Does it work if you replace the 127.0.0.1 by server hostname?

I tried with FQDN, no change. Still says Can't contact LDAP server (-1).

It appears that the -h option has been removed from ldapsearch, so I can't try the non-URI option this article shows to see if I get the same error.

root@mail:~# lsof -i:636
COMMAND     PID     USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
slapd   4170517 openldap   11u  IPv4 1267723477      0t0  TCP *:ldaps (LISTEN)
slapd   4170517 openldap   12u  IPv6 1267723478      0t0  TCP *:ldaps (LISTEN)

root@mail:~# systemctl stop nftables
root@mail:~# ldapsearch -v -LL -x -z5 -H ldaps://127.0.0.1:636 -D 'cn=vmail,dc=mydomain,dc=com' -w "vmailldappassword" -b 'dc=mydomain,dc=com' -s sub '(&(objectclass=mailUser)(enabledService=nextcloud))'
ldap_initialize( ldaps://127.0.0.1:636/??base )
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

OpenLDAP is listening on 636. With NFTables turned off, the result is the same.

Did you toggle on the option "Enable LDAP over TLS (port 389) and SSL (636)" in `Server Settings` -> `LDAP Service`?

Yes, this was already on.

Did you try "-H ldaps://127.0.0.0:636"?

Just now, I did, with the same error resulting.

I have been able to integrate some other servers with the LDAP server running on my iRedMail Enterprise server using unencrypted ldap.

I wish to switch to ldaps on an integration, but I keep getting an error, from either the remote or local machine running an ldapsearch.

ldapsearch -x -b "dc=mydomain,dc=com" -H ldaps://127.0.0.0 -D "cn=vmail,dc=mydomain,dc=com" -W "(&(objectclass=mailUser)(enabledService=nextcloud))"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I have a valid certificate in slapd.conf.

I have ldaps:/// in the SLAPD_SERVICES line of /etc/default/slapd.

TCP ports 389 and 636 are open in the machine firewall.

lsof -i:636 shows that slapd is listening to port 636.

Any other troubleshooting steps I might try to get the iRedMail LDAP server to allow connections via ldaps://?