If SELinux is enabled, make sure it is configured to allow OpenLDAP to use the certificates and the LDAPS port.
# setsebool -P allow_ldap_tls=on
# semanage port -a -t ldap_port_t -p tcp 636
# semanage port -a -t ldap_port_t -p tcp 389
# semanage port -l | grep ldap

If semanage reports a port as already defined, the ldap_port_t label is already in place; the final listing confirms which ports carry the label.
Point cn=config at the CA bundle, the server certificate and the private key, then load the LDIF over the local ldapi socket and read the attributes back:

# vi certinfo.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/certs/example.com_ca-bundle.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/certs/example.com.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/private/example.com.key

# ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile

If any of these attributes is already set, ldapmodify rejects the add: operation for it; use replace: for that attribute instead.
Also check whether the LDAP server is listening on port 636:
ss -ntlp | grep :636
If slapd in your environment is not configured to serve ldaps, edit /usr/lib/systemd/system/slapd.service. Look for the ExecStart line and modify it to include the desired listener URLs. Note that files under /usr/lib/systemd/system are replaced by package updates; an override unit in /etc/systemd/system (for example via systemctl edit slapd) survives them.
# vi /usr/lib/systemd/system/slapd.service
ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"
After editing the slapd.service file, reload the systemd configuration to apply the changes:
# systemctl daemon-reload
# systemctl restart slapd
Verify that OpenLDAP is now listening on the new ports using:
# ss -tulnp | grep slapd
tcp  LISTEN  0  2048  0.0.0.0:636  0.0.0.0:*  users:(("slapd",pid=1376,fd=9))
tcp  LISTEN  0  2048  0.0.0.0:389  0.0.0.0:*  users:(("slapd",pid=1376,fd=7))
tcp  LISTEN  0  2048  [::]:636     [::]:*     users:(("slapd",pid=1376,fd=10))
tcp  LISTEN  0  2048  [::]:389     [::]:*     users:(("slapd",pid=1376,fd=8))
Finally, open both ports in firewalld so that clients can reach the server:

# firewall-cmd --permanent --add-port=389/tcp
# firewall-cmd --permanent --add-port=636/tcp
# firewall-cmd --reload
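The checks above (listening ports, the three olcTLS*File attributes, and a key that the slapd user can read) can be scripted. The following helper is an added example, not part of the original article; it assumes GNU stat (Linux), unwrapped ldapsearch output lines, and that the service user is the one given to -u in ExecStart (passed as an argument).

```shell
#!/bin/sh
# Added post-configuration checks for the LDAPS setup above (not from the
# original article). Assumes GNU stat and that KEYFILE/USER match the
# certinfo.ldif paths and the "-u ldap" service user shown earlier.

# slapd_listens_on SS_OUTPUT "PORT..."
# Succeeds only if SS_OUTPUT (text of `ss -tulnp`) shows slapd bound to every
# listed port on both the IPv4 (0.0.0.0) and IPv6 ([::]) wildcard address.
slapd_listens_on() {
    ss_out=$1
    for port in $2; do
        for addr in '0\.0\.0\.0' '\[::\]'; do
            printf '%s\n' "$ss_out" |
                grep -E "^tcp[[:space:]]+LISTEN.*${addr}:${port}[[:space:]].*\"slapd\"" >/dev/null ||
                return 1
        done
    done
}

# tls_config_files_exist LDAPSEARCH_OUTPUT
# Reads the olcTLS*File attribute lines (unwrapped, as ldapsearch prints short
# paths) and fails if an attribute is missing or its file cannot be read.
tls_config_files_exist() {
    found=0
    for path in $(printf '%s\n' "$1" | sed -n 's/^olcTLS[A-Za-z]*File: //p'); do
        [ -r "$path" ] || return 1
        found=$((found + 1))
    done
    [ "$found" -eq 3 ]
}

# key_private_to_user KEYFILE USER
# Succeeds only if KEYFILE grants no access to "others" and USER can read it
# via the owner or group bits. A root-only 0600 key stops slapd (running as
# USER) from starting; a 0644 key is readable by every local account.
key_private_to_user() {
    key=$1; user=$2
    perms=$(stat -c '%A %U %G' "$key") || return 1
    set -- $perms
    mode=$1; owner=$2; group=$3
    case $mode in ???????---) ;; *) return 1 ;; esac   # others: no rwx
    if [ "$owner" = "$user" ]; then
        case $mode in ?r*) return 0 ;; esac            # owner read bit
    elif [ "$group" = "$(id -gn "$user" 2>/dev/null)" ]; then
        case $mode in ????r*) return 0 ;; esac         # group read bit
    fi
    return 1
}
```

On a live host, call them as `slapd_listens_on "$(ss -tulnp)" "389 636"`, `tls_config_files_exist "$(ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile)"` and `key_private_to_user /etc/pki/tls/private/example.com.key ldap`.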