and TLS stuff:
------snip-------
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
------snip-------
anything blatantly wrong here?
Your ACLs look fine. Is that certificate your old cert, or the one that's created for you on the new system? If the latter, you should create a new certificate that contains the FQDN of the server (as referenced by the LDAP clients) instead of 'localhost.localdomain'. This is noted as a warning somewhere... but I can't find it at the moment.
In any case, you should start by temporarily turning off SSL on the client side (put "ssl no" in the client /etc/ldap.conf file). That's not a 'safe' configuration, but it'll let you test the basic ldap functionality without worrying if SSL/TLS is the problem.
Are you also using ldap in nsswitch? If so you'll want to restart the client's nscd (if running) after you switch ldap.conf.
Note that ldapsearch uses /etc/openldap/ldap.conf, while PAM and NSS use /etc/ldap.conf, which are similar in format, but generally -not- identical.
As another easy thing to check, is the new server's firewall configured to let ports 389 (and possibly 636) in? Again, temporarily turning off iptables entirely can quickly determine if that's the problem.
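Added example (not from the thread): a small shell helper that checks the TLS half of the setup above without turning SSL off, by listing the names in the slapd PEM and comparing them with the FQDN the clients use, and by reading a directive from either ldap.conf flavour. The certificate path, the FQDN and the config paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread. Checks the server
# certificate and the client ldap.conf files discussed above; all paths
# and host names are illustrative assumptions.

# cert_names CERT_PEM: print the subject CN and every DNS subjectAltName,
# one per line. Works on a combined key+cert PEM (x509 skips the key block)
# and on both "CN = x" (OpenSSL 1.1+) and "/CN=x" (older) subject styles.
cert_names() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# cert_matches_host CERT_PEM FQDN: succeed only if the FQDN the clients
# connect to is literally one of the certificate's names (no wildcards).
cert_matches_host() {
    cert_names "$1" | grep -qx -- "$2"
}

# ldap_conf_get FILE KEY: value of a "key value" directive, key matched
# case-insensitively, '#' lines skipped, first match wins. Fits both
# /etc/ldap.conf (pam/nss: host, ssl, ...) and /etc/openldap/ldap.conf
# (ldapsearch: URI, TLS_REQCERT, ...), which share the line format.
ldap_conf_get() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) {
            $1 = ""; sub(/^ +/, ""); print; exit
        }' "$1"
}

# Report when run as: sh check_slapd_tls.sh CERT_PEM FQDN [CLIENT_LDAP_CONF]
if [ "$#" -ge 2 ]; then
    cert="$1"; fqdn="$2"; conf="${3:-/etc/ldap.conf}"
    if cert_matches_host "$cert" "$fqdn"; then
        echo "OK: $cert names $fqdn"
    else
        echo "WARN: $cert does not name $fqdn; names found:"
        cert_names "$cert" | sed 's/^/  /'
    fi
    cert_names "$cert" | grep -qx localhost.localdomain &&
        echo "WARN: certificate still carries the install-time name localhost.localdomain"
    [ -r "$conf" ] &&
        echo "client 'ssl' setting in $conf: $(ldap_conf_get "$conf" ssl)"
fi
```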