diff --git a/configure.ac b/configure.ac
index af24f1c4fdb5..688bdadf5933 100644
--- a/configure.ac
+++ b/configure.ac
@@ -10653,14 +10653,14 @@ dnl ===================================================================
 
 if test "$test_openldap" = yes; then
     AC_MSG_CHECKING([whether to enable LDAP support])
-    if test "$enable_ldap" = yes -a \( "$ENABLE_NSS" = TRUE -o "$with_system_openldap" = yes \); then
+    if test "$enable_ldap" = yes -a \( "$enable_openssl" = yes -o "$with_system_openldap" = yes \); then
         AC_MSG_RESULT([yes])
         ENABLE_LDAP=TRUE
     else
         if test "$enable_ldap" != "yes"; then
             AC_MSG_RESULT([no])
         else
-            AC_MSG_RESULT([no (needs NSS or system openldap)])
+            AC_MSG_RESULT([no (needs OPENSSL or system openldap)])
         fi
     fi
 
diff --git a/connectivity/Library_postgresql-sdbc-impl.mk b/connectivity/Library_postgresql-sdbc-impl.mk
index 497f5b742ef4..19a61ff92534 100644
--- a/connectivity/Library_postgresql-sdbc-impl.mk
+++ b/connectivity/Library_postgresql-sdbc-impl.mk
@@ -49,9 +49,6 @@ $(eval $(call gb_Library_use_externals,postgresql-sdbc-impl,\
         $(if $(ENABLE_OPENSSL),openssl) \
         $(if $(ENABLE_LDAP), \
             openldap \
-            nss3 \
-            plc4 \
-            ssl3 \
         ) \
     ) \
 ))
diff --git a/download.lst b/download.lst
index fc3a240f5f94..536f73bb6b4f 100644
--- a/download.lst
+++ b/download.lst
@@ -418,8 +418,8 @@ OFFICEOTRON_JAR := 8249374c274932a21846fa7629c2aa9b-officeotron-0.7.4-master.jar
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
-OPENLDAP_SHA256SUM := 99f37d6747d88206c470067eda624d5e48c1011e943ec0ab217bae8712e22f34
-OPENLDAP_TARBALL := openldap-2.4.59.tgz
+OPENLDAP_SHA256SUM := d51704e50178430c06cf3d8aa174da66badf559747a47d920bb54b2d4aa40991
+OPENLDAP_TARBALL := openldap-2.6.4.tgz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
diff --git a/extensions/Library_ldapbe2.mk b/extensions/Library_ldapbe2.mk
index 58ea11b2d0ce..c08ed88f744e 100644
--- a/extensions/Library_ldapbe2.mk
+++ b/extensions/Library_ldapbe2.mk
@@ -46,9 +46,7 @@ else # 0S!=WNT
 $(eval $(call gb_Library_use_externals,ldapbe2,\
 	boost_headers \
 	openldap \
-	nss3 \
-	plc4 \
-	ssl3 \
+	openssl \
 ))
 endif
 
diff --git a/external/openldap/ExternalProject_openldap.mk b/external/openldap/ExternalProject_openldap.mk
index 6914d167b56c..e02a35d9943f 100644
--- a/external/openldap/ExternalProject_openldap.mk
+++ b/external/openldap/ExternalProject_openldap.mk
@@ -9,7 +9,7 @@
 
 $(eval $(call gb_ExternalProject_ExternalProject,openldap))
 
-$(eval $(call gb_ExternalProject_use_externals,openldap,nss3))
+$(eval $(call gb_ExternalProject_use_externals,openldap,openssl))
 
 $(eval $(call gb_ExternalProject_register_targets,openldap,\
 	build \
@@ -25,12 +25,10 @@ openldap_CFLAGS = -D_XOPEN_SOURCE=500 -D_DEFAULT_SOURCE -D_BSD_SOURCE
 endif
 
 openldap_LDFLAGS = $(call gb_ExternalProject_get_link_flags,openldap)
-ifeq ($(SYSTEM_NSS),)
-openldap_LDFLAGS += -L$(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib
+ifeq ($(SYSTEM_OPENSSL),)
+openldap_LDFLAGS += -L$(call gb_UnpackedTarball_get_dir,openssl)
 endif
-# Help openldap's configure determine that it needs -lpthread even if libasan.so
-# contains a pthread_create override:
-ifneq ($(filter -fsanitize=address,$(CC)),)
+ifeq ($(OS),LINUX)
 openldap_LDFLAGS += -pthread
 endif
 
@@ -40,7 +38,7 @@ $(call gb_ExternalProject_get_state_target,openldap,build) :
 		$(gb_RUN_CONFIGURE) ./configure \
 			--disable-slapd \
 			--with-pic \
-			--with-tls=moznss \
+			--with-tls=openssl \
 			--without-cyrus-sasl \
 			--disable-shared \
 			--enable-static \
@@ -49,11 +47,11 @@ $(call gb_ExternalProject_get_state_target,openldap,build) :
 				--with-yielding_select=yes \
 				ac_cv_func_memcmp_working=yes \
 			) \
-			$(if $(SYSTEM_NSS), \
-				CPPFLAGS="$(CPPFLAGS) $(NSS_CFLAGS)" CFLAGS="$(CFLAGS) $(openldap_CFLAGS) $(NSS_CFLAGS) $(call gb_ExternalProject_get_build_flags,openldap)" LDFLAGS="$(LDFLAGS) $(NSS_LIBS)" \
+			$(if $(SYSTEM_OPENSSL), \
+				CPPFLAGS="$(CPPFLAGS) $(OPENSSL_CFLAGS)" CFLAGS="$(CFLAGS) $(openldap_CFLAGS) $(OPENSSL_CFLAGS) $(call gb_ExternalProject_get_build_flags,openldap)" LDFLAGS="$(LDFLAGS) $(openldap_LDFLAGS) $(OPENSSL_LIBS)" \
 				, \
-				CPPFLAGS="$(CPPFLAGS) -I$(call gb_UnpackedTarball_get_dir,nss)/dist/public/nss -I$(call gb_UnpackedTarball_get_dir,nss)/dist/out/include" \
-				CFLAGS="$(CFLAGS) $(openldap_CFLAGS) $(call gb_ExternalProject_get_build_flags,openldap) -I$(call gb_UnpackedTarball_get_dir,nss)/dist/public/nss -I$(call gb_UnpackedTarball_get_dir,nss)/dist/out/include" \
+				CPPFLAGS="$(CPPFLAGS) -I$(call gb_UnpackedTarball_get_dir,openssl)/include" \
+				CFLAGS="$(CFLAGS) $(openldap_CFLAGS) $(call gb_ExternalProject_get_build_flags,openldap) -I$(call gb_UnpackedTarball_get_dir,openssl)/include" \
 			) \
 			$(if $(openldap_LDFLAGS),LDFLAGS="$(LDFLAGS) $(openldap_LDFLAGS)") \
 		&& MAKEFLAGS= && $(MAKE) \
diff --git a/external/openldap/README b/external/openldap/README
index 0c1828c12b93..48da788f5447 100644
--- a/external/openldap/README
+++ b/external/openldap/README
@@ -1,3 +1,3 @@
 OpenLDAP provides an LDAP client library
 
-http://www.openldap.org/
+https://www.openldap.org/
diff --git a/external/openldap/openldap-2.4.44.patch.1 b/external/openldap/openldap-2.4.44.patch.1
index 317ef9a62e56..1521e86a2664 100644
--- a/external/openldap/openldap-2.4.44.patch.1
+++ b/external/openldap/openldap-2.4.44.patch.1
@@ -1,69 +1,4 @@
 -*- Mode: diff -*-
---- openldap.org/configure
-+++ openldap/configure
-@@ -15735,7 +15735,7 @@
-   $as_echo_n "(cached) " >&6
- else
-   ac_check_lib_save_LIBS=$LIBS
--LIBS="-lnss3  $LIBS"
-+LIBS="-lnss3  -lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4  $LIBS"
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h.  */
- 
---- openldap.org/configure.in
-+++ openldap/configure.in
-@@ -1239,7 +1239,8 @@
- 		AC_CHECK_HEADERS([nssutil.h])
- 		if test "$ac_cv_header_nssutil_h" = yes ; then
- 			AC_CHECK_LIB([nss3], [NSS_Initialize],
--						 [ have_moznss=yes ], [ have_moznss=no ])
-+						 [ have_moznss=yes ], [ have_moznss=no ],
-+						 [ -lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4 ])
- 		fi
- 
- 		if test "$have_moznss" = yes ; then
---- openldap.org/libraries/libldap/tls_m.c
-+++ openldap/libraries/libldap/tls_m.c
-@@ -49,17 +49,17 @@
- #include <termios.h> /* for echo on/off */
- #endif
- 
--#include <nspr/nspr.h>
--#include <nspr/private/pprio.h>
--#include <nss/nss.h>
--#include <nss/ssl.h>
--#include <nss/sslerr.h>
--#include <nss/sslproto.h>
--#include <nss/pk11pub.h>
--#include <nss/secerr.h>
--#include <nss/keyhi.h>
--#include <nss/secmod.h>
--#include <nss/cert.h>
-+#include <nspr.h>
-+#include <private/pprio.h>
-+#include <nss.h>
-+#include <ssl.h>
-+#include <sslerr.h>
-+#include <sslproto.h>
-+#include <pk11pub.h>
-+#include <secerr.h>
-+#include <keyhi.h>
-+#include <secmod.h>
-+#include <cert.h>
- 
- #undef NSS_VERSION_INT
- #define	NSS_VERSION_INT	((NSS_VMAJOR << 24) | (NSS_VMINOR << 16) | \
---- openldap.org/libraries/libldap/tls2.c
-+++ openldap.org/libraries/libldap/tls2.c
-@@ -80,6 +80,8 @@
- 	{ BER_BVNULL, BER_BVNULL }
- };
- 
-+int ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in );
-+
- #ifdef HAVE_TLS
- 
- void
 --- openldap.org/Makefile.in
 +++ openldap/Makefile.in
 @@ -13,7 +13,7 @@
@@ -82,4 +17,4 @@
 -
 -check: test
 -test: FORCE
--	cd tests; $(MAKE) test
+-	cd tests && $(MAKE) test
diff --git a/external/postgresql/ExternalProject_postgresql.mk b/external/postgresql/ExternalProject_postgresql.mk
index 24e54adf3e0c..1d0a13b6bb03 100644
--- a/external/postgresql/ExternalProject_postgresql.mk
+++ b/external/postgresql/ExternalProject_postgresql.mk
@@ -44,7 +44,7 @@ endif
 ifeq ($(ENABLE_OPENSSL),TRUE)
 ifeq ($(SYSTEM_OPENSSL),)
 postgresql_CPPFLAGS += -I$(call gb_UnpackedTarball_get_dir,openssl)/include
-postgresql_LDFLAGS  += -L$(call gb_UnpackedTarball_get_dir,openssl)/ $(if $(filter $(OS),LINUX),-pthread)
+postgresql_LDFLAGS  += -L$(call gb_UnpackedTarball_get_dir,openssl) $(if $(filter $(OS),LINUX),-pthread)
 endif
 endif
 
@@ -54,8 +54,6 @@ postgresql_LDFLAGS  += \
 	-L$(call gb_UnpackedTarball_get_dir,openldap)/libraries/libldap_r/.libs \
 	-L$(call gb_UnpackedTarball_get_dir,openldap)/libraries/libldap/.libs \
 	-L$(call gb_UnpackedTarball_get_dir,openldap)/libraries/liblber/.libs \
-	$(if $(SYSTEM_NSS),,\
-		-L$(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib) \
 
 endif
 
@@ -76,7 +74,7 @@ $(call gb_ExternalProject_get_state_target,postgresql,build) :
 			CFLAGS="-fPIC" \
 			CPPFLAGS="$(postgresql_CPPFLAGS)" \
 			LDFLAGS="$(postgresql_LDFLAGS)" \
-			$(if $(ENABLE_LDAP),EXTRA_LDAP_LIBS="-llber -lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4") \
+			$(if $(ENABLE_LDAP),EXTRA_LDAP_LIBS="-llber") \
 		&& cd src/interfaces/libpq \
 		&& MAKEFLAGS= && $(MAKE) MAKELEVEL=0 all-static-lib)
 	$(call gb_Trace_EndRange,postgresql,EXTERNAL)