SCIENTIFIC-LINUX-USERS Archives

January 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Jon Peatfield <[log in to unmask]>
Reply-To: Jon Peatfield <[log in to unmask]>
Date: Fri, 23 Jan 2009 13:26:22 +0000
Content-Type: TEXT/PLAIN
Parts/Attachments: TEXT/PLAIN (50 lines)

On Fri, 23 Jan 2009, Olf Epler wrote:

> Hello,
>
> following the related parts of slapd.conf:
>
> TLSCACertificateFile    /usr/etc/openldap/CA/cacert.pem
> TLSCertificateFile      /usr/etc/openldap/CA/sacert.pem
> TLSCertificateKeyFile   /usr/etc/openldap/CA/sackey.pem
>
> The server runs as follows:
>
> /usr/libexec/slapd -u ldap -h ldap:/// ldaps:///
>
> Normally the port 389 (ldap:///) is closed.
>
> and ldap.conf:
>
> base            dc=organization,dc=com
> uri             ldaps://ldap_server.organizatiom.com
> sizelimit       0
> bind_policy     soft
> tls_cacert      /usr/etc/openldap/CA/cacert.pem
> tls_checkpeer   yes
>
> -> new
> ssl             yes
>
> The file cacert.pem is a self signed certificate I created
> together with sacert.pem and the key file sakey.pem.
>
> As I already wrote - exactly the same configuration works without
> any problems on different installations including SL-5.1.
> Therefore it's not clear to me why I now have to set the port option,
> since I use uri!
>
> Regards, Olf Epler

The case I was thinking of was that in the changelog of nss_ldap it 
mentioned that 'port' in the ldap.conf was previously being ignored, so a 
config mentioning it might work and then stop after the upgrade (from 5.1 
to 5.2 say).

If you don't have port mentioned then it seems unlikely that is the issue.

Can you tell if the client is actually trying to connect to the ldap 
server - and if so check that it is doing so on the right address/port?

  -- Jon
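A way to answer Jon's question from the client side, added here as an example and not part of the thread: read the target out of ldap.conf the way the posted configuration implies (ldaps with no explicit port means 636), warn if a `port` directive is also present, and probe that host:port with openssl against the configured tls_cacert. It assumes a POSIX sh with awk and openssl on the client, and the sample ldap.conf is constructed from the one quoted above.

```shell
#!/bin/sh
# Print "scheme host port" for the first 'uri' directive in the given ldap.conf.
# An explicit :port in the uri wins; otherwise ldaps -> 636, ldap -> 389.
ldap_target() {
    uri=$(awk 'tolower($1) == "uri" { print $2; exit }' "$1")
    [ -n "$uri" ] || { echo "no uri directive in $1" >&2; return 1; }
    scheme=${uri%%://*}
    rest=${uri#*://}
    hostport=${rest%%/*}              # drop any trailing /base-DN part
    case "$hostport" in
        *:*) host=${hostport%%:*}; port=${hostport##*:} ;;
        *)   host=$hostport
             case "$scheme" in
                 ldaps) port=636 ;;
                 ldap)  port=389 ;;
                 *)     echo "unsupported scheme: $scheme" >&2; return 1 ;;
             esac ;;
    esac
    # Per the nss_ldap changelog mentioned in this thread, a 'port' directive
    # that used to be ignored may start taking effect after an upgrade.
    if awk 'tolower($1) == "port" { found = 1 } END { exit !found }' "$1"; then
        echo "warning: 'port' directive present alongside uri (derived port $port)" >&2
    fi
    echo "$scheme $host $port"
}

# TLS handshake to the derived host:port, verifying the server cert against
# tls_cacert. Succeeds only if something answers there AND the chain verifies,
# which separates "port closed" from "certificate not trusted".
ldap_probe() {
    target=$(ldap_target "$1") || return 1
    set -- $target "$1"              # scheme host port conf
    [ "$1" = ldaps ] || { echo "uri is plain ldap, no TLS to probe" >&2; return 1; }
    cacert=$(awk 'tolower($1) == "tls_cacert" { print $2; exit }' "$4")
    openssl s_client -connect "$2:$3" -CAfile "$cacert" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Constructed sample mirroring the ldap.conf quoted in the thread.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
base            dc=organization,dc=com
uri             ldaps://ldap_server.organizatiom.com
tls_cacert      /usr/etc/openldap/CA/cacert.pem
tls_checkpeer   yes
ssl             yes
EOF
ldap_target "$SAMPLE_CONF"
```

Run `ldap_probe /etc/ldap.conf` on the client; a failing handshake on the derived port (or a non-zero verify code) points at the listener or the CA file rather than at nss_ldap itself.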
