diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
index d760f418c6..8c9b5ee913 100644
--- a/doc/man/man3/ldap_get_option.3
+++ b/doc/man/man3/ldap_get_option.3
@@ -378,20 +378,6 @@ This option is OpenLDAP specific.
 .SH SASL OPTIONS
 The SASL options are OpenLDAP specific.
 .TP
-.B LDAP_OPT_X_SASL_MECH
-Gets the SASL mechanism;
-.BR outvalue
-must be a
-.BR "char **" ,
-its content needs to be freed by the caller.
-.TP
-.B LDAP_OPT_X_SASL_REALM
-Gets the SASL realm;
-.BR outvalue
-must be a
-.BR "char **" ,
-its content needs to be freed by the caller.
-.TP
 .B LDAP_OPT_X_SASL_AUTHCID
 Gets the SASL authentication identity;
 .BR outvalue
@@ -406,65 +392,6 @@ must be a
 .BR "char **" ,
 its content needs to be freed by the caller.
 .TP
-.B LDAP_OPT_X_SASL_SSF
-Gets the SASL SSF;
-.BR outvalue
-must be a
-.BR "int *" .
-.TP
-.B LDAP_OPT_X_SASL_SSF_EXTERNAL
-Sets the SASL SSF value related to an authentication
-performed using an EXTERNAL mechanism;
-.BR invalue
-must be a
-.BR "ber_len_t *" .
-.TP
-.B LDAP_OPT_X_SASL_SECPROPS
-Set the SASL secprops;
-.BR invalue
-must be a
-.BR "char *" ,
-containing a comma-separated list of properties.
-Legal values are:
-.BR none ,
-.BR nodict ,
-.BR noplain ,
-.BR noactive ,
-.BR passcred ,
-.BR forwardsec ,
-.BR noanonymous ,
-.BR minssf= ,
-.BR maxssf= ,
-.BR maxbufsize= ,
-with
-.BR "minssf >= 0" ,
-.BR "maxssf <= 2**31 - 1" ,
-.BR "maxbufsize <= 65536" .
-.TP
-.B LDAP_OPT_X_SASL_SSF_MIN
-Gets/sets SASL minimum SSF;
-.BR invalue
-must be
-.BR "const ber_len_t *" ,
-while
-.BR outvalue
-must be
-.BR "ber_len_t *" .
-See also
-.BR LDAP_OPT_X_SASL_SECPROPS .
-.TP
-.B LDAP_OPT_X_SASL_SSF_MAX
-Gets/sets SASL maximum SSF;
-.BR invalue
-must be
-.BR "const ber_len_t *" ,
-while
-.BR outvalue
-must be
-.BR "ber_len_t *" .
-See also
-.BR LDAP_OPT_X_SASL_SECPROPS .
-.TP
 .B LDAP_OPT_X_SASL_MAXBUFSIZE
 Gets/sets SASL maximum buffer size;
 .BR invalue
@@ -477,6 +404,13 @@ must be
 See also
 .BR LDAP_OPT_X_SASL_SECPROPS .
 .TP
+.B LDAP_OPT_X_SASL_MECH
+Gets the SASL mechanism;
+.BR outvalue
+must be a
+.BR "char **" ,
+its content needs to be freed by the caller.
+.TP
 .B LDAP_OPT_X_SASL_MECHLIST
 Gets the list of the available mechanisms,
 in form of a NULL-terminated array of strings;
@@ -492,38 +426,226 @@ The value should either be
 or
 .BR LDAP_OPT_ON .
 .TP
+.B LDAP_OPT_X_SASL_REALM
+Gets the SASL realm;
+.BR outvalue
+must be a
+.BR "char **" ,
+its content needs to be freed by the caller.
+.TP
+.B LDAP_OPT_X_SASL_SECPROPS
+Sets the SASL secprops;
+.BR invalue
+must be a
+.BR "char *" ,
+containing a comma-separated list of properties.
+Legal values are:
+.BR none ,
+.BR nodict ,
+.BR noplain ,
+.BR noactive ,
+.BR passcred ,
+.BR forwardsec ,
+.BR noanonymous ,
+.BR minssf= ,
+.BR maxssf= ,
+.BR maxbufsize= .
+.TP
+.B LDAP_OPT_X_SASL_SSF
+Gets the SASL SSF;
+.BR outvalue
+must be a
+.BR "ber_len_t *" .
+.TP
+.B LDAP_OPT_X_SASL_SSF_EXTERNAL
+Sets the SASL SSF value related to an authentication
+performed using an EXTERNAL mechanism;
+.BR invalue
+must be a
+.BR "ber_len_t *" .
+.TP
+.B LDAP_OPT_X_SASL_SSF_MAX
+Gets/sets SASL maximum SSF;
+.BR invalue
+must be
+.BR "const ber_len_t *" ,
+while
+.BR outvalue
+must be
+.BR "ber_len_t *" .
+See also
+.BR LDAP_OPT_X_SASL_SECPROPS .
+.TP
+.B LDAP_OPT_X_SASL_SSF_MIN
+Gets/sets SASL minimum SSF;
+.BR invalue
+must be
+.BR "const ber_len_t *" ,
+while
+.BR outvalue
+must be
+.BR "ber_len_t *" .
+See also
+.BR LDAP_OPT_X_SASL_SECPROPS .
+.TP
 .B LDAP_OPT_X_SASL_USERNAME
 Gets the SASL username;
 .BR outvalue
 must be a
 .BR "char **" .
-It points to memory that belongs to the handle;
-the caller must not muck with it.
+Its content needs to be freed by the caller.
 .SH TLS OPTIONS
 The TLS options are OpenLDAP specific.
-.TP
-.B LDAP_OPT_X_TLS
-Sets/gets the TLS mode, one of
-.BR LDAP_OPT_X_TLS_NEVER ,
-.BR LDAP_OPT_X_TLS_HARD ,
-.BR LDAP_OPT_X_TLS_DEMAND ,
-.BR LDAP_OPT_X_TLS_ALLOW ,
-.BR LDAP_OPT_X_TLS_TRY .
-.TP
-.B LDAP_OPT_X_TLS_CTX
-Sets/gets the OpenSSL CTX.
-.TP
-.B LDAP_OPT_X_TLS_CACERTFILE
-Sets/gets the full-path CA certificate file.
+.\".TP
+.\".B LDAP_OPT_X_TLS
+.\"Sets/gets the TLS mode.
 .TP
 .B LDAP_OPT_X_TLS_CACERTDIR
 Sets/gets the path of the directory containing CA certificates.
+.BR invalue
+must be
+.BR "const char *" ;
+.BR outvalue
+must be
+.BR "char **" ,
+and its contents need to be freed by the caller.
+.TP
+.B LDAP_OPT_X_TLS_CACERTFILE
+Sets/gets the full-path CA certificate file.
+.BR invalue
+must be
+.BR "const char *" ;
+.BR outvalue
+must be
+.BR "char **" ,
+and its contents need to be freed by the caller.
 .TP
 .B LDAP_OPT_X_TLS_CERTFILE
 Sets/gets the full-path certificate file.
+.BR invalue
+must be
+.BR "const char *" ;
+.BR outvalue
+must be
+.BR "char **" ,
+and its contents need to be freed by the caller.
+.TP
+.B LDAP_OPT_X_TLS_CIPHER_SUITE
+Sets/gets the allowed cipher suite.
+.BR invalue
+must be
+.BR "const char *" ;
+.BR outvalue
+must be
+.BR "char **" ,
+and its contents need to be freed by the caller.
+.TP
+.B LDAP_OPT_X_TLS_CONNECT_ARG
+Sets/gets the connection callback argument.
+.BR invalue
+must be
+.BR "const void *" ;
+.BR outvalue
+must be
+.BR "void **" .
+.TP
+.B LDAP_OPT_X_TLS_CONNECT_CB
+Sets/gets the connection callback handle.
+.BR invalue
+must be
+.BR "const LDAP_TLS_CONNECT_CB *" ;
+.BR outvalue
+must be
+.BR "LDAP_TLS_CONNECT_CB **" .
+.TP
+.B LDAP_OPT_X_TLS_CRLCHECK
+Sets/gets the CRL evaluation strategy, one of
+.BR LDAP_OPT_X_TLS_CRL_NONE ,
+.BR LDAP_OPT_X_TLS_CRL_PEER ,
+or
+.BR LDAP_OPT_X_TLS_CRL_ALL .
+.BR invalue
+must be
+.BR "const int *" ;
+.BR outvalue
+must be
+.BR "int *" .
+Requires OpenSSL.
+.TP
+.B LDAP_OPT_X_TLS_CRLFILE
+Sets/gets the full-path of the CRL file.
+.BR invalue
+must be
+.BR "const char *" ;
+.BR outvalue
+must be
+.BR "char **" ,
+and its contents need to be freed by the caller.
+This option is only valid for GNUtls.
+.TP
+.B LDAP_OPT_X_TLS_CTX
+Sets/gets the OpenSSL CTX.
+.BR invalue
+must be
+.BR "const void *" ;
+.BR outvalue
+must be
+.BR "void **" .
+.TP
+.B LDAP_OPT_X_TLS_DHFILE
+Gets/sets the full-path of the file containing the parameters
+for Diffie-Hellman ephemeral key exchange.
+.BR invalue
+must be
+.BR "const char *" ;
+.BR outvalue
+must be
+.BR "char **" ,
+and its contents need to be freed by the caller.
+Ignored by GNUtls.
 .TP
 .B LDAP_OPT_X_TLS_KEYFILE
 Sets/gets the full-path certificate key file.
+.BR invalue
+must be
+.BR "const char *" ;
+.BR outvalue
+must be
+.BR "char **" ,
+and its contents need to be freed by the caller.
+.TP
+.B LDAP_OPT_X_TLS_NEWCTX
+Instructs the library to create a new TLS CTX.
+.BR invalue
+must be
+.BR "const int *" .
+A non-zero value pointed to by
+.BR invalue
+tells the library to create a CTX for a server.
+.TP
+.B LDAP_OPT_X_TLS_PROTOCOL_MIN
+Sets/gets the minimum protocol version.
+.BR invalue
+must be
+.BR "const int *" ;
+.BR outvalue
+must be
+.BR "int *" .
+.TP
+.B LDAP_OPT_X_TLS_RANDOM_FILE
+Sets/gets the random file when
+.I /dev/random
+and
+.I /dev/urandom
+are not available.
+.BR invalue
+must be
+.BR "const char *" ;
+.BR outvalue
+must be
+.BR "char **" ,
+and its contents need to be freed by the caller.
+Ignored by GNUtls.
 .TP
 .B LDAP_OPT_X_TLS_REQUIRE_CERT
 Sets/gets the peer certificate checking strategy,
@@ -534,53 +656,11 @@ one of
 .BR LDAP_OPT_X_TLS_ALLOW ,
 .BR LDAP_OPT_X_TLS_TRY .
 .TP
-.B LDAP_OPT_X_TLS_PROTOCOL_MIN
-Sets/gets the minimum protocol version.
-.TP
-.B LDAP_OPT_X_TLS_CIPHER_SUITE
-Sets/gets the allowed cipher suite.
-.TP
-.B LDAP_OPT_X_TLS_RANDOM_FILE
-Sets/gets the random file when
-.I /dev/random
-and
-.I /dev/urandom
-are not available.
-Ignored by GNUtls.
-.TP
 .B LDAP_OPT_X_TLS_SSL_CTX
-Sets/gets the OpenSSL SSL CTX.
-.TP
-.B LDAP_OPT_X_TLS_CRLCHECK
-Sets/gets the CRL evaluation strategy, one of
-.BR LDAP_OPT_X_TLS_CRL_NONE ,
-.BR LDAP_OPT_X_TLS_CRL_PEER ,
-or
-.BR LDAP_OPT_X_TLS_CRL_ALL .
-Requires OpenSSL.
-.TP
-.B LDAP_OPT_X_TLS_CONNECT_CB
-Sets/gets the connection callback.
-Currently not implemented.
-.TP
-.B LDAP_OPT_X_TLS_CONNECT_ARG
-Sets/gets the connection callback argument.
-Currently not implemented.
-.TP
-.B LDAP_OPT_X_TLS_DHFILE
-Gets/sets the full-path of the file containing the parameters
-for Diffie-Hellman ephemeral key exchange.
-Ignored by GNUtls.
-.TP
-.B LDAP_OPT_X_TLS_NEWCTX
-Instructs the library to create a new TLS CTX.
-A non-zero
-.BR invalue
-tells the library to create a CTX for a server.
-.TP
-.B LDAP_OPT_X_TLS_CRLFILE
-Sets/gets the full-path of the CRL file.
-This option is only valid for GNUtls.
+Gets the OpenSSL SSL CTX;
+.BR outvalue
+must be
+.BR "void **" .
 .SH ERRORS
 On success, the functions return
 .BR LDAP_OPT_SUCCESS ,