none<"); + + npth_unprotect (); + lerr = ldap_simple_bind_s (ld, opt.user, opt.pass); + npth_protect (); + if (lerr != LDAP_SUCCESS) + { + log_error ("error binding to LDAP: %s\n", ldap_err2string (lerr)); + err = ldap_err_to_gpg_err (lerr); + goto leave; + } + } + else + { + /* By default we don't bind as there is usually no need to. */ + } + + leave: + if (err) + { + if (ld) + ldap_unbind (ld); + } + else + *r_ld = ld; + return err; +} + + /* Helper for fetch_ldap(). */ static int -print_ldap_entries (my_opt_t myopt, LDAP *ld, LDAPMessage *msg, char *want_attr) +print_ldap_entries (LDAP *ld, LDAPMessage *msg, char *want_attr) { LDAPMessage *item; int any = 0; @@ -396,15 +583,15 @@ print_ldap_entries (my_opt_t myopt, LDAP *ld, LDAPMessage *msg, char *want_attr) BerElement *berctx; char *attr; - if (myopt->verbose > 1) - log_info (_("scanning result for attribute '%s'\n"), + if (opt.verbose > 1) + log_info ("scanning result for attribute '%s'\n", want_attr? want_attr : "[all]"); - if (myopt->multi) + if (opt.multi) { /* Write item marker. */ - if (es_fwrite ("I\0\0\0\0", 5, 1, myopt->outstream) != 1) + if (es_fwrite ("I\0\0\0\0", 5, 1, opt.outstream) != 1) { - log_error (_("error writing to stdout: %s\n"), + log_error ("error writing to stdout: %s\n", strerror (errno)); return -1; } @@ -420,10 +607,10 @@ print_ldap_entries (my_opt_t myopt, LDAP *ld, LDAPMessage *msg, char *want_attr) struct berval **values; int idx; - if (myopt->verbose > 1) - log_info (_(" available attribute '%s'\n"), attr); + if (opt.verbose > 1) + log_info (" available attribute '%s'\n", attr); - set_timeout (myopt); + set_timeout (); /* I case we want only one attribute we do a case insensitive compare without the optional extension 
@@ -458,23 +645,23 @@ print_ldap_entries (my_opt_t myopt, LDAP *ld, LDAPMessage *msg, char *want_attr) if (!values) { - if (myopt->verbose) - log_info (_("attribute '%s' not found\n"), attr); + if (opt.verbose) + log_info ("attribute '%s' not found\n", attr); ldap_memfree (attr); continue; } - if (myopt->verbose) + if (opt.verbose) { - log_info (_("found attribute '%s'\n"), attr); - if (myopt->verbose > 1) + log_info ("found attribute '%s'\n", attr); + if (opt.verbose > 1) for (idx=0; values[idx]; idx++) log_info (" length[%d]=%d\n", idx, (int)values[0]->bv_len); } - if (myopt->multi) + if (opt.multi) { /* Write attribute marker. */ unsigned char tmp[5]; size_t n = strlen (attr); @@ -484,10 +671,10 @@ print_ldap_entries (my_opt_t myopt, LDAP *ld, LDAPMessage *msg, char *want_attr) tmp[2] = (n >> 16); tmp[3] = (n >> 8); tmp[4] = (n); - if (es_fwrite (tmp, 5, 1, myopt->outstream) != 1 - || es_fwrite (attr, n, 1, myopt->outstream) != 1) + if (es_fwrite (tmp, 5, 1, opt.outstream) != 1 + || es_fwrite (attr, n, 1, opt.outstream) != 1) { - log_error (_("error writing to stdout: %s\n"), + log_error ("error writing to stdout: %s\n", strerror (errno)); ldap_value_free_len (values); ldap_memfree (attr); @@ -498,7 +685,7 @@ print_ldap_entries (my_opt_t myopt, LDAP *ld, LDAPMessage *msg, char *want_attr) for (idx=0; values[idx]; idx++) { - if (myopt->multi) + if (opt.multi) { /* Write value marker. */ unsigned char tmp[5]; size_t n = values[0]->bv_len; @@ -509,9 +696,9 @@ print_ldap_entries (my_opt_t myopt, LDAP *ld, LDAPMessage *msg, char *want_attr) tmp[3] = (n >> 8); tmp[4] = (n); - if (es_fwrite (tmp, 5, 1, myopt->outstream) != 1) + if (es_fwrite (tmp, 5, 1, opt.outstream) != 1) { - log_error (_("error writing to stdout: %s\n"), + log_error ("error writing to stdout: %s\n", strerror (errno)); ldap_value_free_len (values); ldap_memfree (attr); 
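Review bot: The verbose length dump in this hunk reports `(int)values[0]->bv_len` inside the `for (idx=0; values[idx]; idx++)` loop, and the same `values[0]` indexing recurs on the changed lines of the value-marker and value-write hunks (@@ -498 and @@ -521), where `size_t n = values[0]->bv_len;` and `es_fwrite (values[0]->bv_val, values[0]->bv_len, 1, opt.outstream)` run once per idx. Unless only the first value is ever meant to be emitted, which the trailing `if (!opt.multi) break;` already covers for single mode, this looks like it should be `values[idx]` in all three places so that --multi returns each value rather than the first one repeated. These lines are unchanged apart from the opt rename, so the defect predates the commit; print_ldap_entries begins and ends outside the hunk.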
@@ -521,9 +708,9 @@ print_ldap_entries (my_opt_t myopt, LDAP *ld, LDAPMessage *msg, char *want_attr) } if (es_fwrite (values[0]->bv_val, values[0]->bv_len, - 1, myopt->outstream) != 1) + 1, opt.outstream) != 1) { - log_error (_("error writing to stdout: %s\n"), + log_error ("error writing to stdout: %s\n", strerror (errno)); ldap_value_free_len (values); ldap_memfree (attr); @@ -532,18 +719,18 @@ print_ldap_entries (my_opt_t myopt, LDAP *ld, LDAPMessage *msg, char *want_attr) } any = 1; - if (!myopt->multi) + if (!opt.multi) break; /* Print only the first value. */ } ldap_value_free_len (values); ldap_memfree (attr); - if (want_attr || !myopt->multi) + if (want_attr || !opt.multi) break; /* We only want to return the first attribute. */ } ber_free (berctx, 0); } - if (myopt->verbose > 1 && any) + if (opt.verbose > 1 && any) log_info ("result has been printed\n"); return any?0:-1; 
@@ -551,183 +738,51 @@ print_ldap_entries (my_opt_t myopt, LDAP *ld, LDAPMessage *msg, char *want_attr) -/* Helper for the URL based LDAP query. */ +/* Fetch data from the server at LD using FILTER. */ static int -fetch_ldap (my_opt_t myopt, const char *url, const LDAPURLDesc *ludp) +fetch_ldap (LDAP *ld, const char *base, int scope, const char *filter) { - LDAP *ld; + gpg_error_t err; + int lerr; LDAPMessage *msg; - int rc = 0; - char *host, *dn, *filter, *attrs[2], *attr; - int port; - int ret; - int usetls; + char *attrs[2]; - host = myopt->host? myopt->host : ludp->lud_host; - port = myopt->port? myopt->port : ludp->lud_port; - dn = myopt->dn? myopt->dn : ludp->lud_dn; - filter = myopt->filter? myopt->filter : ludp->lud_filter; - attrs[0] = myopt->attr? myopt->attr : ludp->lud_attrs? ludp->lud_attrs[0]:NULL; - attrs[1] = NULL; - attr = attrs[0]; + if (filter && !*filter) + filter = NULL; - if (!port && myopt->force_tls) - port = 636; - else if (!port) - port = (ludp->lud_scheme && !strcmp (ludp->lud_scheme, "ldaps"))? 
636:389; - - if (myopt->verbose) + if (opt.verbose) { - log_info (_("processing url '%s'\n"), url); - if (myopt->force_tls) - log_info ("forcing tls\n"); - else - log_info ("not forcing tls\n"); - - if (myopt->user) - log_info (_(" user '%s'\n"), myopt->user); - if (myopt->pass) - log_info (_(" pass '%s'\n"), *myopt->pass?"*****":""); - if (host) - log_info (_(" host '%s'\n"), host); - log_info (_(" port %d\n"), port); - if (dn) - log_info (_(" DN '%s'\n"), dn); + log_info ("fetching using"); + if (base) + log_printf (" base '%s'", base); if (filter) - log_info (_(" filter '%s'\n"), filter); - if (myopt->multi && !myopt->attr && ludp->lud_attrs) - { - int i; - for (i=0; ludp->lud_attrs[i]; i++) - log_info (_(" attr '%s'\n"), ludp->lud_attrs[i]); - } - else if (attr) - log_info (_(" attr '%s'\n"), attr); + log_printf (" filter '%s'", filter); + log_printf ("\n"); } + attrs[0] = opt.attr; + attrs[1] = NULL; - if (!host || !*host) - { - log_error (_("no host name in '%s'\n"), url); - return -1; - } - if (!myopt->multi && !attr) - { - log_error (_("no attribute given for query '%s'\n"), url); - return -1; - } - - if (!myopt->multi && !myopt->attr - && ludp->lud_attrs && ludp->lud_attrs[0] && ludp->lud_attrs[1]) - log_info (_("WARNING: using first attribute only\n")); - - set_timeout (myopt); - - usetls = (myopt->force_tls - || (ludp->lud_scheme && !strcmp (ludp->lud_scheme, "ldaps"))); -#if HAVE_W32_SYSTEM - if (1) - { - npth_unprotect (); - ld = ldap_sslinit (host, port, usetls); - npth_protect (); - if (!ld) - { - ret = LdapGetLastError (); - log_error (_("LDAP init to '%s:%d' failed: %s\n"), - host, port, ldap_err2string (ret)); - return -1; - } - } -#else /*!W32*/ - if (usetls) - { - char *uri; - - uri = xtryasprintf ("ldaps://%s:%d", host, port); - if (!uri) - { - log_error (_("error allocating memory: %s\n"), - gpg_strerror (gpg_error_from_syserror ())); - return -1; - } - npth_unprotect (); - ret = ldap_initialize (&ld, uri); - npth_protect (); - if (ret) - { - 
log_error (_("LDAP init to '%s' failed: %s\n"), - uri, ldap_err2string (ret)); - xfree (uri); - return -1; - } - else if (myopt->verbose) - log_info (_("LDAP init to '%s' done\n"), uri); - xfree (uri); - } - else - { - /* Keep the old way so to avoid regressions. Eventually we - * should really consider the supplied scheme and use only - * ldap_initialize. */ - npth_unprotect (); - ld = ldap_init (host, port); - npth_protect (); - if (!ld) - { - log_error (_("LDAP init to '%s:%d' failed: %s\n"), - host, port, strerror (errno)); - return -1; - } - } -#endif /*!W32*/ - + set_timeout (); npth_unprotect (); - /* Fixme: Can we use MYOPT->user or is it shared with other theeads?. */ - ret = ldap_simple_bind_s (ld, myopt->user, myopt->pass); + lerr = ldap_search_st (ld, base, scope, filter, + attrs, + 0, + &opt.timeout, &msg); npth_protect (); -#ifdef LDAP_VERSION3 - if (ret == LDAP_PROTOCOL_ERROR) + if (lerr == LDAP_SIZELIMIT_EXCEEDED && opt.multi) { - /* Protocol error could mean that the server only supports v3. */ - int version = LDAP_VERSION3; - if (myopt->verbose) - log_info ("protocol error; retrying bind with v3 protocol\n"); - npth_unprotect (); - ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version); - ret = ldap_simple_bind_s (ld, myopt->user, myopt->pass); - npth_protect (); - } -#endif - if (ret) - { - log_error (_("binding to '%s:%d' failed: %s\n"), - host, port, ldap_err2string (ret)); - ldap_unbind (ld); - return -1; - } - - set_timeout (myopt); - npth_unprotect (); - rc = ldap_search_st (ld, dn, ludp->lud_scope, filter, - myopt->multi && !myopt->attr && ludp->lud_attrs? 
- ludp->lud_attrs:attrs, - 0, - &myopt->timeout, &msg); - npth_protect (); - if (rc == LDAP_SIZELIMIT_EXCEEDED && myopt->multi) - { - if (es_fwrite ("E\0\0\0\x09truncated", 14, 1, myopt->outstream) != 1) + if (es_fwrite ("E\0\0\0\x09truncated", 14, 1, opt.outstream) != 1) { - log_error (_("error writing to stdout: %s\n"), strerror (errno)); + log_error ("error writing to stdout: %s\n", strerror (errno)); return -1; } } - else if (rc) + else if (lerr) { - log_error (_("searching '%s' failed: %s\n"), - url, ldap_err2string (rc)); - if (rc != LDAP_NO_SUCH_OBJECT) + log_error ("searching '%s' failed: %s\n", + filter, ldap_err2string (lerr)); + if (lerr != LDAP_NO_SUCH_OBJECT) { /* FIXME: Need deinit (ld)? */ /* Hmmm: Do we need to released MSG in case of an error? */ 
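Review bot: The rewritten error path logs `log_error ("searching '%s' failed: %s\n", filter, ldap_err2string (lerr));`, but filter is deliberately turned into NULL a few lines earlier by `if (filter && !*filter) filter = NULL;` and may also arrive as NULL from the caller, so a failed search with an empty filter passes NULL to a `%s` conversion. Use `filter? filter : "(none)"` there, and consider logging base as well, since the old message named the whole URL and the filter alone no longer identifies the query. The pre-existing FIXME about releasing MSG on the error path is still open, and with the LDAP handle now shared across every filter given on the command line any result left unreleased accumulates per failing filter; an `ldap_msgfree (msg)` when lerr is set and msg is non-NULL would settle it, if the library guarantees msg is defined on error. fetch_ldap's body continues past this hunk.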
@@ -735,39 +790,43 @@ fetch_ldap (my_opt_t myopt, const char *url, const LDAPURLDesc *ludp) } } - rc = print_ldap_entries (myopt, ld, msg, myopt->multi? NULL:attr); + err = print_ldap_entries (ld, msg, opt.multi? NULL:opt.attr); ldap_msgfree (msg); - ldap_unbind (ld); - return rc; + return err; } -/* Main processing. Take the URL and run the LDAP query. The result - is printed to stdout, errors are logged to the log stream. */ -static int -process_url (my_opt_t myopt, const char *url) +/* Main processing. Take the filter and run the LDAP query. The + * result is printed to stdout, errors are logged to the log stream. + * To allow searching with a different base it is possible to extend + * the filer. For example: + * + * ^CN=foo, OU=My Users&(objectClasses=*) + * + * Uses "CN=foo, OU=My Users" as base DN and "(objectClasses=*)" as + * filter. If the base prefix includes an ampersand, it needs to be + * doubled. The usual escaping rules for DNs (for the base) and + * filters apply. If no scope is given (see ldap_parse_extfilter for + * the syntax) subtree scope is used. + */ +static gpg_error_t +process_filter (LDAP *ld, const char *string) { - int rc; - LDAPURLDesc *ludp = NULL; + gpg_error_t err; + char *base, *filter; + int scope = -1; + err = ldap_parse_extfilter (string, 0, &base, &scope, &filter); + if (!err) + err = fetch_ldap (ld, + base? base : opt.base, + scope == -1? LDAP_SCOPE_SUBTREE : scope, + filter); - if (!ldap_is_ldap_url (url)) - { - log_error (_("'%s' is not an LDAP URL\n"), url); - return -1; - } - - if (ldap_url_parse (url, &ludp)) - { - log_error (_("'%s' is an invalid LDAP URL\n"), url); - return -1; - } - - rc = fetch_ldap (myopt, url, ludp); - - ldap_free_urldesc (ludp); - return rc; + xfree (base); + xfree (filter); + return err; } diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c index 22700efd5..25f03c3f6 100644 --- a/dirmngr/ks-engine-ldap.c +++ b/dirmngr/ks-engine-ldap.c 
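Review bot: In process_filter the outputs `char *base, *filter;` are uninitialised, yet both are handed to `xfree` after `ldap_parse_extfilter (string, 0, &base, &scope, &filter)` even when that call fails; unless the function guarantees to set both pointers on every return, declare them as `char *base = NULL, *filter = NULL;`. fetch_ldap is still declared `static int` and print_ldap_entries returns `any?0:-1`, but the hunk stores that result in `gpg_error_t err` and returns it into process_filter's `gpg_error_t err`, so a -1 is carried around as an unsigned value that is not a real gpg_error_t and would print nonsense through gpg_strerror; either keep an `int rc` inside fetch_ldap or map the failure with `gpg_error (GPG_ERR_GENERAL)`. The new doc comment reads "extend the filer" where "extend the filter" is meant.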
@@ -28,27 +28,15 @@ # include #endif #include -#include -#include - -#ifdef _WIN32 -# include -# include -#else -# ifdef NEED_LBER_H -# include -# endif -/* For OpenLDAP, to enable the API that we're using. */ -# define LDAP_DEPRECATED 1 -# include -#endif #include + #include "dirmngr.h" #include "misc.h" #include "../common/userids.h" #include "../common/mbox-util.h" #include "ks-engine.h" +#include "ldap-misc.h" #include "ldap-parse-uri.h" #include "ldapserver.h" 
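Review bot: The hunk removes the `#define LDAP_DEPRECATED 1` that previously preceded the OpenLDAP header in this translation unit, along with the `_WIN32`/`NEED_LBER_H` include selection, and replaces them with `#include "ldap-misc.h"`. If ldap-misc.h (not part of this diff) does not set that define before including the LDAP header, the deprecated API calls in ks-engine-ldap.c lose their prototypes on OpenLDAP builds; a one-line comment at the include site, `/* ldap-misc.h pulls in the LDAP headers with LDAP_DEPRECATED set.  */`, would record the dependency for the next reader.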
@@ -60,177 +48,11 @@ #define SERVERINFO_NTDS 8 /* Server is an Active Directory. */ - #ifndef HAVE_TIMEGM time_t timegm(struct tm *tm); #endif - -/* Convert an LDAP error to a GPG error. */ -static int -ldap_err_to_gpg_err (int code) -{ - gpg_err_code_t ec; - switch (code) - { -#ifdef LDAP_X_CONNECTING - case LDAP_X_CONNECTING: ec = GPG_ERR_LDAP_X_CONNECTING; break; -#endif - case LDAP_REFERRAL_LIMIT_EXCEEDED: ec = GPG_ERR_LDAP_REFERRAL_LIMIT; break; - case LDAP_CLIENT_LOOP: ec = GPG_ERR_LDAP_CLIENT_LOOP; break; - case LDAP_NO_RESULTS_RETURNED: ec = GPG_ERR_LDAP_NO_RESULTS; break; - case LDAP_CONTROL_NOT_FOUND: ec = GPG_ERR_LDAP_CONTROL_NOT_FOUND; break; - case LDAP_NOT_SUPPORTED: ec = GPG_ERR_LDAP_NOT_SUPPORTED; break; - case LDAP_CONNECT_ERROR: ec = GPG_ERR_LDAP_CONNECT; break; - case LDAP_NO_MEMORY: ec = GPG_ERR_LDAP_NO_MEMORY; break; - case LDAP_PARAM_ERROR: ec = GPG_ERR_LDAP_PARAM; break; - case LDAP_USER_CANCELLED: ec = GPG_ERR_LDAP_USER_CANCELLED; break; - case LDAP_FILTER_ERROR: ec = GPG_ERR_LDAP_FILTER; break; - case LDAP_AUTH_UNKNOWN: ec = GPG_ERR_LDAP_AUTH_UNKNOWN; break; - case LDAP_TIMEOUT: ec = GPG_ERR_LDAP_TIMEOUT; break; - case LDAP_DECODING_ERROR: ec = GPG_ERR_LDAP_DECODING; break; - case LDAP_ENCODING_ERROR: ec = GPG_ERR_LDAP_ENCODING; break; - case LDAP_LOCAL_ERROR: ec = GPG_ERR_LDAP_LOCAL; break; - case LDAP_SERVER_DOWN: ec = GPG_ERR_LDAP_SERVER_DOWN; break; - - case LDAP_SUCCESS: ec = GPG_ERR_LDAP_SUCCESS; break; - - case LDAP_OPERATIONS_ERROR: ec = GPG_ERR_LDAP_OPERATIONS; break; - case LDAP_PROTOCOL_ERROR: ec = GPG_ERR_LDAP_PROTOCOL; break; - case LDAP_TIMELIMIT_EXCEEDED: ec = GPG_ERR_LDAP_TIMELIMIT; break; - case LDAP_SIZELIMIT_EXCEEDED: ec = GPG_ERR_LDAP_SIZELIMIT; break; - case LDAP_COMPARE_FALSE: ec = GPG_ERR_LDAP_COMPARE_FALSE; break; - case LDAP_COMPARE_TRUE: ec = GPG_ERR_LDAP_COMPARE_TRUE; break; - case LDAP_AUTH_METHOD_NOT_SUPPORTED: ec=GPG_ERR_LDAP_UNSUPPORTED_AUTH;break; - case LDAP_STRONG_AUTH_REQUIRED: ec = 
GPG_ERR_LDAP_STRONG_AUTH_RQRD; break; - case LDAP_PARTIAL_RESULTS: ec = GPG_ERR_LDAP_PARTIAL_RESULTS; break; - case LDAP_REFERRAL: ec = GPG_ERR_LDAP_REFERRAL; break; - -#ifdef LDAP_ADMINLIMIT_EXCEEDED - case LDAP_ADMINLIMIT_EXCEEDED: ec = GPG_ERR_LDAP_ADMINLIMIT; break; -#endif - -#ifdef LDAP_UNAVAILABLE_CRITICAL_EXTENSION - case LDAP_UNAVAILABLE_CRITICAL_EXTENSION: - ec = GPG_ERR_LDAP_UNAVAIL_CRIT_EXTN; break; -#endif - - case LDAP_CONFIDENTIALITY_REQUIRED: ec = GPG_ERR_LDAP_CONFIDENT_RQRD; break; - case LDAP_SASL_BIND_IN_PROGRESS: ec = GPG_ERR_LDAP_SASL_BIND_INPROG; break; - case LDAP_NO_SUCH_ATTRIBUTE: ec = GPG_ERR_LDAP_NO_SUCH_ATTRIBUTE; break; - case LDAP_UNDEFINED_TYPE: ec = GPG_ERR_LDAP_UNDEFINED_TYPE; break; - case LDAP_INAPPROPRIATE_MATCHING: ec = GPG_ERR_LDAP_BAD_MATCHING; break; - case LDAP_CONSTRAINT_VIOLATION: ec = GPG_ERR_LDAP_CONST_VIOLATION; break; - -#ifdef LDAP_TYPE_OR_VALUE_EXISTS - case LDAP_TYPE_OR_VALUE_EXISTS: ec = GPG_ERR_LDAP_TYPE_VALUE_EXISTS; break; -#endif - - case LDAP_INVALID_SYNTAX: ec = GPG_ERR_LDAP_INV_SYNTAX; break; - case LDAP_NO_SUCH_OBJECT: ec = GPG_ERR_LDAP_NO_SUCH_OBJ; break; - case LDAP_ALIAS_PROBLEM: ec = GPG_ERR_LDAP_ALIAS_PROBLEM; break; - case LDAP_INVALID_DN_SYNTAX: ec = GPG_ERR_LDAP_INV_DN_SYNTAX; break; - case LDAP_IS_LEAF: ec = GPG_ERR_LDAP_IS_LEAF; break; - case LDAP_ALIAS_DEREF_PROBLEM: ec = GPG_ERR_LDAP_ALIAS_DEREF; break; - -#ifdef LDAP_X_PROXY_AUTHZ_FAILURE - case LDAP_X_PROXY_AUTHZ_FAILURE: ec = GPG_ERR_LDAP_X_PROXY_AUTH_FAIL; break; -#endif - - case LDAP_INAPPROPRIATE_AUTH: ec = GPG_ERR_LDAP_BAD_AUTH; break; - case LDAP_INVALID_CREDENTIALS: ec = GPG_ERR_LDAP_INV_CREDENTIALS; break; - -#ifdef LDAP_INSUFFICIENT_ACCESS - case LDAP_INSUFFICIENT_ACCESS: ec = GPG_ERR_LDAP_INSUFFICIENT_ACC; break; -#endif - - case LDAP_BUSY: ec = GPG_ERR_LDAP_BUSY; break; - case LDAP_UNAVAILABLE: ec = GPG_ERR_LDAP_UNAVAILABLE; break; - case LDAP_UNWILLING_TO_PERFORM: ec = GPG_ERR_LDAP_UNWILL_TO_PERFORM; break; - case LDAP_LOOP_DETECT: 
ec = GPG_ERR_LDAP_LOOP_DETECT; break; - case LDAP_NAMING_VIOLATION: ec = GPG_ERR_LDAP_NAMING_VIOLATION; break; - case LDAP_OBJECT_CLASS_VIOLATION: ec = GPG_ERR_LDAP_OBJ_CLS_VIOLATION; break; - case LDAP_NOT_ALLOWED_ON_NONLEAF: ec=GPG_ERR_LDAP_NOT_ALLOW_NONLEAF;break; - case LDAP_NOT_ALLOWED_ON_RDN: ec = GPG_ERR_LDAP_NOT_ALLOW_ON_RDN; break; - case LDAP_ALREADY_EXISTS: ec = GPG_ERR_LDAP_ALREADY_EXISTS; break; - case LDAP_NO_OBJECT_CLASS_MODS: ec = GPG_ERR_LDAP_NO_OBJ_CLASS_MODS; break; - case LDAP_RESULTS_TOO_LARGE: ec = GPG_ERR_LDAP_RESULTS_TOO_LARGE; break; - case LDAP_AFFECTS_MULTIPLE_DSAS: ec = GPG_ERR_LDAP_AFFECTS_MULT_DSAS; break; - -#ifdef LDAP_VLV_ERROR - case LDAP_VLV_ERROR: ec = GPG_ERR_LDAP_VLV; break; -#endif - - case LDAP_OTHER: ec = GPG_ERR_LDAP_OTHER; break; - -#ifdef LDAP_CUP_RESOURCES_EXHAUSTED - case LDAP_CUP_RESOURCES_EXHAUSTED: ec=GPG_ERR_LDAP_CUP_RESOURCE_LIMIT;break; - case LDAP_CUP_SECURITY_VIOLATION: ec=GPG_ERR_LDAP_CUP_SEC_VIOLATION; break; - case LDAP_CUP_INVALID_DATA: ec = GPG_ERR_LDAP_CUP_INV_DATA; break; - case LDAP_CUP_UNSUPPORTED_SCHEME: ec = GPG_ERR_LDAP_CUP_UNSUP_SCHEME; break; - case LDAP_CUP_RELOAD_REQUIRED: ec = GPG_ERR_LDAP_CUP_RELOAD; break; -#endif - -#ifdef LDAP_CANCELLED - case LDAP_CANCELLED: ec = GPG_ERR_LDAP_CANCELLED; break; -#endif - -#ifdef LDAP_NO_SUCH_OPERATION - case LDAP_NO_SUCH_OPERATION: ec = GPG_ERR_LDAP_NO_SUCH_OPERATION; break; -#endif - -#ifdef LDAP_TOO_LATE - case LDAP_TOO_LATE: ec = GPG_ERR_LDAP_TOO_LATE; break; -#endif - -#ifdef LDAP_CANNOT_CANCEL - case LDAP_CANNOT_CANCEL: ec = GPG_ERR_LDAP_CANNOT_CANCEL; break; -#endif - -#ifdef LDAP_ASSERTION_FAILED - case LDAP_ASSERTION_FAILED: ec = GPG_ERR_LDAP_ASSERTION_FAILED; break; -#endif - -#ifdef LDAP_PROXIED_AUTHORIZATION_DENIED - case LDAP_PROXIED_AUTHORIZATION_DENIED: - ec = GPG_ERR_LDAP_PROX_AUTH_DENIED; break; -#endif - - default: -#if defined(LDAP_E_ERROR) && defined(LDAP_X_ERROR) - if (LDAP_E_ERROR (code)) - ec = GPG_ERR_LDAP_E_GENERAL; - else if 
(LDAP_X_ERROR (code)) - ec = GPG_ERR_LDAP_X_GENERAL; - else -#endif - ec = GPG_ERR_LDAP_GENERAL; - break; - } - - return ec; -} - -/* Retrieve an LDAP error and return it's GPG equivalent. */ -static int -ldap_to_gpg_err (LDAP *ld) -{ -#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER) - int err; - - if (ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, &err) == 0) - return ldap_err_to_gpg_err (err); - else - return GPG_ERR_GENERAL; -#elif defined(HAVE_LDAP_LD_ERRNO) - return ldap_err_to_gpg_err (ld->ld_errno); -#else - /* We should never get here since the LDAP library should always - have either ldap_get_option or ld_errno, but just in case... */ - return GPG_ERR_INTERNAL; -#endif -} static time_t ldap2epochtime (const char *timestr) @@ -1829,7 +1651,7 @@ uncescape (char *str) && hexdigitp (str + r + 3)) { int x = hextobyte (&str[r + 2]); - assert (0 <= x && x <= 0xff); + log_assert (0 <= x && x <= 0xff); str[w] = x; @@ -2202,8 +2024,8 @@ ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri, { dump = es_fopen("/tmp/modlist.txt", "w"); if (! dump) - log_error ("Failed to open /tmp/modlist.txt: %s\n", - strerror (errno)); + log_error ("failed to open /tmp/modlist.txt: %s\n", + gpg_strerror (gpg_error_from_syserror ())); if (dump) { diff --git a/dirmngr/ldap-misc.c b/dirmngr/ldap-misc.c new file mode 100644 index 000000000..42f9c7afc --- /dev/null +++ b/dirmngr/ldap-misc.c 
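Review bot: The reworded error message in ks_ldap_put leaves the debug dump at the fixed path `/tmp/modlist.txt` on the context line above untouched; a predictable name in a world-writable directory opened with `"w"` follows a pre-existing symlink, so even a debugging aid is a risk on a multi-user host. If the dump is kept, writing it below the user's GnuPG home directory or compiling it out of release builds would be the safer option. The condition guarding this block starts outside the hunk, so I cannot tell whether it is reachable without a debug flag.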
@@ -0,0 +1,332 @@
+/* ldap-misc.c - Miscellaneous helpers for LDAP functions
+ * Copyright (C) 2015, 2021 g10 Code GmbH
+ *
+ * This file is part of GnuPG.
+ *
+ * GnuPG is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuPG is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see .
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ */
+
+#include
+#include
+#include
+#include
+
+#include "dirmngr-err.h"
+#include "../common/util.h"
+#include "ldap-misc.h"
+
+
+/* Convert an LDAP error to a GPG error. */
+gpg_err_code_t
+ldap_err_to_gpg_err (int code)
+{
+ gpg_err_code_t ec;
+
+ switch (code)
+ {
+#ifdef LDAP_X_CONNECTING
+ case LDAP_X_CONNECTING: ec = GPG_ERR_LDAP_X_CONNECTING; break;
+#endif
+
+ case LDAP_REFERRAL_LIMIT_EXCEEDED: ec = GPG_ERR_LDAP_REFERRAL_LIMIT; break;
+ case LDAP_CLIENT_LOOP: ec = GPG_ERR_LDAP_CLIENT_LOOP; break;
+ case LDAP_NO_RESULTS_RETURNED: ec = GPG_ERR_LDAP_NO_RESULTS; break;
+ case LDAP_CONTROL_NOT_FOUND: ec = GPG_ERR_LDAP_CONTROL_NOT_FOUND; break;
+ case LDAP_NOT_SUPPORTED: ec = GPG_ERR_LDAP_NOT_SUPPORTED; break;
+ case LDAP_CONNECT_ERROR: ec = GPG_ERR_LDAP_CONNECT; break;
+ case LDAP_NO_MEMORY: ec = GPG_ERR_LDAP_NO_MEMORY; break;
+ case LDAP_PARAM_ERROR: ec = GPG_ERR_LDAP_PARAM; break;
+ case LDAP_USER_CANCELLED: ec = GPG_ERR_LDAP_USER_CANCELLED; break;
+ case LDAP_FILTER_ERROR: ec = GPG_ERR_LDAP_FILTER; break;
+ case LDAP_AUTH_UNKNOWN: ec = GPG_ERR_LDAP_AUTH_UNKNOWN; break;
+ case LDAP_TIMEOUT: ec = GPG_ERR_LDAP_TIMEOUT; break;
+ case LDAP_DECODING_ERROR: ec = GPG_ERR_LDAP_DECODING; break;
+ case LDAP_ENCODING_ERROR: ec = GPG_ERR_LDAP_ENCODING; break;
+ case LDAP_LOCAL_ERROR: ec = GPG_ERR_LDAP_LOCAL; break;
+ case LDAP_SERVER_DOWN: ec = GPG_ERR_LDAP_SERVER_DOWN; break;
+
+ case LDAP_SUCCESS: ec = GPG_ERR_LDAP_SUCCESS; break;
+
+ case LDAP_OPERATIONS_ERROR: ec = GPG_ERR_LDAP_OPERATIONS; break;
+ case LDAP_PROTOCOL_ERROR: ec = GPG_ERR_LDAP_PROTOCOL; break;
+ case LDAP_TIMELIMIT_EXCEEDED: ec = GPG_ERR_LDAP_TIMELIMIT; break;
+ case LDAP_SIZELIMIT_EXCEEDED: ec = GPG_ERR_LDAP_SIZELIMIT; break;
+ case LDAP_COMPARE_FALSE: ec = GPG_ERR_LDAP_COMPARE_FALSE; break;
+ case LDAP_COMPARE_TRUE: ec = GPG_ERR_LDAP_COMPARE_TRUE; break;
+ case LDAP_AUTH_METHOD_NOT_SUPPORTED: ec=GPG_ERR_LDAP_UNSUPPORTED_AUTH;break;
+ case LDAP_STRONG_AUTH_REQUIRED: ec = GPG_ERR_LDAP_STRONG_AUTH_RQRD; break;
+ case LDAP_PARTIAL_RESULTS: ec = GPG_ERR_LDAP_PARTIAL_RESULTS; break;
+ case LDAP_REFERRAL: ec = GPG_ERR_LDAP_REFERRAL; break;
+
+#ifdef LDAP_ADMINLIMIT_EXCEEDED
+ case LDAP_ADMINLIMIT_EXCEEDED: ec = GPG_ERR_LDAP_ADMINLIMIT; break;
+#endif
+
+#ifdef LDAP_UNAVAILABLE_CRITICAL_EXTENSION
+ case LDAP_UNAVAILABLE_CRITICAL_EXTENSION:
+ ec = GPG_ERR_LDAP_UNAVAIL_CRIT_EXTN; break;
+#endif
+
+ case LDAP_CONFIDENTIALITY_REQUIRED: ec = GPG_ERR_LDAP_CONFIDENT_RQRD; break;
+ case LDAP_SASL_BIND_IN_PROGRESS: ec = GPG_ERR_LDAP_SASL_BIND_INPROG; break;
+ case LDAP_NO_SUCH_ATTRIBUTE: ec = GPG_ERR_LDAP_NO_SUCH_ATTRIBUTE; break;
+ case LDAP_UNDEFINED_TYPE: ec = GPG_ERR_LDAP_UNDEFINED_TYPE; break;
+ case LDAP_INAPPROPRIATE_MATCHING: ec = GPG_ERR_LDAP_BAD_MATCHING; break;
+ case LDAP_CONSTRAINT_VIOLATION: ec = GPG_ERR_LDAP_CONST_VIOLATION; break;
+
+#ifdef LDAP_TYPE_OR_VALUE_EXISTS
+ case LDAP_TYPE_OR_VALUE_EXISTS: ec = GPG_ERR_LDAP_TYPE_VALUE_EXISTS; break;
+#endif
+
+ case LDAP_INVALID_SYNTAX: ec = GPG_ERR_LDAP_INV_SYNTAX; break;
+ case LDAP_NO_SUCH_OBJECT: ec = GPG_ERR_LDAP_NO_SUCH_OBJ; break;
+ case LDAP_ALIAS_PROBLEM: ec = GPG_ERR_LDAP_ALIAS_PROBLEM; break;
+ case LDAP_INVALID_DN_SYNTAX: ec = GPG_ERR_LDAP_INV_DN_SYNTAX; break;
+ case LDAP_IS_LEAF: ec = GPG_ERR_LDAP_IS_LEAF; break;
+ case LDAP_ALIAS_DEREF_PROBLEM: ec = GPG_ERR_LDAP_ALIAS_DEREF; break;
+
+#ifdef LDAP_X_PROXY_AUTHZ_FAILURE
+ case LDAP_X_PROXY_AUTHZ_FAILURE: ec = GPG_ERR_LDAP_X_PROXY_AUTH_FAIL; break;
+#endif
+
+ case LDAP_INAPPROPRIATE_AUTH: ec = GPG_ERR_LDAP_BAD_AUTH; break;
+ case LDAP_INVALID_CREDENTIALS: ec = GPG_ERR_LDAP_INV_CREDENTIALS; break;
+
+#ifdef LDAP_INSUFFICIENT_ACCESS
+ case LDAP_INSUFFICIENT_ACCESS: ec = GPG_ERR_LDAP_INSUFFICIENT_ACC; break;
+#endif
+
+ case LDAP_BUSY: ec = GPG_ERR_LDAP_BUSY; break;
+ case LDAP_UNAVAILABLE: ec = GPG_ERR_LDAP_UNAVAILABLE; break;
+ case LDAP_UNWILLING_TO_PERFORM: ec = GPG_ERR_LDAP_UNWILL_TO_PERFORM; break;
+ case LDAP_LOOP_DETECT: ec = GPG_ERR_LDAP_LOOP_DETECT; break;
+ case LDAP_NAMING_VIOLATION: ec = GPG_ERR_LDAP_NAMING_VIOLATION; break;
+ case LDAP_OBJECT_CLASS_VIOLATION: ec = GPG_ERR_LDAP_OBJ_CLS_VIOLATION; break;
+ case LDAP_NOT_ALLOWED_ON_NONLEAF: ec=GPG_ERR_LDAP_NOT_ALLOW_NONLEAF;break;
+ case LDAP_NOT_ALLOWED_ON_RDN: ec = GPG_ERR_LDAP_NOT_ALLOW_ON_RDN; break;
+ case LDAP_ALREADY_EXISTS: ec = GPG_ERR_LDAP_ALREADY_EXISTS; break;
+ case LDAP_NO_OBJECT_CLASS_MODS: ec = GPG_ERR_LDAP_NO_OBJ_CLASS_MODS; break;
+ case LDAP_RESULTS_TOO_LARGE: ec = GPG_ERR_LDAP_RESULTS_TOO_LARGE; break;
+ case LDAP_AFFECTS_MULTIPLE_DSAS: ec = GPG_ERR_LDAP_AFFECTS_MULT_DSAS; break;
+
+#ifdef LDAP_VLV_ERROR
+ case LDAP_VLV_ERROR: ec = GPG_ERR_LDAP_VLV; break;
+#endif
+
+ case LDAP_OTHER: ec = GPG_ERR_LDAP_OTHER; break;
+
+#ifdef LDAP_CUP_RESOURCES_EXHAUSTED
+ case LDAP_CUP_RESOURCES_EXHAUSTED: ec=GPG_ERR_LDAP_CUP_RESOURCE_LIMIT;break;
+ case LDAP_CUP_SECURITY_VIOLATION: ec=GPG_ERR_LDAP_CUP_SEC_VIOLATION; break;
+ case LDAP_CUP_INVALID_DATA: ec = GPG_ERR_LDAP_CUP_INV_DATA; break;
+ case LDAP_CUP_UNSUPPORTED_SCHEME: ec = GPG_ERR_LDAP_CUP_UNSUP_SCHEME; break;
+ case LDAP_CUP_RELOAD_REQUIRED: ec = GPG_ERR_LDAP_CUP_RELOAD; break;
+#endif
+
+#ifdef LDAP_CANCELLED
+ case LDAP_CANCELLED: ec = GPG_ERR_LDAP_CANCELLED; break;
+#endif
+
+#ifdef LDAP_NO_SUCH_OPERATION
+ case LDAP_NO_SUCH_OPERATION: ec = GPG_ERR_LDAP_NO_SUCH_OPERATION; break;
+#endif
+
+#ifdef LDAP_TOO_LATE
+ case LDAP_TOO_LATE: ec = GPG_ERR_LDAP_TOO_LATE; break;
+#endif
+
+#ifdef LDAP_CANNOT_CANCEL
+ case LDAP_CANNOT_CANCEL: ec = GPG_ERR_LDAP_CANNOT_CANCEL; break;
+#endif
+
+#ifdef LDAP_ASSERTION_FAILED
+ case LDAP_ASSERTION_FAILED: ec = GPG_ERR_LDAP_ASSERTION_FAILED; break;
+#endif
+
+#ifdef LDAP_PROXIED_AUTHORIZATION_DENIED
+ case LDAP_PROXIED_AUTHORIZATION_DENIED:
+ ec = GPG_ERR_LDAP_PROX_AUTH_DENIED; break;
+#endif
+
+ default:
+#if defined(LDAP_E_ERROR) && defined(LDAP_X_ERROR)
+ if (LDAP_E_ERROR (code))
+ ec = GPG_ERR_LDAP_E_GENERAL;
+ else if (LDAP_X_ERROR (code))
+ ec = GPG_ERR_LDAP_X_GENERAL;
+ else
+#endif
+ ec = GPG_ERR_LDAP_GENERAL;
+ break;
+ }
+
+ return ec;
+}
+
+
+/* Retrieve an LDAP error and return it's GPG equivalent. */
+gpg_err_code_t
+ldap_to_gpg_err (LDAP *ld)
+{
+#if defined(HAVE_LDAP_GET_OPTION) && defined(LDAP_OPT_ERROR_NUMBER)
+ int err;
+
+ if (ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, &err) == 0)
+ return ldap_err_to_gpg_err (err);
+ else
+ return GPG_ERR_GENERAL;
+#elif defined(HAVE_LDAP_LD_ERRNO)
+ return ldap_err_to_gpg_err (ld->ld_errno);
+#else
+ /* We should never get here since the LDAP library should always
+ have either ldap_get_option or ld_errno, but just in case... */
+ return GPG_ERR_INTERNAL;
+#endif
+}
+
+
+
+/* Parse an extended filter syntax as used by dirmngr_ldap.c
+ * For example:
+ *
+ * ^CN=foo, OU=My Users&(objectClasses=*)
+ *
+ * Uses "CN=foo, OU=My Users" as base DN and "(objectClasses=*)" as
+ * filter. If the base prefix includes an ampersand, it needs to be
+ * doubled. The usual escaping rules for DNs (for the base) and
+ * filters apply. Other examples:
+ *
+ * ^CN=foo, OU=My Users&
+ *
+ * Use just the base DN.
+ *
+ * ^CN=foo, OU=My Users&SCOPE&
+ *
+ * Specify the scope which is "base", "one", or "sub". May of course
+ * also be followed by a filter.
+ *
+ * ^&SCOPE&(objectClasses=*)
+ *
+ * Give a scope and a filter. Note that R_SCOPE is only changed if a
+ * STRING has scope parameter. Setting this initally to -1 allows to
+ * detect this case.
+ */
+gpg_error_t
+ldap_parse_extfilter (const char *string, int silent,
+ char **r_base, int *r_scope, char **r_filter)
+{
+ gpg_error_t err = 0;
+ char *base = NULL;
+ char *filter = NULL;
+ const char *s;
+ char *p;
+
+ if (r_base)
+ *r_base = NULL;
+ if (r_filter)
+ *r_filter = NULL;
+
+ if (*string == '^')
+ {
+ string++;
+ base = xtrymalloc (strlen (string)+1);
+ if (!base)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+ for (s=string, p=base; *s; s++)
+ {
+ *p++ = *s;
+ if (*s == '&' && s[1] == '&')
+ s++; /* Skip quoted ampersand. */
+ else if (*s == '&')
+ {
+ p--;
+ break;
+ }
+ }
+ *p = 0;
+ if (!*s)
+ {
+ if (!silent)
+ log_info ("LDAP extended filter is not terminated\n");
+ err = gpg_error (GPG_ERR_SYNTAX);
+ goto leave;
+ }
+ string = s + 1;
+ }
+
+ if (!*string)
+ goto leave; /* ready. */
+
+ if (!strncmp (string, "base&", 5))
+ {
+ string += 5;
+ if (r_scope)
+ *r_scope = LDAP_SCOPE_BASE;
+ }
+ else if (!strncmp (string, "one&", 4))
+ {
+ string += 4;
+ if (r_scope)
+ *r_scope = LDAP_SCOPE_ONELEVEL;
+ }
+ else if (!strncmp (string, "sub&", 4))
+ {
+ string += 4;
+ if (r_scope)
+ *r_scope = LDAP_SCOPE_SUBTREE;
+ }
+
+ if (!*string)
+ goto leave; /* ready. */
+
+ if (*string != '(')
+ {
+ if (!silent)
+ log_info ("LDAP filter does not start with a left parentheses\n");
+ return gpg_error (GPG_ERR_SYNTAX);
+ }
+ if (string[strlen(string)-1] != ')')
+ {
+ if (!silent)
+ log_info ("LDAP filter does not end with a right parentheses\n");
+ return gpg_error (GPG_ERR_SYNTAX);
+ }
+
+ filter = xtrystrdup (string);
+ if (!filter)
+ err = gpg_error_from_syserror ();
+
+ leave:
+ if (err)
+ {
+ xfree (base);
+ xfree (filter);
+ }
+ else
+ {
+ if (r_base)
+ *r_base = base;
+ else
+ xfree (base);
+ if (r_filter)
+ *r_filter = filter;
+ else
+ xfree (filter);
+ }
+ return err;
+}
diff --git a/dirmngr/ldap-misc.h b/dirmngr/ldap-misc.h
new file mode 100644
index 000000000..d555caf49
--- /dev/null
+++ b/dirmngr/ldap-misc.h
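Review bot: ldap_parse_extfilter leaks `base` on its two malformed-filter paths: once a `^...&` prefix has been parsed and `base` allocated, the `return gpg_error (GPG_ERR_SYNTAX);` in the "does not start with a left parentheses" and "does not end with a right parentheses" branches bypasses the `leave:` block that frees it. Replacing both returns with `err = gpg_error (GPG_ERR_SYNTAX); goto leave;` makes every error path uniform and also keeps *r_base NULL on failure as the callers assume. The SILENT parameter is not described in the header comment; one line such as `SILENT suppresses the log_info diagnostics for malformed input.` would cover it. Two nits in the comments: `it's GPG equivalent` should be `its`, and `initally` should be `initially`.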
@@ -0,0 +1,43 @@ +/* ldap-misc.h - Miscellaneous helpers for LDAP functions + * Copyright (C) 2015, 2021 g10 Code GmbH + * + * This file is part of GnuPG. + * + * GnuPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see . + * SPDX-License-Identifier: GPL-3.0-or-later + */ + +#ifndef DIRMNGR_LDAP_MISC_H +#define DIRMNGR_LDAP_MISC_H + +#ifdef _WIN32 +# include +# include +#else +# ifdef NEED_LBER_H +# include +# endif +/* For OpenLDAP, to enable the API that we're using. */ +# define LDAP_DEPRECATED 1 +# include +#endif + + +gpg_err_code_t ldap_err_to_gpg_err (int code); +gpg_err_code_t ldap_to_gpg_err (LDAP *ld); +gpg_error_t ldap_parse_extfilter (const char *string, int silent, + char **r_base, int *r_scope, char **r_filter); + + +#endif /*DIRMNGR_LDAP_MISC_H*/ diff --git a/dirmngr/ldap-wrapper.c b/dirmngr/ldap-wrapper.c index 31de6e030..629c5c277 100644 --- a/dirmngr/ldap-wrapper.c +++ b/dirmngr/ldap-wrapper.c @@ -548,7 +548,7 @@ ldap_reaper_launch_thread (void) #ifdef HAVE_W32_SYSTEM /* Static init does not yet work in W32 nPth. */ if (npth_cond_init (&reaper_run_cond, NULL)) - log_fatal ("%s: failed to init condition variabale: %s\n", + log_fatal ("%s: failed to init condition variable: %s\n", __func__, gpg_strerror (gpg_error_from_syserror ())); #endif 
@@ -857,9 +857,9 @@ ldap_wrapper (ctrl_t ctrl, ksba_reader_t *reader, const char *argv[]) err = gnupg_spawn_process (pgmname, arg_list, NULL, NULL, GNUPG_SPAWN_NONBLOCK, NULL, &outfp, &errfp, &pid); - xfree (arg_list); if (err) { + xfree (arg_list); xfree (ctx); log_error ("error running '%s': %s\n", pgmname, gpg_strerror (err)); return err; @@ -878,6 +878,7 @@ ldap_wrapper (ctrl_t ctrl, ksba_reader_t *reader, const char *argv[]) err = ksba_reader_set_cb (*reader, reader_callback, ctx); if (err) { + xfree (arg_list); log_error (_("error initializing reader object: %s\n"), gpg_strerror (err)); destroy_wrapper (ctx); @@ -899,8 +900,15 @@ ldap_wrapper (ctrl_t ctrl, ksba_reader_t *reader, const char *argv[]) unlock_reaper_list (); if (DBG_EXTPROG) - log_debug ("ldap wrapper %d started (%p, %s)\n", - (int)ctx->pid, ctx->reader, pgmname); + { + log_debug ("ldap wrapper %d started (%p, %s)", + (int)ctx->pid, ctx->reader, pgmname); + for (i=0; arg_list[i]; i++) + log_printf (" [%s]", arg_list[i]); + log_printf ("\n"); + } + xfree (arg_list); + /* Need to wait for the first byte so we are able to detect an empty output and not let the consumer see an EOF without further error diff --git a/dirmngr/ldap.c b/dirmngr/ldap.c index 42efcfd49..742403511 100644 --- a/dirmngr/ldap.c +++ b/dirmngr/ldap.c 
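Review bot: The new DBG_EXTPROG loop prints every element of arg_list, and run_ldap_wrapper in ldap.c (same diff) places `--pass` and the password as the first two argv entries, so if arg_list still carries them at this point the debug log will record the LDAP bind password in clear. Skipping the value that follows `--pass`, e.g. `log_printf (" [%s]", (i && !strcmp (arg_list[i-1], "--pass"))? "<redacted>" : arg_list[i]);`, keeps the diagnostic useful without persisting a credential. Moving `xfree (arg_list)` below the log block also means every early return between the spawn and this point must now free it; the commit patches the spawn-failure and ksba_reader_set_cb paths, but the code between the hunks is not visible, so please confirm no other return in ldap_wrapper is left without the free. The loop index `i` is declared outside the hunk.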
@@ -1,12 +1,12 @@ /* ldap.c - LDAP access * Copyright (C) 2002 Klarälvdalens Datakonsult AB - * Copyright (C) 2003, 2004, 2005, 2007, 2008, 2010 g10 Code GmbH + * Copyright (C) 2003, 2004, 2005, 2007, 2008, 2010, 2021 g10 Code GmbH * - * This file is part of DirMngr. + * This file is part of GnuPG. * - * DirMngr is free software; you can redistribute it and/or modify + * GnuPG is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or + * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * DirMngr is distributed in the hope that it will be useful, @@ -15,8 +15,8 @@ * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * along with this program; if not, see . + * SPDX-License-Identifier: GPL-3.0-or-later */ #include @@ -36,6 +36,7 @@ #include "ldapserver.h" #include "misc.h" #include "ldap-wrapper.h" +#include "ldap-url.h" #include "../common/host2net.h" @@ -116,14 +117,15 @@ static gpg_error_t run_ldap_wrapper (ctrl_t ctrl, int ignore_timeout, int multi_mode, + int tls_mode, + int ntds, const char *proxy, const char *host, int port, const char *user, const char *pass, - const char *dn, const char *filter, const char *attr, - const char *url, + const char *base, const char *filter, const char *attr, ksba_reader_t *reader) { - const char *argv[40]; + const char *argv[50]; int argc; char portbuf[30], timeoutbuf[30]; 
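Review bot: The new `tls_mode` and `ntds` parameters of run_ldap_wrapper are undocumented, and the comment block above the signature (outside the hunk) still has to describe the removed `dn` and `url` parameters. The encoding is only recoverable from the option emission further down (1 selects `--starttls`, any other non-zero value `--ldaptls`), so a line in the header comment such as `TLS_MODE is 0 for plain LDAP, 1 for STARTTLS and 2 for LDAP-over-TLS; NTDS requests Active Directory authentication; BASE is the search base DN.` would spare readers the cross-reference.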
@@ -131,7 +133,7 @@ run_ldap_wrapper (ctrl_t ctrl, *reader = NULL; argc = 0; - if (pass) /* Note, that the password must be the first item. */ + if (pass && *pass) /* Note, that the password must be the first item. */ { argv[argc++] = "--pass"; argv[argc++] = pass; @@ -145,9 +147,18 @@ run_ldap_wrapper (ctrl_t ctrl, argv[argc++] = "--log-with-pid"; if (multi_mode) argv[argc++] = "--multi"; + + if (tls_mode == 1) + argv[argc++] = "--starttls"; + else if (tls_mode) + argv[argc++] = "--ldaptls"; + + if (ntds) + argv[argc++] = "--ntds"; + if (opt.ldaptimeout) { - sprintf (timeoutbuf, "%u", opt.ldaptimeout); + snprintf (timeoutbuf, sizeof timeoutbuf, "%u", opt.ldaptimeout); argv[argc++] = "--timeout"; argv[argc++] = timeoutbuf; if (ignore_timeout) @@ -158,7 +169,7 @@ run_ldap_wrapper (ctrl_t ctrl, argv[argc++] = "--proxy"; argv[argc++] = proxy; } - if (host) + if (host && *host) { argv[argc++] = "--host"; argv[argc++] = host; @@ -169,27 +180,24 @@ run_ldap_wrapper (ctrl_t ctrl, argv[argc++] = "--port"; argv[argc++] = portbuf; } - if (user) + if (user && *user) { argv[argc++] = "--user"; argv[argc++] = user; } - if (dn) + if (base && *base) { - argv[argc++] = "--dn"; - argv[argc++] = dn; - } - if (filter) - { - argv[argc++] = "--filter"; - argv[argc++] = filter; + argv[argc++] = "--base"; + argv[argc++] = base; } if (attr) { argv[argc++] = "--attr"; argv[argc++] = attr; } - argv[argc++] = url? url : "ldap://"; + + if (filter) + argv[argc++] = filter; argv[argc] = NULL; return ldap_wrapper (ctrl, reader, argv); 
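Review bot: `argv[argc] = NULL;` at the end of the option assembly still relies on the enlarged `argv[50]` being large enough; every option added in this commit (`--starttls`/`--ldaptls`, `--ntds`, `--base`, the positional filter) moves the count closer to the limit and nothing would catch an overflow of this stack array. A `log_assert (argc < DIM (argv));` before the terminator turns a future silent stack overwrite into a diagnosed failure at no cost. The `pass && *pass` change means an empty configured password is now treated as "no password"; a short comment on that line would record that this is intended.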
@@ -202,19 +210,48 @@ run_ldap_wrapper (ctrl_t ctrl, reader is returned. If HOST or PORT are not 0, they are used to override the values from the URL. */ gpg_error_t -url_fetch_ldap (ctrl_t ctrl, const char *url, const char *host, int port, - ksba_reader_t *reader) +url_fetch_ldap (ctrl_t ctrl, const char *url, ksba_reader_t *reader) { gpg_error_t err; + LDAPURLDesc *ludp = NULL; + int tls_mode; + + if (!ldap_is_ldap_url (url)) + { + log_error (_("'%s' is not an LDAP URL\n"), url); + return gpg_error (GPG_ERR_INV_URI); + } + + if (ldap_url_parse (url, &ludp)) + { + log_error (_("'%s' is an invalid LDAP URL\n"), url); + return gpg_error (GPG_ERR_INV_URI); + } + + if (ludp->lud_filter && ludp->lud_filter[0] != '(') + { + log_error (_("'%s' is an invalid LDAP URL\n"), url); + err = gpg_error (GPG_ERR_BAD_URI); + goto leave; + } + + if (ludp->lud_scheme && !strcmp (ludp->lud_scheme, "ldaps")) + tls_mode = 2; /* LDAP-over-TLS here becuase we get it from certs. */ + else + tls_mode = 0; err = run_ldap_wrapper (ctrl, 1, /* Ignore explicit timeout because CRLs might be very large. */ - 0, + 0, /* No Multi-mode. */ + tls_mode, + 0, /* No AD authentication. */ opt.ldap_proxy, - host, port, - NULL, NULL, - NULL, NULL, NULL, url, + ludp->lud_host, ludp->lud_port, + NULL, NULL, /* user, password */ + ludp->lud_dn, /* Base DN */ + ludp->lud_filter, + ludp->lud_attrs? ludp->lud_attrs[0] : NULL, reader); /* FIXME: This option might be used for DoS attacks. Because it @@ -223,17 +260,8 @@ url_fetch_ldap (ctrl_t ctrl, const char *url, const char *host, int port, turn. */ if (!err && opt.add_new_ldapservers && !opt.ldap_proxy) { - if (host) - add_server_to_servers (host, port); - else if (url) - { - char *tmp = host_and_port_from_url (url, &port); - if (tmp) - { - add_server_to_servers (tmp, port); - xfree (tmp); - } - } + if (ludp->lud_host) + add_server_to_servers (ludp->lud_host, ludp->lud_port); } /* If the lookup failed and we are not only using the proxy, we try 
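Review bot: The comment immediately above url_fetch_ldap (context at the top of the hunk) still says `If HOST or PORT are not 0, they are used to override the values from the URL`, but those parameters were removed from the signature here; the sentence should be replaced with `Host, port, base DN, filter and the first attribute are taken from the parsed URL.`. Typo in the new comment: `becuase` should be `because`. Only `lud_attrs[0]` is forwarded, so a URL listing several attributes silently loses all but the first; if that is intended, a comment next to the ternary would prevent a future "fix".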
@@ -252,19 +280,32 @@ url_fetch_ldap (ctrl_t ctrl, const char *url, const char *host, int port, { ldap_server_t server = iter.server; + if (server->starttls) + tls_mode = 1; + else if (server->ldap_over_tls) + tls_mode = 2; + else + tls_mode = 0; + err = run_ldap_wrapper (ctrl, 0, - 0, + 0, /* No Multi-mode */ + tls_mode, + server->ntds, NULL, server->host, server->port, - NULL, NULL, - NULL, NULL, NULL, url, + server->user, server->pass, + server->base, + ludp->lud_filter, + ludp->lud_attrs? ludp->lud_attrs[0] : NULL, reader); if (!err) break; } } + leave: + ldap_free_urldesc (ludp); return err; } @@ -281,20 +322,32 @@ attr_fetch_ldap (ctrl_t ctrl, *reader = NULL; - /* FIXME; we might want to look at the Base SN to try matching + /* FIXME; we might want to look at the Base DN to try matching servers first. */ for (ldapserver_iter_begin (&iter, ctrl); ! ldapserver_iter_end_p (&iter); ldapserver_iter_next (&iter)) { ldap_server_t server = iter.server; + int tls_mode; + + if (server->starttls) + tls_mode = 1; + else if (server->ldap_over_tls) + tls_mode = 2; + else + tls_mode = 0; err = run_ldap_wrapper (ctrl, 0, 0, + tls_mode, + server->ntds, opt.ldap_proxy, server->host, server->port, server->user, server->pass, - dn, "objectClass=*", attr, NULL, + dn, + "(objectClass=*)", + attr, reader); if (!err) break; /* Probably found a result. Ready. */ 
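Review bot: The starttls/ldap_over_tls to tls_mode mapping is written out twice in this diff, in url_fetch_ldap's fallback loop here and again in attr_fetch_ldap, which invites the two copies to drift once a third mode appears. A small static helper keeps the encoding in one place and documents it; both call sites then reduce to `tls_mode = server_tls_mode (server);`. The enclosing function of the first hunk starts outside this hunk.
```c
/* Map a configured server's TLS flags to run_ldap_wrapper's TLS_MODE:
 * 0 = plain LDAP, 1 = STARTTLS, 2 = LDAP-over-TLS.  */
static int
server_tls_mode (ldap_server_t server)
{
  if (server->starttls)
    return 1;
  return server->ldap_over_tls? 2 : 0;
}

/* … unchanged: ldapserver_iter loop … */
      tls_mode = server_tls_mode (server);
```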
@@ -302,46 +355,144 @@ attr_fetch_ldap (ctrl_t ctrl, return err; } + -/* Parse PATTERN and return a new strlist to be used for the actual - LDAP query. Bit 0 of the flags field is set if that pattern is - actually a base specification. Caller must release the returned - strlist. NULL is returned on error. - - * Possible patterns: - * - * KeyID - * Fingerprint - * OpenPGP userid - * x Email address Indicated by a left angle bracket. - * Exact word match in user id or subj. name - * x Subj. DN indicated bu a leading slash - * Issuer DN - * Serial number + subj. DN - * x Substring match indicated by a leading '*; is also the default. - */ - -strlist_t -parse_one_pattern (const char *pattern) +/* Return true if VALUE needs escaping. */ +static int +rfc2254_need_escape (const char *value) { - strlist_t result = NULL; - char *p; + /* NUL needs to be escaped as well but we can represent that in + * VALUE, so no need for it. */ + return !!strpbrk (value, "*()\\"); +} + +/* Escape VALUE using RFC-2254 rules. Returns NULL on error. */ +static char * +rfc2254_escape (const char *value) +{ + const char *s; + char *buffer, *p; + size_t length = 0; + + for (s=value; *s; s++) + switch (*s) + { + case '*': + case '(': + case ')': + case '\\': length += 3; break; + default: length++; break; + } + + buffer = xtrymalloc (length+1); + if (!buffer) + return NULL; + p = buffer; + for (s=value; *s; s++) + switch (*s) + { + case '*': p = stpcpy (p, "\\2a"); break; + case '(': p = stpcpy (p, "\\28"); break; + case ')': p = stpcpy (p, "\\29"); break; + case '\\': p = stpcpy (p, "\\5c"); break; + default: *p++ = *s; break; + } + *p = 0; + return buffer; +} + + +/* Return true if VALUE needs escaping. */ +static int +extfilt_need_escape (const char *value) +{ + /* NUL needs to be escaped as well but we can represent that in + * VALUE, so no need for it. */ + return !!strchr (value, '&'); +} + +/* Escape VALUE using our extended filter rules from dirmngr_ldap.c. + * Returns NULL on error. 
*/ +static char * +extfilt_escape (const char *value) +{ + const char *s; + char *buffer, *p; + size_t length = 0; + + for (s=value; *s; s++) + { + length++; + if (*s == '&') + length++; + } + + buffer = xtrymalloc (length+1); + if (!buffer) + return NULL; + p = buffer; + for (s=value; *s; s++) + { + *p++ = *s; + if (*s == '&') + *p++ = '&'; + } + *p = 0; + return buffer; +} + + +/* Parse PATTERN and return a new filter expression for an LDAP query. + * The extended filter syntax as known by dirmngr_ldap.c is used. + * Caller must release the returned value. R_RESULT is set to NULL on + * error. + * + * Supported patterns: + * + * | Ok | gpg style user id type | + * |-----+------------------------------------------------------| + * | no | KeyID | + * | no | Fingerprint | + * | no | OpenPGP userid | + * | yes | Email address Indicated by a left angle bracket. | + * | no | Exact word match in user id or subj. name | + * | yes | Subj. DN indicated by a leading slash | + * | no | Issuer DN | + * | no | Serial number + subj. DN | + * | yes | Substring match indicated by a leading '*; (default) | + */ +static gpg_error_t +make_one_filter (const char *pattern, char **r_result) +{ + gpg_error_t err = 0; + char *pattern_buffer = NULL; + char *result = NULL; + size_t n; + + *r_result = NULL; switch (*pattern) { case '<': /* Email. */ { pattern++; - result = xmalloc (sizeof *result + 5 + strlen (pattern)); - result->next = NULL; - result->flags = 0; - p = stpcpy (stpcpy (result->d, "mail="), pattern); - if (p[-1] == '>') - *--p = 0; - if (!*result->d) /* Error. 
*/ + if (rfc2254_need_escape (pattern) + && !(pattern = pattern_buffer = rfc2254_escape (pattern))) { - xfree (result); - result = NULL; + err = gpg_error_from_syserror (); + goto leave; + } + result = strconcat ("(mail=", pattern, ")", NULL); + if (!result) + { + err = gpg_error_from_syserror (); + goto leave; + } + n = strlen (result); + if (result[n-2] == '>') /* Strip trailing '>' */ + { + result[n-2] = ')'; + result[n-1] = 0; } break; } 
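Review bot: Both `rfc2254_need_escape` and `extfilt_need_escape` carry the comment `NUL needs to be escaped as well but we can represent that in VALUE`, which states the opposite of what is meant: a C string cannot contain NUL, so it should read `but we cannot represent that in VALUE, so no need for it`. In make_one_filter's `<` case an empty address (`<` or `<>`) yields the filter `(mail=)` instead of GPG_ERR_INV_USER_ID, because the emptiness check is on `result` rather than on the address; rejecting `!*pattern || !strcmp (pattern, ">")` before the strconcat call closes that. Escaping `*()\` before the pattern is spliced into the filter is the right fix for filter injection from user-supplied search strings; a pointer to RFC 4515 (which obsoletes RFC 2254) in the helper's comment would help readers. make_one_filter continues past the end of the hunk.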
@@ -349,125 +500,86 @@ parse_one_pattern (const char *pattern) pattern++; if (*pattern) { - result = xmalloc (sizeof *result + strlen (pattern)); - result->next = NULL; - result->flags = 1; /* Base spec. */ - strcpy (result->d, pattern); + /* We need just the BaseDN. This assumes that the Subject + * is correcly stored in the DT. This is however not always + * the case and the actual DN is different ffrom the + * subject. In this case we won't find anything. */ + if (extfilt_need_escape (pattern) + && !(pattern = pattern_buffer = extfilt_escape (pattern))) + { + err = gpg_error_from_syserror (); + goto leave; + } + result = strconcat ("^", pattern, "&base&", NULL); + if (!result) + { + err = gpg_error_from_syserror (); + goto leave; + } } break; - case '#': /* Issuer DN. */ + case '#': /* Issuer DN - Not yet working. */ pattern++; if (*pattern == '/') /* Just issuer DN. */ { pattern++; + if (extfilt_need_escape (pattern) + && !(pattern = pattern_buffer = extfilt_escape (pattern))) + { + err = gpg_error_from_syserror (); + goto leave; + } + result = strconcat ("^", pattern, "&base&", NULL); + if (!result) + { + err = gpg_error_from_syserror (); + goto leave; + } } else /* Serial number + issuer DN */ { + } break; case '*': pattern++; /* fall through */ default: /* Take as substring match. 
*/ - { - const char format[] = "(|(sn=*%s*)(|(cn=*%s*)(mail=*%s*)))"; - - if (*pattern) - { - result = xmalloc (sizeof *result - + strlen (format) + 3 * strlen (pattern)); - result->next = NULL; - result->flags = 0; - sprintf (result->d, format, pattern, pattern, pattern); - } - } + if (*pattern) + { + if (rfc2254_need_escape (pattern) + && !(pattern = pattern_buffer = rfc2254_escape (pattern))) + { + err = gpg_error_from_syserror (); + goto leave; + } + result = strconcat ("(|(sn=*", pattern, + "*)(|(cn=*", pattern, + "*)(mail=*", pattern, + "*)))", NULL); + if (!result) + { + err = gpg_error_from_syserror (); + goto leave; + } + } break; } - return result; -} + if (!result) + err = gpg_error (GPG_ERR_INV_USER_ID); -/* Take the string STRING and escape it according to the URL rules. - Return a newly allocated string. */ -static char * -escape4url (const char *string) -{ - const char *s; - char *buf, *p; - size_t n; - - if (!string) - string = ""; - - for (s=string,n=0; *s; s++) - if (strchr (UNENCODED_URL_CHARS, *s)) - n++; - else - n += 3; - - buf = malloc (n+1); - if (!buf) - return NULL; - - for (s=string,p=buf; *s; s++) - if (strchr (UNENCODED_URL_CHARS, *s)) - *p++ = *s; - else - { - sprintf (p, "%%%02X", *(const unsigned char *)s); - p += 3; - } - *p = 0; - - return buf; -} - - - -/* Create a LDAP URL from DN and FILTER and return it in URL. We don't - need the host and port because this will be specified using the - override options. */ -static gpg_error_t -make_url (char **url, const char *dn, const char *filter) -{ - gpg_error_t err; - char *u_dn, *u_filter; - char const attrs[] = (USERCERTIFICATE "," - /* In 2005 wk mentioned in the changelog that - * work on the userSMIMECertificate has - * started but it seems that no further - * progress was made or the whole thing was - * simply forgotten. 
*/ - /* USERSMIMECERTIFICATE "," */ - CACERTIFICATE "," - X509CACERT ); - - *url = NULL; - - u_dn = escape4url (dn); - if (!u_dn) - return gpg_error_from_errno (errno); - - u_filter = escape4url (filter); - if (!u_filter) - { - err = gpg_error_from_errno (errno); - xfree (u_dn); - return err; - } - - *url = strconcat ("ldap:///", u_dn, "?", attrs, "?sub?", u_filter, NULL); - if (!*url) - err = gpg_error_from_syserror (); + leave: + xfree (pattern_buffer); + if (err) + xfree (result); else - err = 0; - - xfree (u_dn); - xfree (u_filter); + *r_result = result; return err; } + /* Prepare an LDAP query to return the cACertificate attribute for DN. * All configured default servers are queried until one responds. * This function returns an error code or 0 and stored a newly @@ -483,7 +595,7 @@ start_cacert_fetch_ldap (ctrl_t ctrl, cert_fetch_context_t *r_context, if (!*r_context) return gpg_error_from_errno (errno); - /* FIXME; we might want to look at the Base SN to try matching + /* FIXME; we might want to look at the Base DN to try matching servers first. */ err = gpg_error (GPG_ERR_CONFIGURATION); @@ -495,10 +607,12 @@ start_cacert_fetch_ldap (ctrl_t ctrl, cert_fetch_context_t *r_context, err = run_ldap_wrapper (ctrl, 0, 1, /* --multi (record format) */ + 0, /* No TLS */ + 0, /* No AD authentication. */ opt.ldap_proxy, server->host, server->port, server->user, server->pass, - dn, "objectClass=*", "cACertificate", NULL, + dn, "objectClass=*", "cACertificate", &(*r_context)->reader); if (!err) break; /* Probably found a result. */ @@ -526,12 +640,12 @@ start_cert_fetch_ldap (ctrl_t ctrl, cert_fetch_context_t *r_context, int port; char *user = NULL; char *pass = NULL; - const char *base; + char *base = NULL; char *argv[50]; int argc = 0; int argc_malloced = 0; char portbuf[30], timeoutbuf[30]; - int use_ldaps = 0; + int starttls, ldaptls, ntds; *r_context = NULL; 
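Review bot: The comment added in the `'/'` branch of make_one_filter has two typos (`correcly` should be `correctly`, `ffrom` should be `from`), and the serial-number branch under `case '#'` is an empty `else { }` with nothing to say why. Since `result` stays NULL there and the `if (!result)` check after the switch turns that into GPG_ERR_INV_USER_ID, I'd give the empty branch a line such as `/* Not supported: result stays NULL and becomes GPG_ERR_INV_USER_ID below. */`. The issuer-DN branch (`'#/'`) also builds exactly the same `^...&base&` expression as the subject branch, which the "Not yet working" remark only partly explains. The four escape-then-strconcat sequences differ only in the escape function and could be one small static helper. make_one_filter's start is in the preceding hunk.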
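Review bot: The two arguments added to the run_ldap_wrapper call in start_cacert_fetch_ldap are literal `0, /* No TLS */` and `0, /* No AD authentication. */`, so the cACertificate lookup ignores the TLS and authentication settings of the very `server` entry it iterates over, while start_cert_fetch_ldap in the later hunks of this file reads `server->starttls`, `server->ldap_over_tls` and `server->ntds` for the same purpose. A server configured for TLS would therefore have its CA-certificate fetch done over plain LDAP. If run_ldap_wrapper's parameters take the same encoding as those fields (its declaration is not visible here), pass the configured values, e.g. `server->ldap_over_tls, /* TLS as configured for this server */` and `server->ntds, /* AD authentication as configured */`; if plain LDAP is deliberate for this path, the comment should say why. start_cacert_fetch_ldap begins outside the hunk.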
@@ -559,19 +673,24 @@ start_cert_fetch_ldap (ctrl_t ctrl, cert_fetch_context_t *r_context, err = gpg_error_from_syserror (); goto leave; } - base = server->base; - use_ldaps = server->ldap_over_tls; + if (server->base && !(base = xtrystrdup (server->base))) + { + err = gpg_error_from_syserror (); + goto leave; + } + + starttls = server->starttls; + ldaptls = server->ldap_over_tls; + ntds = server->ntds; } else /* Use a default server. */ { - xfree (proxy); - return gpg_error (GPG_ERR_NOT_IMPLEMENTED); + err = gpg_error (GPG_ERR_NOT_IMPLEMENTED); + goto leave; } - if (!base) - base = ""; - if (pass) /* Note: Must be the first item. */ + if (pass && *pass) /* Note: Must be the first item. */ { argv[argc++] = "--pass"; argv[argc++] = pass; @@ -584,20 +703,27 @@ start_cert_fetch_ldap (ctrl_t ctrl, cert_fetch_context_t *r_context, argv[argc++] = "--log-with-pid"; argv[argc++] = "--multi"; + + if (starttls) + argv[argc++] = "--starttls"; + else if (ldaptls) + argv[argc++] = "--ldaptls"; + + if (ntds) + argv[argc++] = "--ntds"; + if (opt.ldaptimeout) { snprintf (timeoutbuf, sizeof timeoutbuf, "%u", opt.ldaptimeout); argv[argc++] = "--timeout"; argv[argc++] = timeoutbuf; } - if (opt.ldap_proxy) + if (proxy && *proxy) { argv[argc++] = "--proxy"; argv[argc++] = proxy; } - if (use_ldaps) - argv[argc++] = "--tls"; - if (host) + if (host && *host) { argv[argc++] = "--host"; argv[argc++] = host; 
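Review bot: `starttls`, `ldaptls` and `ntds` are assigned only inside the `if (server)` branch here, and their declaration in the preceding hunk (`int starttls, ldaptls, ntds;`) has no initializer; the code is correct only because the `else` branch jumps straight to `leave`, which is fragile if a later edit reads them after the block. I'd declare them as `int starttls = 0, ldaptls = 0, ntds = 0;`. In the second hunk, `if (starttls) ... else if (ldaptls)` silently prefers `--starttls` when a server has both set; a one-line comment such as `/* STARTTLS takes precedence over LDAP-over-TLS if both are configured. */` would record that this is intentional. start_cert_fetch_ldap begins and ends outside these hunks.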
@@ -608,56 +734,49 @@ start_cert_fetch_ldap (ctrl_t ctrl, cert_fetch_context_t *r_context, argv[argc++] = "--port"; argv[argc++] = portbuf; } - if (user) + if (user && *user) { argv[argc++] = "--user"; argv[argc++] = user; } + if (base && *base) + { + argv[argc++] = "--base"; + argv[argc++] = base; + } + /* All entries in argv from this index on are malloc'ed. */ argc_malloced = argc; for (; patterns; patterns = patterns->next) { - strlist_t sl; - char *url; - if (argc >= DIM (argv) - 1) { /* Too many patterns. It does not make sense to allow an arbitrary number of patters because the length of the command line is limited anyway. */ - /* fixme: cleanup. */ - return gpg_error (GPG_ERR_RESOURCE_LIMIT); - } - sl = parse_one_pattern (patterns->d); - if (!sl) - { - log_error (_("start_cert_fetch: invalid pattern '%s'\n"), - patterns->d); - err = gpg_error (GPG_ERR_INV_USER_ID); + err = gpg_error (GPG_ERR_RESOURCE_LIMIT); goto leave; } - if ((sl->flags & 1)) - err = make_url (&url, sl->d, "objectClass=*"); - else - err = make_url (&url, base, sl->d); - free_strlist (sl); - if (err) - goto leave; - argv[argc++] = url; + if (*patterns->d) + { + err = make_one_filter (patterns->d, &argv[argc]); + if (err) + goto leave; + argc++; + } } argv[argc] = NULL; *r_context = xtrycalloc (1, sizeof **r_context); if (!*r_context) { - err = gpg_error_from_errno (errno); + err = gpg_error_from_syserror (); goto leave; } err = ldap_wrapper (ctrl, &(*r_context)->reader, (const char**)argv); - if (err) { xfree (*r_context); @@ -669,6 +788,7 @@ start_cert_fetch_ldap (ctrl_t ctrl, cert_fetch_context_t *r_context, xfree (argv[argc_malloced]); xfree (proxy); xfree (host); + xfree (base); xfree (user); xfree (pass); return err; diff --git a/dirmngr/server.c b/dirmngr/server.c index cd6cfa912..2880dcb47 100644 --- a/dirmngr/server.c +++ b/dirmngr/server.c 
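Review bot: The removed `log_error (_("start_cert_fetch: invalid pattern '%s'\n"), ...)` has no replacement, so when make_one_filter returns GPG_ERR_INV_USER_ID the request now fails without any record of which pattern was rejected; the pattern comes from the client, so the operator's log loses the one line that would explain the failure. make_one_filter can also fail with an allocation error, so the message should be emitted only for the invalid-pattern code rather than for every error. The `if (*patterns->d)` guard additionally skips empty patterns in silence where they were previously reported as invalid; if that is intended, a short comment saying so would help. start_cert_fetch_ldap begins and ends outside the hunk.
```c
      /* … unchanged: argv limit check … */
      if (*patterns->d)
        {
          err = make_one_filter (patterns->d, &argv[argc]);
          if (gpg_err_code (err) == GPG_ERR_INV_USER_ID)
            log_error (_("start_cert_fetch: invalid pattern '%s'\n"),
                       patterns->d);
          if (err)
            goto leave;
          argc++;
        }
```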
@@ -1672,7 +1672,8 @@ lookup_cert_by_pattern (assuan_context_t ctx, char *line,
 if (!err && single)
 goto ready;
 
- if (gpg_err_code (err) == GPG_ERR_NO_DATA)
+ if (gpg_err_code (err) == GPG_ERR_NO_DATA
+ || gpg_err_code (err) == GPG_ERR_NOT_FOUND)
 {
 err = 0;
 if (cache_only)
diff --git a/dirmngr/t-ldap-misc.c b/dirmngr/t-ldap-misc.c
new file mode 100644
index 000000000..afba1025f
--- /dev/null
+++ b/dirmngr/t-ldap-misc.c
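Review bot: The new `|| gpg_err_code (err) == GPG_ERR_NOT_FOUND` condition is not explained, so a reader cannot tell which lookup path now returns NOT_FOUND instead of NO_DATA and why both should be treated as "nothing found, keep going". A comment above the condition, e.g. `/* NOT_FOUND is handled like NO_DATA: the lookup completed but matched nothing. */`, would record that; presumably the reworked LDAP path in ldap.c is the producer, but that is not visible in this hunk, so the comment should name the actual source. lookup_cert_by_pattern begins and ends outside the hunk.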
@@ -0,0 +1,158 @@ +/* t-ldap-parse-uri.c - Tests for ldap-parse-uri.c and ldap-misc.c + * Copyright (C) 2015 g10 Code GmbH + * + * This file is part of GnuPG. + * + * GnuPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see . + */ + +#include + +#include +#include +#include + +#include "../common/util.h" +#include "t-support.h" +#include "ldap-misc.h" + + +static void +test_ldap_parse_extfilter (void) +{ + struct { + const char *string; + const char *base; + const char *filter; + int scope; + gpg_err_code_t ec; + } tests[] = + { + { "^CN=foo, OU=My Users&(objectClasses=*)", + "CN=foo, OU=My Users", "(objectClasses=*)", + -1 }, + { "^CN=foo, OU=My Users&base&(objectClasses=*)", + "CN=foo, OU=My Users", "(objectClasses=*)", + LDAP_SCOPE_BASE }, + { "^CN=foo, OU=My Users&one&(objectClasses=*)", + "CN=foo, OU=My Users", "(objectClasses=*)", + LDAP_SCOPE_ONELEVEL }, + { "^CN=foo, OU=My Users&sub&(objectClasses=*)", + "CN=foo, OU=My Users", "(objectClasses=*)", + LDAP_SCOPE_SUBTREE }, + /* { "^CN=foo, OU=My Users&children&(objectClasses=*)", */ + /* "CN=foo, OU=My Users", "(objectClasses=*)", */ + /* LDAP_SCOPE_CHILDREN }, */ + { "^CN=foo, OU=My Users&", + "CN=foo, OU=My Users", NULL, + -1 }, + { "^CN=foo, OU=My Users&sub&", + "CN=foo, OU=My Users", NULL, + LDAP_SCOPE_SUBTREE }, + /* { "^&children&(objectClasses=*)", */ + /* "", "(objectClasses=*)", */ + /* LDAP_SCOPE_CHILDREN }, */ + { "^CN=foo, OU=My 
&&Users&base&(objectClasses=*)", + "CN=foo, OU=My &Users", "(objectClasses=*)", + LDAP_SCOPE_BASE }, + { "^CN=foo, OU=My Users&&&base&(objectClasses=*)", + "CN=foo, OU=My Users&", "(objectClasses=*)", + LDAP_SCOPE_BASE }, + { "^CN=foo, OU=My Users", + NULL, NULL, + LDAP_SCOPE_BASE, GPG_ERR_SYNTAX }, + { "^CN=foo, OU=My Users&base(objectClasses=*)", + NULL, NULL, + LDAP_SCOPE_BASE, GPG_ERR_SYNTAX }, + { "^CN=foo, OU=My Users&base&objectClasses=*)", + NULL, NULL, + LDAP_SCOPE_BASE, GPG_ERR_SYNTAX }, + { "^CN=foo, OU=My Users&base&(objectClasses=*", + NULL, NULL, + LDAP_SCOPE_BASE, GPG_ERR_SYNTAX } + }; + int idx; + gpg_error_t err; + int errcount = 0; + char *base, *filter; + int scope; + + for (idx= 0; idx < DIM (tests); idx++) + { + scope = -1; + err = ldap_parse_extfilter (tests[idx].string, 1, &base, &scope, &filter); + if (err && tests[idx].ec) + { + if (gpg_err_code (err) != tests[idx].ec) + { + fprintf (stderr, "%s: test %d failed: wrong error code %d\n", + __func__, idx, err); + errcount++; + } + continue; + } + if (err) + { + fprintf (stderr, "%s: test %d failed: %s\n", + __func__, idx, gpg_strerror (err)); + errcount++; + continue; + } + if (tests[idx].ec) + { + fprintf (stderr, "%s: test %d failed: error not detected\n", + __func__, idx); + errcount++; + continue; + } + if ((!tests[idx].base ^ !base) + || (tests[idx].base && strcmp (tests[idx].base, base))) + { + fprintf (stderr, "%s: test %d failed: base mismatch ('%s')\n", + __func__, idx, base? base : "(null"); + errcount++; + } + if ((!tests[idx].filter ^ !filter) + || (tests[idx].filter && strcmp (tests[idx].filter, filter))) + { + fprintf (stderr, "%s: test %d failed: filter mismatch ('%s')\n", + __func__, idx, filter? 
filter : "(null");
+ errcount++;
+ }
+ if (tests[idx].scope != scope)
+ {
+ fprintf (stderr, "%s: test %d failed: scope mismatch (%d)\n",
+ __func__, idx, scope);
+ errcount++;
+ }
+ xfree (base);
+ xfree (filter);
+ }
+ if (errcount)
+ exit (1);
+}
+
+
+
+
+int
+main (int argc, char **argv)
+{
+ (void)argc;
+ (void)argv;
+
+ test_ldap_parse_extfilter ();
+
+ return 0;
+}
diff --git a/dirmngr/t-support.h b/dirmngr/t-support.h
index f773f1efb..7f60c942b 100644
--- a/dirmngr/t-support.h
+++ b/dirmngr/t-support.h
@@ -31,6 +31,12 @@
 #ifndef DIRMNGR_T_SUPPORT_H
 #define DIRMNGR_T_SUPPORT_H 1
 
+#ifndef DIM
+# define DIM(v) (sizeof(v)/sizeof((v)[0]))
+# define DIMof(type,member) DIM(((type *)0)->member)
+#endif
+
+
 /* Macros to print the result of a test. */
 #define pass() do { ; } while(0)
 #define fail(a) do { fprintf (stderr, "%s:%d: test %d failed\n",\
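Review bot: The header comment of the new file names the wrong file, `/* t-ldap-parse-uri.c - Tests for ldap-parse-uri.c and ldap-misc.c`, while the file is t-ldap-misc.c and only exercises ldap_parse_extfilter; I'd change it to `/* t-ldap-misc.c - Tests for ldap-misc.c`. Two nits in test_ldap_parse_extfilter: the fallback strings in the base and filter mismatch messages read `"(null"` and are missing the closing parenthesis, and `"wrong error code %d\n"` prints a gpg_error_t (an unsigned int) with `%d`, where `%u` or `gpg_strerror (err)` would match the type. The table rows that omit the `ec` field rely on it being zero-initialised, which is fine but worth a one-line comment on the struct, e.g. `/* ec == 0 means the parse is expected to succeed. */`.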