> Here are the changes I'd review:
>
> 1. After installing the CA cert, did you create a hash link? E.g.,
>
>      /usr/sbin/cacertdir_rehash /etc/openldap/cacerts
>
> 2. Make sure you know the difference between /etc/ldap.conf and
>    /etc/openldap/ldap.conf. The former is used by nss_ldap, the
>    latter by openldap clients.
>
> 3. Does /etc/ldap.conf have all the correct TLS entries, e.g.,
>
>      ssl start_tls
>      tls_checkpeer yes
>      tls_cacertdir /etc/openldap/cacerts
>
>    Additionally, I've had trouble using the "uri" directive
>    in /etc/ldap.conf, esp. with encrypted connections. The
>    "host" and "port" directives have worked better for me.
>
> 4. Does /etc/pam.d/system-auth have pam_ldap.so entries for
>    auth, account, password, and session?
>
> 5. Are you running nscd? (I've found it indispensable when working
>    with network auth.)
>
> 6. Review the changes to /etc/nsswitch.conf to make sure that
>    the passwd, shadow, and group entries all query ldap.

Thanks a lot for this check-list (I recommend it for others in the future).
I had already checked most of the points, but I still played around with
your ideas, without success.

But, this remark:

> I've never done ldaps to port 636, only TLS to port 389, so some of my
> comments may be slightly off-base in your situation.

made me think of checking what should be the difference between a
START_TLS on a plain ldap port and ldaps on the ssl port.

In /etc/ldap.conf: for ldap + START_TLS this is indeed

> ssl start_tls

but for ldaps (my case) this should be:

    ssl on

Changing the value of 'ssl' to 'on' solved my problem! (and this explains
why my ldapsearch queries were working: as you pointed out, /etc/ldap.conf
is for the configuration of nss_ldap)

IMHO, the comments in /etc/ldap.conf could be a bit more explicit on the
'on' value:

    ...
    # OpenLDAP SSL mechanism
    # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
    #ssl start_tls
    #ssl on
    ...

Thanks a lot for your help!
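The 'ssl on' versus 'ssl start_tls' distinction above, as an added example that is not part of the original thread: a small Python lint of an nss_ldap /etc/ldap.conf that flags the mismatch (port 636 without 'ssl on', or 'ssl on' against port 389) together with the peer-verification settings from the check-list. The key names come from the thread; treating a missing tls_checkpeer as "no" is this example's own conservative assumption, not nss_ldap's documented default, and the sample configs are constructed.

```python
# Added example (not from the thread): lint an nss_ldap /etc/ldap.conf for the
# 'ssl' vs port mismatch discussed above. Assumptions: the nss_ldap keys named
# on the page (ssl, host, port, uri, tls_checkpeer, tls_cacertdir); port 636
# means LDAPS, port 389 means plain LDAP or STARTTLS.
import re

LDAPS_PORT, LDAP_PORT = 636, 389


def parse_ldap_conf(text):
    """Return {key: value} for 'key value' lines; comments and blanks skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def effective_port(conf):
    """Port implied by the first 'uri' (scheme or explicit port), else 'port'."""
    m = re.match(r"(ldaps?)://[^:/\s]+(?::(\d+))?", conf.get("uri", ""))
    if m:
        if m.group(2):
            return int(m.group(2))
        return LDAPS_PORT if m.group(1) == "ldaps" else LDAP_PORT
    return int(conf.get("port", LDAP_PORT))


def lint(text):
    """Return findings for a config; an empty list means it is consistent."""
    conf = parse_ldap_conf(text)
    ssl, port, findings = conf.get("ssl", "no"), effective_port(conf), []
    if port == LDAPS_PORT and ssl != "on":
        findings.append("port 636 (LDAPS) needs 'ssl on', found 'ssl %s'" % ssl)
    if port == LDAP_PORT and ssl == "on":
        findings.append("'ssl on' against port 389 expects LDAPS, not STARTTLS")
    # Missing tls_checkpeer is treated as 'no' here (assumption, conservative).
    if ssl != "no" and conf.get("tls_checkpeer", "no") != "yes":
        findings.append("tls_checkpeer is not 'yes': server certificate unverified")
    if ssl != "no" and not (conf.get("tls_cacertdir") or conf.get("tls_cacertfile")):
        findings.append("no tls_cacertdir/tls_cacertfile: peer check cannot succeed")
    return findings


# Constructed samples: the poster's failing config, and the thread's fix.
BROKEN = ("host ldap.example.org\nport 636\nssl start_tls\n"
          "tls_checkpeer yes\ntls_cacertdir /etc/openldap/cacerts\n")
FIXED = BROKEN.replace("ssl start_tls", "ssl on")
```

Running `lint(BROKEN)` reports only the ssl/port mismatch, and `lint(FIXED)` reports nothing.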