Here are the changes I'd review:
1. After installing the CA cert, did you create a hash link? E.g.,
/usr/sbin/cacertdir_rehash /etc/openldap/cacerts
2. Make sure you know the difference between /etc/ldap.conf and /etc/openldap/ldap.conf. The former is used by nss_ldap, the latter by openldap clients.
3. Does /etc/ldap.conf have all the correct TLS entries, e.g.,
ssl start_tls tls_checkpeer yes tls_cacertdir /etc/openldap/cacerts
Additionally, I've had trouble using the "uri" directive in /etc/ldap.conf, esp. with encrypted connections. The "host" and "port" directives have worked better for me.
4. Does /etc/pam.d/system-auth have pam_ldap.so entries for auth, account, password, and session?
5. Are you running nscd? (I've found it indispensable when working with network auth.)
6. Review the changes to /etc/nsswitch.conf to make sure that the passwd, shadow, and group entries all query ldap.
Thanks a lot for this check-list (I recommend it for others in the future).
I had already checked most of the points, but I still played around with your ideas, without success
But, this remark:
I've never done ldaps to port 636, only TLS to port 389, so some of my comments may be slightly off-base in your situtation.
made me think of checking what should be the difference between a START_TLS on a plain ldap port and ldaps on the ssl port
In /etc/ldap.conf:
for ldap + START_TLS this is indeed
ssl start_tls
but for ldaps (my case) this should be: ssl on
Changing the value of 'ssl' to 'on' solved my problem! (and this explains why my ldapsearch queries were working: as you pointed out, /etc/ldap.conf is for the configuration of nss_ldap)
IMHO, the comments in /etc/ldap.conf could be a bit more explicit on the 'on' value:
... # OpenLDAP SSL mechanism # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 #ssl start_tls #ssl on ...
Thanks a lot for your help!